Fraud on Velocity Frequent Flyer accounts

[SYDNEYAIRPORTRIPOFF]

My Samsung phone with Amysim was ported and compromised last week, and my velocity account points were used to book a flight with Qatar Airways from Dhaka in Bangladesh to Doha in Qatar, booked by some guy with a Bangladeshi name. I called Velocity help line before the Qatar Airways flight was due, and they were pretty useless, I don't think they care. I did ask them to suspend my account, but of course most of my points had been stolen due partly due to the velocity help center built in inertia !

 

[SydneySwan]

Maybe the first thing that Qatar Airways can bring to Virgin is 2FA. Qatar have it on their FF accounts where they send you a OTP.

 

[jbman]

Hopefully they don’t just offer one time SMS and allow 2FA via an authentication app

 

[encryptededdy]

Would also love to see Passkey support from Virgin (and Qantas). AirNZ has it, and it's great.

 

[jsoprano]

So I had my Velocity account hacked as well on Monday. Got an email around 8:30pm that my details had been updated and to call them if it wasn't me. Checked my account on the app and sure enough, someone changed the email address and then booked a redemption LOS-DOH on QR for 99200 points. Called them first thing the next morning and now going through the process with account suspended etc. At least I wasn't planning on booking any further redemptions as I booked my J rewards on NH for next June a few weeks ago. Oh well.

 

[moa999]

around 8:30pm that my details had been updated and to call them if it wasn't me.

Sorry to hear.

Any idea how the hack might have occured?
Any recent suspicious emails asking you to login? Medibank member? Any recent flights on Virgin?

 

[Legoman]

Well this doesn't bode well for those of us who are about to get new accounts with restored stolen points back. The fact hacks are still happening the same way means new accounts are just as vulnerable since no new anti-hacking measures are being implemented at all (unless you count a new membership number under the exact same system to be an anti-hacking measure).
Thanks for telling us all about this happening. I shall be bringing this up with the Velocity staff I shall be talking to tomorrow, being the day they said they would finally have my account extricated from 7-Eleven linkage so I can finally get my points back - but for how long is anyone's guess before they get hacked and stolen again.

 

[jsoprano]

Sorry to hear.

Any idea how the hack might have occured?
Any recent suspicious emails asking you to login? Medibank member? Any recent flights on Virgin?

No idea. Not a Medibank member and no other suspicious activity/phishing lately. I fly VA almost weekly, so that's not narrowing it down lol. However, one thought I had was I flew back from DPS with them last week - maybe a leak over there?? Not sure.

But honestly, given how prevalent it is with VFF accounts and not QFF or others, surely this must be a hack/leak on the Velocity end somewhere? Occam's razor etc. etc.

 

[Legoman]

But honestly, given how prevalent it is with VFF accounts and not QFF or others, surely this must be a hack/leak on the Velocity end somewhere? Occam's razor etc. etc.

Absolutely. Trying to lay the blame at the end users is looking for the source of the problem in the most unlikely place. The common denominator in all cases is that it's the Velocity servers that are being hacked. Not the individual users one by one. If I was a thief and I wanted to steal lots of eggs, which would be easier? Break into a thousand private homes and rifle through their fridges hoping there were eggs there I can nab? Or would I be better off breaking into one single Colesworth store, where I know for a fact there are going to be thousands of eggs and steal them all in one night?

If the hackers have got your e-mail address (as they did mine) to spam, then they got it from the unencrypted, plain text storage of it on the Velocity servers, not because I am an idiot who flippantly goes around broadcasting my e-mail to every sundry retail assistant worker who asks for it when I buy something.

 

[Must...Fly!]

No idea. Not a Medibank member and no other suspicious activity/phishing lately. I fly VA almost weekly, so that's not narrowing it down lol. However, one thought I had was I flew back from DPS with them last week - maybe a leak over there?? Not sure.

But honestly, given how prevalent it is with VFF accounts and not QFF or others, surely this must be a hack/leak on the Velocity end somewhere? Occam's razor etc. etc.

Do you use a password manager/unique password for VFF?

 

[Legoman]

I don't think the hackers are getting passwords at all. They have instead found a way of backdooring Velocity to get around passwords altogether and just get straight to the customer details which they can clearly see stored in plain text on the Velocity servers. Because Velocity has no 2FA system of protecting access, there is nothing to alert users or require account holders to authorise the intrusions

 

[odysseus]

Add another one to the ones impacted.

Last night got an email swarm (1400 emails in an hour, signing up to new email lists, password resets from unknown sites, email enquiries and other things), was working through them and found the 'your details have been updated' from VFF without saying what. Then checked my profile, found they'd changed my email (slightly), and made a return booking for just a few hours ahead on Qatar, from Lagos, Nigeria to Doha.

Tried to get it cancelled before the flight, but contact centre and other channels had shut down and no means to contact anyone, so scammer customer likely got to fly. Called VFF this morning and they're going through the usual motions.

As for the cause, was wracking my brain and the only recent entry was when I was asked to supply my credentials in a Virgin lounge or on a flight.

As for the process enabling this, it's absolutely horrid. They should block such last minute redemptions from high risk regions as other air programs have done, or require it be done through a service centre so there can be more verification, which will cut down demand and therefore risk dramatically. Similarly, they could require email address updates to be done through a service centre with id verification instead of the 1 minute quick change, and then wild splurge with no fallback at all.

All simple to do, and all with outsized benefits to cost.

 

[jsoprano]

Add another one to the ones impacted.

