Fraud on Velocity Frequent Flyer accounts

I suspect they're not the true culprit and there is quite the operation going on, and possibly some laundry being done...
I suspect this is some shady "Buy discount airfares here via email/whatsapp/Telegram" operation in these markets like Nigeria and Bangladesh (some of the originating itineraries we've seen, where people are more desperate and less aware of such shady operators). They sell a ticket at a significant discount, hack an account, book it on their "customer's" name, issue it to them, they can check on the airline website that they have a genuine booking, and then 2+ days later when QR cancels it the shady travel agent has disappeared and is no longer contactable and the "customer" is SOL and a few $1000 out of pocket. That's kind of how I explained it to myself what's going down here... Otherwise (a) you wouldn't book anything for yourself if you're the perpetrator, and (b) you'd redeem the points for gift cards or the like.

But in my mind to do this (the travel agent operation), you need a list/database of account details that you bought on the dark web somewhere, and then you go to work one by one. But what do I know...
 
But in my mind to do this (the travel agent operation), you need a list/database of account details that you bought on the dark web somewhere, and then you go to work one by one. But what do I know...
Or an "insider" of some sort, with access to Velocity systems, such as a contact centre agent or IT service provider or similar. Someone who has access to change account information such as associated email address so that the transaction does not get emailed to the account owner.

It does seem, from what hacked account owners are saying here, that their passwords were not changed, just the email address changed and redemptions transacted from their accounts.

But that is just my personal speculation.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.
 

I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.
Unfortunately the ACCC are a completely worthless and useless organisation with no enforcement power whatsoever and all the businesses in Australia know it. Just try actually reporting a business to the ACCC as I have done, and see what response you get. It is laughable. The business you have a dispute with will openly dare you, or actually goad you into reporting them, and then if they really feel like it, will laugh at you to your face, because they know damn well, they will never be prosecuted or more likely even contacted at all.

ACCC and ESG are just nice acronyms in Australia. There is no actual meaning and no enforcement or policing behind them whatsoever. Australian consumer law is a joke. At best, a nice theory, but in practice, you've got no chance of ever seeing any compensation for even the most deliberate and clear cut case that results in anything less than death. For an actual death as the result, you might get somewhere if you're willing to pay a lot of money to lawyers, but for anything less, you're wasting your time and money.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.
Very easy for an inside job to pass details to an outside source. Membership number, email address, password etc.

I don't quite understand the lack of action. Account had been hacked and flights booked and flown. You have the passport details of the person taking the flight. Did they purchase a flight from some dodgy website that uses stolen points to book flights? Did they book it themselves?

Solution is simple. Set up a do not fly register and all airlines adhere to it. Do not let these people fly again unless they provide all the details.

A few weeks back I found someone had booked a $480 Jetstar flight using my 28 Degrees card. None of my details were hacked so how did they get past authentication? Has to be some sort of inside job. I called Jetstar before calling Latitude and flight had not yet been taken and I hope Jetstar cancelled that booking.
 
Solution is simple. Set up a do not fly register and all airlines adhere to it. Do not let these people fly again unless they provide all the details.
The problem is that there is not a small group of people travelling the world having a grand old time on defrauded Velocity account points.

What there almost certainly is, is a group of people acting as agents in countries with lax regulation. Possibly offering these seats at retail as a cut price to unsuspecting buyers, or maybe involved in people/drug trafficking or other nefarious dealings.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
"Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved."

I would guess that this wouldn't meet the criteria. Unless we AFFers got to define serious harm....
 
