Fraud on Velocity Frequent Flyer accounts

[NM]

Exactly. The password makes no difference whatsoever. It is just sidestepped entirely. Make the password 360 characters long entirely out of symbols from WingDings and Microsoft Character Map application on your computer if you want. It will make no difference.

Indeed seems to be the case. So establishing a new account really is no protection against the same thing happening a second time to anyone's new account. Only changed account access protections can do that.

I have a balance of zero points and 75 SCs, so even if the bad people do get access to my account, there's nothing there to steal other than my personal details. I hope they will look at the zero points balance and just move on (sorry to the owner of the next account hacked).

 

[Legoman]

I wish I could get my balance down to zero without having to fly speculatively to somewhere random I don't need to go.

 

[NM]

I wish I could get my balance down to zero without having to fly speculatively to somewhere random I don't need to go.

Was not difficult for me ... my Velocity points balance has never been anything other than zero. Just a few SCs earned in the last few months.

 

[ozstamps]

If this appears to be assisted by Virgin 'insiders', one would assume their Security Folks could join up some dots?

 

[Legoman]

If this appears to be assisted by Virgin 'insiders', one would assume their Security Folks could join up some dots?

I'm sure they can, but as others have suggested, that's not their priority. The priority is pumping up the product as much as possible to ready it for sale at the highest possible price to the most gullible buyer. A few points here and there from annoying noisy customers is irritating at worst, like a mosquito in your room as you're trying to go to sleep, but not going to affect the buy price, so it's not worth spending any money on. If they can flog the business off quickly then it becomes someone else's irritation.

 

[VPS]

I did but still got done! 74,900 points for a 06 Oct 24 - QR246, Istanbul-Doha, Qatar Airways.

I check all my bank accounts every morning so now include Virgin on that routine

 

[Subharpoon]

I did but still got done! 74,900 points for a 06 Oct 24 - QR246, Istanbul-Doha, Qatar Airways.

Update
Contacted Velocity via website contact form and received this within 12 hours:

Thank you for contacting us about the unauthorized Points redemption on your account.
We understand that you are not the one who made the booking reservation using Velocity Points. Kindly be advised that your Velocity account will be place under suspended as a security precaution. We have a specialist team looking into this and they will be in touch with you within 30 business days. During this time, we are unable to provide any details of the investigation.
As an extra precaution, please know that you will not be able to access your account online during the investigation, this is to make sure that no one can access your account. We understand this may be inconvenient, however – the safety and security of our members is our top priority.

Now we wait!

 

[Legoman]

Yep, put a calendar reminder for 7 weeks hence, but in the meantime, de-link Velocity from FlyBuys and try and de-link yourself from 7-Eleven too (if you can). You will need to delink all these partnerships anyway, so you may as well start the ball rolling now to allow for the inevitable glitches along the way.

 

[Subharpoon]

Yep, put a calendar reminder for 7 weeks hence, but in the meantime, de-link Velocity from FlyBuys and try and de-link yourself from 7-Eleven too (if you can). You will need to delink all these partnerships anyway, so you may as well start the ball rolling now to allow for the inevitable glitches along the way.

Thanks-Flybuys Unlinked; no 7-Eleven.

 

[odysseus]

Yep, put a calendar reminder for 7 weeks hence, but in the meantime, de-link Velocity from FlyBuys and try and de-link yourself from 7-Eleven too (if you can). You will need to delink all these partnerships anyway, so you may as well start the ball rolling now to allow for the inevitable glitches along the way.

I'm happy to let them stay for now as the earnings will go through, rather than being lost by terminating early.

 

[burmans]

I'm happy to let them stay for now as the earnings will go through, rather than being lost by terminating early.

You won’t lose earning by delinking flybuys, they will just accumulate in flybuys instead for a while.

 

[Legoman]

You won’t lose earning by delinking flybuys, they will just accumulate in flybuys instead for a while.

Which is exactly where they have more value anyway

 

[moa999]

Glad Virgin spent all this money on their new fancy app with the spinning points, rather than fixing this issue.

Like spinning the pokies, instead it's a was my account hacked today?

 

[JohnK]

I am fully expecting my account to be hacked again before the week is out.