Last night got an email swarm (1400 emails in an hour, signing up to new email lists, password resets from unknown sites, email enquiries and other things), was working through them and found the 'your details have been updated' from VFF without saying what. Then checked my profile, found they'd changed my email (slightly), and made a return booking for just a few hours ahead on Qatar, from Lagos, Nigeria to Doha.

Tried to get it cancelled before the flight, but contact centre and other channels had shut down and no means to contact anyone, so scammer customer likely got to fly. Called VFF this morning and they're going through the usual motions.

As for the cause, was wracking my brain and the only recent entry was when I was asked to supply my credentials in a Virgin lounge or on a flight.

As for the process enabling this, it's absolutely horrid. They should block such last minute redemptions from high risk regions as other air programs have done, or require it be done through a service centre so there can be more verification, which will cut down demand and therefore risk dramatically. Similarly, they could require email address updates to be done through a service centre with id verification instead of the 1 minute quick change, and then wild splurge with no fallback at all.

All simple to do, and all with outsized benefits to cost.

Wow, commiserations! This sounds very similar what happened to me, same routing etc. and it occurring outside service centre hours also seems deliberate to me.

Question: how do you know for when the redemption was? I could only see the flight number and routing but no date or PNR.

Post automatically merged: Today at 3:18 PM

Do you use a password manager/unique password for VFF?

Unique password but no password manager.

 

[Legoman]

Add another one to the ones impacted.

Last night got an email swarm (1400 emails in an hour

Yep, that's exactly what happened to me too. That's approximately one new e-mail every 2.5 seconds which perfectly equates with what I witnessed first hand as I sat looking at my e-mail account logged in watching them come in. It was at least a new e-mail every 2.5secs, or faster than that during the flood attack.

Great news to hear that Velocity's efforts (I'm being sarcastic) to shut down the theft of points has achieved absolute sweet FA. This is incredibly reassurring to those of us about to get our points back into new membership accounts after 6 weeks.

I'm seriously considering just redeeming as many points as I can on Apple/electronics from the store, before they get stolen again and just forgetting Velocity altogether. I've already permanently parked my direct earn Velocity AMEX. It's just too hard and not worth the hassle. I haven't got the time to deal with all this BS. Qantas is just easier.

 

[Rebus]

Add another one to the ones impacted.

I'm really sorry to hear that. I'm sure that there are many of us who feel like sitting ducks right now. I have to admit that I am keeping a close eye on my account but to what end, given that we seem to be powerless to prevent our points being stolen.

Do we have anyone on the forum with connections to major media organisations? It doesn't seem like VA are paying much attention to the posts on AFF or Ozbargains, perhaps a bigger audience will jolt them in to action.

 

[MARTINE]

FWIW - and don't judge me - I listen to Tom Elliott on 3AW mornings.

Why not ring in?

I called the station once when I had a consumer issue and there was nowhere left to go after weeks of getting the runaround. Within a week I had a phone call from their head of consumer support and a good resolution and lifelong go-to contact person.

What is happening is awful to everyone on here who has been hacked.

Especially when it can be pinpointed who the culprit is ie the person (recipient) occupying the seat on the plane. Begs the question - is there other criminal activity concurrent with this happening?? Identity thefts etc


Worth a try as I have heard numerous examples (other than my own) whereby access to senior people in a business become available to resolve a range of consumer microaggressions

They also have a word on the street line when issues of public interest can be logged also

 

[Must...Fly!]

Especially when it can be pinpointed who the culprit is ie the person (recipient) occupying the seat on the plane

I suspect they're not the true culprit and there is quite the operation going on, and possibly some laundry being done...

 

[Legoman]

My gut feel is that Jane Hard Liquor (if she even knows about it at all) would have this issue firmly filed away in the DO NOT CARE drawer of her filing cabinet. Given that she resigned in February and for some truly bizarre reason is still there - with no firm plan announced for her to actually get on her bike - her focus is very clearly on good news stories only while she has one foot out the door and the other in Tennis Australia. She was right there front and centre with the Qatar news, coz that was easy to spin as a good news story. Stories about customer hacking and stolen points are only for the plebs at Optus, Medibank, Latitude etc. Don't bother the Hard Liquor with such trivialities please.

 

[SydneySwan]

My gut feel is that Jane Hard Liquor (if she even knows about it at all) would have this issue firmly filed away in the DO NOT CARE drawer of her filing cabinet. Given that she resigned in February and for some truly bizarre reason is still there - with no firm plan announced for her to actually get on her bike - her focus is very clearly on good news stories only while she has one foot out the door and the other in Tennis Australia. She was right there front and centre with the Qatar news, coz that was easy to spin as a good news story. Stories about customer hacking and stolen points are only for the plebs at Optus, Medibank, Latitude etc. Don't bother the Hard Liquor with such trivialities please.

I suspect the entire senior management team are too busy trying to sell off the company to be bothered about day-to-day issues.

 

[Legoman]

I suspect the entire senior management team are too busy trying to sell off the company to be bothered about day-to-day issues.

Yep, that would certainly fit with the astonishing speed I was told about the Qatar deal via my inbox with my "message from Jayne Hrdlicka".

Seriously, just how far up yourself and sanctimonious do you have to be to title your company missive "A message from Jayne Hrdlicka, anyway? FFS, normal people title the subject of their e-mails with oh, I dunno, maybe a very brief summary of what the e-mail is actually about. Not something along the lines of "An important person has something to say to you, stop everything you're doing and listen to me!"

Just the subject alone put me so offside, that it arrived two days ago, and I've only just opened it today.