Fraud on Velocity Frequent Flyer accounts

Airlines could solve these issues quickly, but there are too many internal politics involved.
Fixes are easy, but not cheap.

Fixes are easy - and cheap. Well, to get the 'low hanging fruit' anyway.

Either, or better, both:
- block redemptions within the next say 2-3 days, or at a minimum on Qatar in that time and that looks to take away most of the viability. A more friendly way would be to permit these bookings only through the customer service centre, with verification. A bit more expensive, but I doubt there's a massive legitimate volume of bookings for those conditions that CS cost would be great.
- prevent changes to email address online. Require contact through CS, with verification provided. Again, cheap and easy to do, with little CS cost.

Slightly more expensive, but standard nowadays and not excessively costly is IP/session verification as is done with financial payments, which this is equivalent to in the case of redemptions. i.e. if a redemption is made, is the session trusted, or is it a new IP? Permit the first, reject the latter - again, require them to go through CS or add verification to the session.

Of course that won't eradicate it BUT with the extra lead time and extra visibility it will mean that most of the current dodginess can be picked up and cancelled in that time, making the honey pot less attractive. There are also things that do cost more and do a greater job of blocking, but it's just way too easy as it stands, so the aim is to make it harder, and then focus on the next best value things to improve.
 
To your first dot point, I would add "redemptions not originating or finishing in AU". I don't think the scammers would try to sell off a stolen redemption flight involving AU??
 
I don't see why they wouldn't sell it, if they have a customer wanting to fly from or to AU and award availability is there? They'd sell you anything that makes those points into $$, it's just less likely I guess given how/where we assume they operate.

I think the easiest quick fix/band-aid for Velocity would be to restrict/disable the ability to change email addresses on the profile online (realistically, how often do you have to do this?) but make people call for further validation, or at least institute some kind of 24/48hr black-out period for redemptions following the change of email. But it's all crickets...
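
Added example (not part of any post, and not Velocity's code): a sketch of the redemption gate suggested in this thread, combining the near-departure hold and trusted-session check from the earlier post with the post-email-change blackout suggested above. The thresholds, field names and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are assumptions based on the figures floated in the thread.
NEAR_DEPARTURE = timedelta(days=3)    # "within the next say 2-3 days"
EMAIL_BLACKOUT = timedelta(hours=48)  # "24/48hr black-out period"

@dataclass
class Account:
    email_changed_at: Optional[datetime]  # None = never changed online
    trusted_ips: frozenset                # IPs seen on earlier verified sessions

@dataclass
class Redemption:
    requested_at: datetime
    departs_at: datetime
    session_ip: str

def review_reasons(acct, r):
    """Reasons a redemption needs out-of-band verification (empty = allow online)."""
    reasons = []
    if r.departs_at - r.requested_at <= NEAR_DEPARTURE:
        reasons.append("near_departure")
    if (acct.email_changed_at is not None
            and r.requested_at - acct.email_changed_at < EMAIL_BLACKOUT):
        reasons.append("recent_email_change")
    if r.session_ip not in acct.trusted_ips:
        reasons.append("untrusted_session")
    return reasons

def decide(acct, r):
    """Route to customer-service verification rather than rejecting outright."""
    reasons = review_reasons(acct, r)
    return ("hold_for_verification", reasons) if reasons else ("allow", [])

# Constructed sample data (documentation IP ranges, made-up timestamps).
NOW = datetime(2024, 5, 1, 9, 0)
OWNER = Account(email_changed_at=None, trusted_ips=frozenset({"203.0.113.10"}))
VICTIM = Account(email_changed_at=NOW - timedelta(hours=5),
                 trusted_ips=frozenset({"203.0.113.10"}))
PLANNED = Redemption(NOW, NOW + timedelta(days=30), "203.0.113.10")
SUSPECT = Redemption(NOW, NOW + timedelta(days=1), "198.51.100.7")

if __name__ == "__main__":
    print(decide(OWNER, PLANNED))
    print(decide(VICTIM, SUSPECT))
```

Returning the list of reasons rather than a bare yes/no lets the customer service team see which checks tripped when the member calls in.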
 
Please just stop. You're making far too much sense. Logic and rational suggestions aren't appreciated at Velocity. They've made an entire business off the back of excuses and endless apologies, and it just wouldn't do to have to completely change the work culture now this late in the game. Their motto is Excuses are better than Prevention. There's another idiom that coughs on about "prevention" and "cures", but Velocity haven't heard that one yet.
 
Update
Contacted Velocity via website contact form and received this within 12 hours:

Thank you for contacting us about the unauthorized Points redemption on your account.
We understand that you are not the one who made the booking reservation using Velocity Points. Kindly be advised that your Velocity account will be placed under suspension as a security precaution. We have a specialist team looking into this and they will be in touch with you within 30 business days. During this time, we are unable to provide any details of the investigation.
As an extra precaution, please know that you will not be able to access your account online during the investigation, this is to make sure that no one can access your account. We understand this may be inconvenient, however – the safety and security of our members is our top priority.


Now we wait!
Update #2
Received this morning:

Hi Subharpoon

This email is to notify you that Velocity Rewards Pty Ltd (Velocity or us or our or we) has detected unusual activity in relation to your Velocity Account. If you contacted us, thank you for alerting Velocity to the unusual activity detected on your account.

Your Account has been suspended while the matter is investigated in accordance with section 2.6 of the Membership Terms.

During this time, we are unable to provide further information, however we will inform you of the outcome of our investigation within 30 business days. We do realise that this is a less than ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

The Membership Terms can be accessed in full at Terms and Conditions

Yours sincerely
Velocity Frequent Flyer
 
A shame one of these 'major changes' was not the introduction of 2FA. Hopefully now all the 'enhancements' are out in the open, they can focus on this, but I imagine there's still much more to be done on the technical side with the 'enhancements'.
 
Virgin has the data on how many points are being stolen, who is doing it, how they are doing it, and how much money is being lost. I'm sure their people are working on whatever response is appropriate depending on the magnitude of the problem. Velocity is still the most profitable part of their business so this issue can't be doing much damage.

By all accounts they are reimbursing all customers affected so the issue is really just the inconvenience of not being able to use your points during the 7 week investigation period.
 
Most of us are quite sure that "their people" are doing absolutely nothing about it! In particular, improving login security seems to have passed them by while they slept
 
Hear hear! And if they are not doing anything structurally about it but are simply refunding anyone affected eventually and just take it as a cost of doing business, why take 7 weeks? The superficial investigation and cancellation of any redemptions (if not already flown by the time it's reported) wouldn't take longer than a week or two.

On another note, with the latest announcement of lifetime Gold status being introduced, how will this go for those of us who had to open a new account? By the time they roll this out mid next year my old account will long be gone. But also, there's no way for me to take stock of my lifetime SCs now as it's not tracked anywhere...
 