Fraud on Velocity Frequent Flyer accounts

Same issue here. 1.3m points gone
Yikes!
Wait and see? Or there is something else that I can do?
It seems there's nothing any of us can do. Velocity is a law unto themselves and they work on their timeline only and are answerable to no-one. I get the impression there is a feeling that people with airline points are not exactly destitute anyway and therefore can wait their good turn for an investigation. With 1.3 million points, you go straight to the very bottom of the priority in-tray. Not forgetting of course that points represent a liability for Velocity, so if someone nicks them and redeems them, then that's a lot of points off their books, which in Velocity's POV is a good thing.
 
Two colleagues from work have had their VFF accounts suspended ‘pending investigation’ - interestingly both hacked at exactly the same time as well.

One is furious as was mid trying to move points out of VFF to SQ to book some OS travel, has called the VFF “customer no service line” multiple times and been given the brick wall, different team handling, can’t give you an update, go away speech mirroring everything posted in this thread…

Sounds like something systematic is going on…
 
It must be nice being an organisation or industry where you're left completely alone to 'self regulate' yourself via a token ombudsman that you pay for who does only exactly what you tell them to do. You don't ever have to explain yourself, justify anything to your customers, or be subjected to any scrutiny, oversight or regulation whatsoever. You make up your own rules and then selectively choose which ones you want to police or comply with on a case by case basis depending on what benefits your organisation the most.

That must be fun.
 
Also shows just how slow big organisations are on stuff like this.

Rolling out authenticator based security should be a doddle for any decent developer, arguably even easier than an SMS based 2FA.
 
Rolling out authenticator based security should be a doddle for any decent developer
If they have any in house. I can see this being a big production if it was built to spec in the past and requires someone to come in and make a big project of it.
 
Not forgetting of course that points represent a liability for Velocity, so if someone nicks them and redeems them, then that's a lot of points off their books, which in Velocity's POV is a good thing.
Since Virgin would have full control of points and can track where they are transferred to etc, wouldn't it be a pretty easy and straightforward thing for them to restore points + cancelling illegitimately redeemed bookings once the dust settles? ie. like they already do after catching accounts that buy/sell/trade points against the T&C? Unless you're saying Virgin will simply conclude without evidence that all these compromised accounts are actually members doing exactly that and use that as justification to deny restoration?

If they have any in house.
So does this mean adding multi-city search for international flights isn't on the horizon then?
 
Australian Cyber Security Centre Report | Cyber.gov.au.
That's a very difficult form to fill out enough to submit when Velocity won't tell you anything about the fraud that took place. The form requires that you tell them exactly how much was stolen (don't know), how the fraud was carried out (don't know but none of the provided options apply), all of the sender and receiver account details including BSB/Acc times+dates, amounts etc. etc. (none of which actually apply of course, but you have to provide something anyway otherwise you can't submit the form). It's one of these nonsense box-ticking exercise forms where 50% of the boxes do not apply or are completely nonsensical to the case you're trying to report.

Doesn't really matter in the end of course, because no-one will investigate anything off the back of it anyway.
 
I'm still curious how people are getting hacked - is Velocity customer service getting social engineered? Is it just reused passwords? Phishing? A weak link in the password recovery system for Velocity accounts (as in, it asks for information that can be found from other data breaches etc.)
 
Finally got the e-mail from Velocity they've restored points. Unfortunately that's only the start of the pain and suffering. I call and get Daniel. We go through all the rigmarole and Daniel then says he needs to put me on hold for 2 minutes to get my account unlocked so I can delink it from 7-Eleven. 20 minutes of utter silence later I give up and hang up.

I call back and this time I get Jaen. Go through all the rigmarole again and Jaen gets my account unlocked and then we're going through the delinking process at 7-Eleven, except every single link in the 7-Eleven app for delinking actually leads you to the LINKING screen and there is no known way to get to a de-linking screen or option that doesn't end up doing the exact opposite. Jaen then hangs up on me.

Third time I call back I get someone whose name I can't even decipher, before he or she puts me on hold and then I get the cone of silence phone call death sound, of which I'm so familiar now, I know it's not even worth holding on.

Call back a fourth time and the agent says she'll call me back on an outside number that will hopefully work without cutting me off. This calling me back is apparently going to take 10 minutes.

