Fraud on Velocity Frequent Flyer accounts

I suspect they're not the true culprit and there is quite the operation going on, and possibly some laundry being done...
I suspect this is some shady "Buy discount airfares here via email/whatsapp/Telegram" operation in these markets like Nigeria and Bangladesh (some of the originating itineraries we've seen, where people are more desperate and less aware of such shady operators). They sell a ticket at a significant discount, hack an account, book it on their "customer's" name, issue it to them, they can check on the airline website that they have a genuine booking, and then 2+ days later when QR cancels it the shady travel agent has disappeared and is no longer contactable and the "customer" is SOL and a few $1000 out of pocket. That's kind of how I explained it to myself what's going down here... Otherwise (a) you wouldn't book anything for yourself if you're the perpetrator, and (b) you'd redeem the points for gift cards or the like.

But in my mind to do this (the travel agent operation), you need a list/database of account details that you bought on the dark web somewhere, and then you go to work one by one. But what do I know...
 
But in my mind to do this (the travel agent operation), you need a list/database of account details that you bought on the dark web somewhere, and then you go to work one by one. But what do I know...
Or an "insider" of some sort, with access to Velocity systems, such as a contact centre agent or IT service provider or similar. Someone who has access to change account information such as associated email address so that the transaction does not get emailed to the account owner.

It does seem, from what hacked account owners are saying here, that their passwords were not changed, just the email address changed and redemptions transacted from their accounts.

But that is just my personal speculation.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.
Unfortunately the ACCC are a completely worthless and useless organisation with no enforcement power whatsoever and all the businesses in Australia know it. Just try actually reporting a business to the ACCC as I have done, and see what response you get. It is laughable. The business you have a dispute with will openly dare you, or actually goad you into reporting them, and then if they really feel like it, will laugh at you to your face, because they know damn well, they will never be prosecuted or more likely even contacted at all.

ACCC and ESG are just nice acronyms in Australia. There is no actual meaning and no enforcement or policing behind them whatsoever. Australian consumer law is a joke. At best, a nice theory, but in practice, you've got no chance of ever seeing any compensation for even the most deliberate and clear cut case that results in anything less than death. For an actual death as the result, you might get somewhere if you're willing to pay a lot of money to lawyers, but for anything less, you're wasting your time and money.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.
Very easy for an inside job to pass details to an outside source. Membership number, email address, password etc.

I don't quite understand the lack of action. Account had been hacked and flights booked and flown. You have the passport details of the person taking the flight. Did they purchase a flight from some dodgy website that uses stolen points to book flights? Did they book it themselves?

Solution is simple. Set-up a do not fly register and all airlines adhere to it. Do not let these people fly again unless they provide all the details.

A few weeks back I found someone had booked a $480 Jetstar flight using my 28 Degrees card. None of my details were hacked so how did they get past authentication? Has to be some sort of inside job. I called Jetstar before calling Latitude and flight had not yet been taken and I hope Jetstar cancelled that booking.
 
Solution is simple. Set-up a do not fly register and all airlines adhere to it. Do not let these people fly again unless they provide all the details.
The problem is that there is not a small group of people travelling the world having a grand old time on defrauded Velocity account points.

What there almost certainly is, is a group of people acting as agents in countries with lax regulation. Possibly offering these seats at retail as a cut price to unsuspecting buyers, or maybe involved in people/drug trafficking or other nefarious dealings.
 
I thought that Australian companies are required by law to report when customers' details have been stolen via their system.
"Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved."

I would guess that this wouldn't meet the criteria. Unless we AFFers got to define serious harm....
 
I have concerns that this is happening via some super user access that has either been granted or left open during testing etc. As passwords are not being used the only explanation can be there is another method to access accounts above customer level to make changes or bookings.

If such access is being used I would have hoped this would have been found ASAP and shut down. Clearly they either don't know what the source of the access is or are still working on a solution.

Have all the flights so far been booked via QR?
 
"Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved."

I would guess that this wouldn't meet the criteria. Unless we AFFers got to define serious harm....
Yeah I do feel as though we are still in the early stages for the gov to really explain what a breach is and what action they will take against the company.

If a staff member accesses an account without request by the customer is this a breach? Would the customer be notified?

Concerning is the fact Velocity has not contacted anyone from what I can read. The members have contacted them to advise of the breach on their accounts.
 
I am not convinced that flights are flown when these last minute QR redemptions are made. Citizens of Nigeria and Bangladesh cannot just jump on a plane to Doha on a whim. Those that could probably are more organised wrt international trips and would be unlikely to risk picking up 'hot' tickets on the day of travel. Plus, the "model" relies on there being reward availability. Hardly a given. There must be a way an award ticket can be monetised.
 
I am not convinced that flights are flown when these last minute QR redemptions are made. Citizens of Nigeria and Bangladesh cannot just jump on a plane to Doha on a whim. Those that could probably are more organised wrt international trips and would be unlikely to risk picking up 'hot' tickets on the day of travel. Plus, the "model" relies on there being reward availability. Hardly a given. There must be a way an award ticket can be monetised.
I was reading a thread on FlyerTalk last year (sorry can't find it now) talking about how some scammers are able to pull off scams where they sell tickets to customers (usually they meet them on Social Media promising premium class tickets at a discount off the regular cash fare) that end up being rewards, either with points they've purchased off people as a points broker or stolen points.

First, they would book the flights as soon as the award space opens up with a bot (for popular routes) or when a customer requests them using their own points, usually with a currency with free cancellations & refunds (such as Aeroplan Flex Rewards). Then, they will acquire points from other places (e.g. stolen accounts), cancel their flex booking and use a bot to automatically book that flight when it returns to inventory using the stolen account, or their points broker account*.

I understand this is the main reason Aeroplan suspended Family Transfers last year for quite a long time, so they could beef up their security.

*either directly with someone who's sold their account to a points broker, or one of the many accounts a points broker would have to receive "family transfers" from their customers.
 
Wow, commiserations! This sounds very similar to what happened to me, same routing etc. and it occurring outside service centre hours also seems deliberate to me.

Question: how do you know for when the redemption was? I could only see the flight number and routing but no date or PNR.

If you know enough to make last minute bookings and get multiple accounts to pay for them, I'm sure they know the contact centre hours to know the best/safest time to get bookings when the office is closed and nothing can be done. Again, Velocity could do something about that - but don't seem bothered to.

As for the booking, it was accessible from My account under My trips, with the PNR, passenger name and all other flight/booking details. Passenger also had a unique name so I checked out his background. Has some IT knowledge and some history of questionable activities, but nothing related to flights so I lean towards him being a paying customer of some professionals.
 
If you know enough to make last minute bookings and get multiple accounts to pay for them, I'm sure they know the contact centre hours to know the best/safest time to get bookings when the office is closed and nothing can be done. Again, Velocity could do something about that - but don't seem bothered to.

As for the booking, it was accessible from My account under My trips, with the PNR, passenger name and all other flight/booking details. Passenger also had a unique name so I checked out his background. Has some IT knowledge and some history of questionable activities, but nothing related to flights so I lean towards him being a paying customer of some professionals.
That's interesting, in my case it didn't show up under My Trips, was the first thing I checked after seeing the redemption. But neither do rewards I book for my partner show up in there, so this didn't strike me as odd.

To your first point: yes, they could absolutely do something about it, such as a 24/7 phone line for security breaches - either post the phone number somewhere or have it as an option in the phone menu. Also, I do not think I ever got an email from Virgin or Velocity suggesting to change my password or even a more general "be vigilant" kind of message (unless I missed it?). Seems these issues are going on for the best part of a year now, so well overdue. But they would admit there's a problem to a few million customers, while for now it's only a few hundred impacted and a few thousand aware of it I guess. Not good enough.
 
The similarity between some of these cases.
- high number of points
- change of details
- last minute flight redemption
- flood of emails to obscure
Would suggest some type of inside job targeting specific accounts.. but that's only because we are seeing the outcome.. who knows if they are also gaining access to accounts with only 3,000 points and then moving into bigger fish.

But VA look pretty damn stupid allowing points redemptions in different names from high risk countries with no additional verification, particularly after recent changes to account details.
 
The similarity between some of these cases.
- high number of points
- change of details
- last minute flight redemption
- flood of emails to obscure
Would suggest some type of inside job targeting specific accounts.. but that's only because we are seeing the outcome.. who knows if they are also gaining access to accounts with only 3,000 points and then moving into bigger fish.

But VA look pretty damn stupid allowing points redemptions in different names from high risk countries with no additional verification, particularly after recent changes to account details.
Very much this! One other simple security enhancement would be 24hr cool off period for any redemptions after account details were changed. As you say, there are so many red flags - account details changed, immediate high-value redemption, suspicious routings not in line with user profile/history etc., why has nothing been done about this?
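
The red flags listed in the posts above (recent change of account details, last-minute redemption, high points value, unfamiliar passenger name) and the suggested 24-hour cool-off can be combined into one pre-ticketing check. This is an added example, not part of the thread and not Velocity's code; the record fields, the thresholds other than the 24 hours, and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds: the 24 h cool-off is the thread's proposal; the others are assumed.
COOL_OFF = timedelta(hours=24)
LAST_MINUTE = timedelta(hours=48)
HIGH_VALUE_POINTS = 50_000

@dataclass
class Account:                                # hypothetical record
    holder: str
    contact_changed_at: Optional[datetime]    # last email/phone change, if any
    known_passengers: frozenset = frozenset() # names this account has booked before

@dataclass
class Redemption:                             # hypothetical record
    requested_at: datetime
    departs_at: datetime
    passenger: str
    points: int

def assess(acct: Account, r: Redemption):
    """Return (decision, reasons); decision is 'hold', 'step_up' or 'allow'."""
    reasons = []
    changed = acct.contact_changed_at
    cooling = changed is not None and timedelta(0) <= r.requested_at - changed < COOL_OFF
    if cooling:
        reasons.append("contact details changed inside cool-off window")
    if r.departs_at - r.requested_at < LAST_MINUTE:
        reasons.append("last-minute departure")
    if r.points >= HIGH_VALUE_POINTS:
        reasons.append("high-value redemption")
    familiar = {acct.holder.casefold()} | {p.casefold() for p in acct.known_passengers}
    if r.passenger.casefold() not in familiar:
        reasons.append("passenger not previously seen on account")
    if cooling:
        return "hold", reasons          # cool-off blocks regardless of other signals
    if len(reasons) >= 2:
        return "step_up", reasons       # require extra verification before ticketing
    return "allow", reasons

# Constructed sample data, not taken from any real account.
NOW = datetime(2024, 3, 1, 2, 30)
VICTIM = Account("A. Member", NOW - timedelta(hours=1), frozenset({"B. Partner"}))
STABLE = Account("A. Member", NOW - timedelta(days=400), frozenset({"B. Partner"}))
SUSPECT = Redemption(NOW, NOW + timedelta(hours=20), "X. Stranger", 139_000)
ROUTINE = Redemption(NOW, NOW + timedelta(days=90), "B. Partner", 139_000)

if __name__ == "__main__":
    for acct, red in [(VICTIM, SUSPECT), (STABLE, SUSPECT), (STABLE, ROUTINE)]:
        print(assess(acct, red))
```

A routine partner booking on a stable account passes with a single signal, while the same redemption made an hour after a contact-detail change is held.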
 
I am not convinced that flights are flown when these last minute QR redemptions are made. Citizens of Nigeria and Bangladesh cannot just jump on a plane to Doha on a whim. Those that could probably are more organised wrt international trips and would be unlikely to risk picking up 'hot' tickets on the day of travel. Plus, the "model" relies on there being reward availability. Hardly a given. There must be a way an award ticket can be monetised.
Yes, but African and South Asian countries are also the main source for guest workers in Qatar. So there will always be a few thousand of them that have an urgent need to (a) get back to work asap, or (b) try to get home for a family emergency, flee their exploitative conditions etc. Lots of vulnerable and desperate souls that travel on these routes. I can easily see them fall for a half-price last minute ticket scam if your family's livelihood depends on it.
 