Fraud on Velocity Frequent Flyer accounts

[SYDNEYAIRPORTRIPOFF]

My Samsung phone with Amysim was ported and compromised last week, and my velocity account points were used to book a flight with Qatar Airways from Dhaka in Bangladesh to Doha in Qatar, booked by some guy with a Bangladeshi name. I called Velocity help line before the Qatar Airways flight was due, and they were pretty useless, I don't think they care. I did ask them to suspend my account, but of course most of my points had been stolen due partly due to the velocity help center built in inertia !

 

[SydneySwan]

Maybe the first thing that Qatar Airways can bring to Virgin is 2FA. Qatar have it on their FF accounts where they send you a OTP.

 

[jbman]

Hopefully they don’t just offer one time SMS and allow 2FA via an authentication app

 

[encryptededdy]

Would also love to see Passkey support from Virgin (and Qantas). AirNZ has it, and it's great.

 

[jsoprano]

So I had my Velocity account hacked as well on Monday. Got an email around 8:30pm that my details had been updated and to call them if it wasn't me. Checked my account on the app and sure enough, someone changed the email address and then booked a redemption LOS-DOH on QR for 99200 points. Called them first thing the next morning and now going through the process with account suspended etc. At least I wasn't planning on booking any further redemptions as I booked my J rewards on NH for next June a few weeks ago. Oh well.

 

[moa999]

around 8:30pm that my details had been updated and to call them if it wasn't me.

Sorry to hear.

Any idea how the hack might have occured?
Any recent suspicious emails asking you to login? Medibank member? Any recent flights on Virgin?

 

[Legoman]

Well this doesn't bode well for those of us who are about to get new accounts with restored stolen points back. The fact hacks are still happening the same way means new accounts are just as vulnerable since no new anti-hacking measures are being implemented at all (unless you count a new membership number under the exact same system to be an anti-hacking measure).
Thanks for telling us all about this happening. I shall be bringing this up with the Velocity staff I shall be talking to tomorrow, being the day they said they would finally have my account extricated from 7-Eleven linkage so I can finally get my points back - but for how long is anyone's guess before they get hacked and stolen again.

 

[jsoprano]

Sorry to hear.

Any idea how the hack might have occured?
Any recent suspicious emails asking you to login? Medibank member? Any recent flights on Virgin?

No idea. Not a Medibank member and no other suspicious activity/phishing lately. I fly VA almost weekly, so that's not narrowing it down lol. However, one thought I had was I flew back from DPS with them last week - maybe a leak over there?? Not sure.

But honestly, given how prevalent it is with VFF accounts and not QFF or others, surely this must be a hack/leak on the Velocity end somewhere? Occam's razor etc. etc.

 

[Legoman]

But honestly, given how prevalent it is with VFF accounts and not QFF or others, surely this must be a hack/leak on the Velocity end somewhere? Occam's razor etc. etc.

Absolutely. Trying to lay the blame at the end users is looking for the source of the problem in the most unlikely place. The common denominator in all cases is that it's the Velocity servers that are being hacked. Not the individual users one by one. If I was a thief and I wanted to steal lots of eggs, which would be easier? Break into a thousand private homes and rifle through their fridges hoping there were eggs there I can nab? Or would I be better off breaking into one single Colesworth store, where I know for a fact there are going to be thousands of eggs and steal them all in one night?

If the hackers have got your e-mail address (as they did mine) to spam, then they got it from the unencrypted, plain text storage of it on the Velocity servers, not because I am an idiot who flippantly goes around broadcasting my e-mail to every sundry retail assistant worker who asks for it when I buy something.