At this point I really don't care about Velocity or my status or points or anything really. I am never, ever going to use Virgin or Velocity ever again for anything. Their utter incompetence has no limits.

Update: Called back a fifth time. Got someone called Arias. Arias says she wants to get someone who only goes by the initials LJ to call me back. So Arias hangs up on me, and this time LJ does indeed actually call me back. Sixth or Seventh phone call now? I'm not completely sure. I've lost count.

LJ says I need to delink 7-Eleven from Velocity - sounds easy doesn't it? Cold fusion is "easy" compared to delinking two points schemes, when neither party wants you to delink them. If you think you might need to delink your Velocity from 7-Eleven at any time in the future before you die, then I suggest you start the process NOW.

In short, delinking 7-Eleven from Velocity is completely IMPOSSIBLE. There's a link in the app sure enough. Click that and go through all the confirmation and password pages and you end up… at the LINKING page again! Every single which way you try to delink, pushes you back to the LINKING page. You will never get to see a page where you can finally delink. If you continue past the LINKING page (as there is literally no other option), then you just get e-mail after e-mail after e-mail confirming that you've linked your Velocity to 7-Eleven. There is no other way out of the Catch-22 vicious circle. Every single option leads to LINKING. None will actually delink.
 
My suggestion is to call back Velocity to unlock your account.

Open the 7-11 app and log out of your account. Log back in on the 7-11 app and then go through the de-linking process. This worked for me.
 
I have now spoken to at least seven different CSRs of Velocity and every one of them speaks too fast and swallows their words, failing to enunciate properly in exactly the way that Asians who learnt English as a second language in Asia tend to do from my experience. I haven't met any of them of course, so I don't know for sure, but my very strong guess is that the Brisbane call centre for Velocity is staffed entirely with ESL Asians.

So now, Velocity have to contact 7-Eleven directly and forcibly de-link my accounts. This is going to take a further 5-10 days of course. I now have an ETA to check back with them again of 4 October to see if anything's been done - and we all know from experience, it won't have been by then either.

I have now had to send them the Police Cybercrime Investigations report and their reply and recommendations to me, details of my new Velocity account and the screenshots from my mobile phone 7-Eleven app proving just how impossible it is for me to delink Velocity from 7-Eleven.
 
My suggestion is to call back Velocity to unlock your account.

Open the 7-11 app and log out of your account. Log back in on the 7-11 app and then go through the de-linking process. This worked for me.
Did that, doesn't work. For the 10 minutes or so they left my account unlocked I could see the reason for my stolen points. Someone redeemed 94,000 points for a flight from Tokyo to LA 3 months ago. Can't see the details anymore though because Velocity has now not just locked my account, but deleted it altogether seemingly. It doesn't even show up as a locked account anymore. It's like it never existed at all now.
 
My advice to anyone facing a similar issue with account hacking is not to wait for Velocity to tell you what to do. Get on the front foot and lodge your cyber crime case immediately. De-link your FlyBuys (this is easy to do because it's one-sided and the FlyBuys website actually works) and start the process of trying to extricate yourself from 7-Eleven as well. This will be well nigh impossible to do, and take at least a week and require enormous intervention from Velocity to get done, all because 7-Eleven employ teenagers wagging school in the local park huffing oven cleaner through a Pringles can to code their phone app. Which ultimately means of course that it doesn't have a snowball's chance of actually working.

Don't do as I did and wait for advice from Velocity. Velocity "advice" is worth as much as a pitcher of warm <you know what>. The only way to get devoid of 7-Eleven is by brute-force back room intervention by Velocity talking to 7-Eleven, because the kids in the park high on chroming paint thinner from Bunnings, managed to code the process so that no one side of the agreement can forcibly break the link by themselves. Of course, 7-Eleven don't want to let you go, so they frustrate this process as much as they possibly can which adds weeks to the process. Start it as soon as you can in other words.
 
Didi is pretty much the same. They do not have an option to delink the old Velocity account. Contacted Didi support; at first they said go to your profile and you can delink it that way. I told them there is no such option on their app. They said they are escalating this issue and after 1 week they are no longer responding to me even though I sent another follow-up message.
 
