Fraud on Velocity Frequent Flyer accounts

Exactly. The password makes no difference whatsoever. It is just sidestepped entirely. Make the password 360 characters long entirely out of symbols from WingDings and Microsoft Character Map application on your computer if you want. It will make no difference.
Indeed seems to be the case. So establishing a new account really is no protection against the same thing happening a second time to anyone's new account. Only changed account access protections can do that.

I have a balance of zero points and 75 SCs, so even if the bad people do get access to my account, there's nothing there to steal other than my personal details. I hope they will look at the zero points balance and just move on (sorry to the owner of the next account hacked).
 
I wish I could get my balance down to zero without having to fly speculatively to somewhere random I don't need to go.
 
I wish I could get my balance down to zero without having to fly speculatively to somewhere random I don't need to go.
Was not difficult for me ... my Velocity points balance has never been anything other than zero. Just a few SCs earned in the last few months.
 
If this appears to be assisted by Virgin 'insiders', one would assume their Security Folks could join up some dots?
 
If this appears to be assisted by Virgin 'insiders', one would assume their Security Folks could join up some dots?
I'm sure they can, but as others have suggested, that's not their priority. The priority is pumping up the product as much as possible to ready it for sale at the highest possible price to the most gullible buyer. A few points here and there from annoying noisy customers is irritating at worst, like a mosquito in your room as you're trying to go to sleep, but not going to affect the buy price, so it's not worth spending any money on. If they can flog the business off quickly then it becomes someone else's irritation.
 
I did but still got done! 74,900 points for a 06 Oct 24 - QR246, Istanbul-Doha, Qatar Airways.
Update
Contacted Velocity via website contact form and received this within 12 hours:

Thank you for contacting us about the unauthorized Points redemption on your account.
We understand that you are not the one who made the booking reservation using Velocity Points. Kindly be advised that your Velocity account will be place under suspended as a security precaution. We have a specialist team looking into this and they will be in touch with you within 30 business days. During this time, we are unable to provide any details of the investigation.
As an extra precaution, please know that you will not be able to access your account online during the investigation, this is to make sure that no one can access your account. We understand this may be inconvenient, however – the safety and security of our members is our top priority.


Now we wait!
 
Yep, put a calendar reminder for 7 weeks hence, but in the meantime, de-link Velocity from FlyBuys and try and de-link yourself from 7-Eleven too (if you can). You will need to delink all these partnerships anyway, so you may as well start the ball rolling now to allow for the inevitable glitches along the way.
 
Yep, put a calendar reminder for 7 weeks hence, but in the meantime, de-link Velocity from FlyBuys and try and de-link yourself from 7-Eleven too (if you can). You will need to delink all these partnerships anyway, so you may as well start the ball rolling now to allow for the inevitable glitches along the way.
Thanks-Flybuys Unlinked; no 7-Eleven.
 
Last edited by a moderator:
Yep, put a calendar reminder for 7 weeks hence, but in the meantime, de-link Velocity from FlyBuys and try and de-link yourself from 7-Eleven too (if you can). You will need to delink all these partnerships anyway, so you may as well start the ball rolling now to allow for the inevitable glitches along the way.

I'm happy to let them stay for now as the earnings will go through, rather than being lost by terminating early.
 
Glad Virgin spent all this money on their new fancy app with the spinning points, rather than fixing this issue.

Like spinning the pokies, instead it's a was my account hacked today?
 
Last edited:
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

I am fully expecting my account to be hacked again before the week is out.

This is clearly an inside job not some random occurrence.

What worries me is how easily anyone can spoof email addresses or even partially take control of phone numbers. This has nothing to do with Velocity. This is a collective effort to allow criminals easy access to our private property.

P.S. My Velocity password is still 4 numbers and my wife's as I recently had to update is now 12 characters.
 