This is clearly an inside job not some random occurrence.

What worries me is how easily anyone can spoof email addresses or even partially take control of phone numbers. This has nothing to do with Velocity. This is a collective effort to allow criminals easy access to our private property.

P.S. My Velocity password is still 4 numbers and my wife's as I recently had to update is now 12 characters.

 

[trippin_the_rift]

Update
Contacted Velocity via website contact form and received this within 12 hours:

Thank you for contacting us about the unauthorized Points redemption on your account.
We understand that you are not the one who made the booking reservation using Velocity Points. Kindly be advised that your Velocity account will be place under suspended as a security precaution. We have a specialist team looking into this and they will be in touch with you within 30 business days. During this time, we are unable to provide any details of the investigation.
As an extra precaution, please know that you will not be able to access your account online during the investigation, this is to make sure that no one can access your account. We understand this may be inconvenient, however – the safety and security of our members is our top priority.

Now we wait!

So, through no fault of your own...they lock you out of your account...
Can you earn points?
Does your status work?

Lately, a heap of sophisticated scams have been going on in the airline/hotel loyalty arena.

Our firm sees how the scammers achieve everything because they're also talking about stuff related to what we do.
So, we pick up the noise/chatter about how these things are being exploited. Frankly, it's impressive how some of this is pulled off.

Airlines could solve these issues quickly, but there are too many internal politics involved.
Fixes are easy, but not cheap.

We probably need a high-profile government minister's account hacked or drained of points, and then things might get fixed for the rest of us.

 

[33kft]

What worries me is how easily anyone can spoof email addresses or even partially take control of phone numbers. This has nothing to do with Velocity. This is a collective effort to allow criminals easy access to our private property.

I'm not sure why you would think that, given that neither email nor phone is being used as a security factor here. The only email notification that goes out is when the personal info in the account is changed, and attackers have been blasting victims inboxes with junk to try to hide that notification simply because they don't have access to inboxes to remove it.

There is no evidence of any sophistication here in terms of taking over people's accounts/phone numbers outside of VFF. There simply seems to be a way that VFF #s and passwords are known to or found by the attackers, or that authentication bypassed somehow.

 

[Legoman]

This has nothing to do with Velocity. This is a collective effort to allow criminals easy access to our private property.

Steady on there big fella. I know the only thing separating conspiracy with fact is 2-3 years, but I'm not quite ready to call this part of the collective effort to deny free movement through the data monitoring of everything we say and do all of the time culminating in China's social credit system ala the Black Mirror episode Nosedive. I wouldn't want to give a coughty little Australian airline quite that much credit. I do however think this does indeed have everything to do with Velocity. The hacking is not sophisticated and does not involve clever social engineering to get account holders to willingly reveal personal data. It is rudimentary at best because that's all it needs to be in order to circumvent the appallingly weak 'security' (if you can call it that) in place by Velocity. Velocity know their security wouldn't stop two children piggybacked wearing a trenchcoat, glasses and a fake moustache to evade the min height limit in a rollercoaster queue, and yet they continue to not upgrade it, in spite of all their hacked account holders telling them it is rubbish. That very much is Velocity's fault.

So, through no fault of your own...they lock you out of your account...

Yep, that's fair and reasonable isn't it? We've completely coughed up even though we know we're hopeless because everyone is telling us we're hopeless, but because we're hopeless, you now have to suffer for 7 weeks, so we can relax and take our precious time "investigating", because, we don't like to be rushed m'kay? So just cool your jets, take a valium, and let us have a cup of tea while we decide whether we can be coughd enough to stop inconveniencing you through our own incompetence.

We probably need a high-profile government minister's account hacked or drained of points, and then things might get fixed for the rest of us.

Always, always, always back the horse called Self Interest. She's a real goer.

 

[FishFood]

Make the password 360 characters long

Out of interest (I just updated my password) there is a maximum length of 16 characters. Poor form to not allow longer passwords to those who want them, such as password manager users

 

[Legoman]

Out of interest (I just updated my password) there is a maximum length of 16 characters. Poor form to not allow longer passwords to those who want them, such as password manager users

Poor form is SOP for Velocity