Update
Contacted Velocity via website contact form and received this within 12 hours:

Thank you for contacting us about the unauthorized Points redemption on your account.
We understand that you are not the one who made the booking reservation using Velocity Points. Kindly be advised that your Velocity account will be place under suspended as a security precaution. We have a specialist team looking into this and they will be in touch with you within 30 business days. During this time, we are unable to provide any details of the investigation.
As an extra precaution, please know that you will not be able to access your account online during the investigation, this is to make sure that no one can access your account. We understand this may be inconvenient, however – the safety and security of our members is our top priority.


Now we wait!

So, through no fault of your own...they lock you out of your account...
Can you earn points?
Does your status work?

Lately, a heap of sophisticated scams have been going on in the airline/hotel loyalty arena.

Our firm sees how the scammers achieve everything because they're also talking about stuff related to what we do.
So, we pick up the noise/chatter about how these things are being exploited. Frankly, it's impressive how some of this is pulled off.

Airlines could solve these issues quickly, but there are too many internal politics involved.
Fixes are easy, but not cheap.

We probably need a high-profile government minister's account hacked or drained of points, and then things might get fixed for the rest of us.
 
What worries me is how easily anyone can spoof email addresses or even partially take control of phone numbers. This has nothing to do with Velocity. This is a collective effort to allow criminals easy access to our private property.
I'm not sure why you would think that, given that neither email nor phone is being used as a security factor here. The only email notification that goes out is when the personal info in the account is changed, and attackers have been blasting victims inboxes with junk to try to hide that notification simply because they don't have access to inboxes to remove it.

There is no evidence of any sophistication here in terms of taking over people's accounts/phone numbers outside of VFF. There simply seems to be a way that VFF #s and passwords are known to or found by the attackers, or that authentication bypassed somehow.
 
This has nothing to do with Velocity. This is a collective effort to allow criminals easy access to our private property.
Steady on there big fella. I know the only thing separating conspiracy with fact is 2-3 years, but I'm not quite ready to call this part of the collective effort to deny free movement through the data monitoring of everything we say and do all of the time culminating in China's social credit system ala the Black Mirror episode Nosedive. I wouldn't want to give a coughty little Australian airline quite that much credit. I do however think this does indeed have everything to do with Velocity. The hacking is not sophisticated and does not involve clever social engineering to get account holders to willingly reveal personal data. It is rudimentary at best because that's all it needs to be in order to circumvent the appallingly weak 'security' (if you can call it that) in place by Velocity. Velocity know their security wouldn't stop two children piggybacked wearing a trenchcoat, glasses and a fake moustache to evade the min height limit in a rollercoaster queue, and yet they continue to not upgrade it, in spite of all their hacked account holders telling them it is rubbish. That very much is Velocity's fault.

So, through no fault of your own...they lock you out of your account...
Yep, that's fair and reasonable isn't it? We've completely coughed up even though we know we're hopeless because everyone is telling us we're hopeless, but because we're hopeless, you now have to suffer for 7 weeks, so we can relax and take our precious time "investigating", because, we don't like to be rushed m'kay? So just cool your jets, take a valium, and let us have a cup of tea while we decide whether we can be coughd enough to stop inconveniencing you through our own incompetence.

We probably need a high-profile government minister's account hacked or drained of points, and then things might get fixed for the rest of us.
Always, always, always back the horse called Self Interest. She's a real goer.
 
Last edited:
Make the password 360 characters long
Out of interest (I just updated my password) there is a maximum length of 16 characters. Poor form to not allow longer passwords to those who want them, such as password manager users
 
Out of interest (I just updated my password) there is a maximum length of 16 characters. Poor form to not allow longer passwords to those who want them, such as password manager users

Not necessarily the case here, but in my experience a low minimum password length is often a sign that the password is not being hashed and stored securely. There should be no technical reason to limit the password length this low (other than ridiculously long passwords that could stress a server when hashing them). When hashing a password, the hash that has to be stored in the database is always the same length regardless of the password length. So a low character limit can indicate they are storing the password as-is and have a limit on the database field (often low because of historical reasons).
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top