Qantas ff account hacked

Status
Not open for further replies.

Jillybean

Junior Member
Joined
Aug 22, 2009
Posts
11
I have been a member on here for years but don't often contribute to discussions. However now I think is an important time to do so.

Last week I went to sign in to my QFF account to check my points balance. I found that I could not gain access to the account, so I called the QFF department. They advised me that I had changed my password.... I advised that I had not changed my password. They also advised that I had purchased two items from the online Qantas Store at 16,300 points each....which I had not. It was then that they realised my account had been hacked. At that point they changed my password etc. and emailed me a Statutory Declaration to sign. They would then investigate the matter.

At 4.00am the next morning I received a text from QANTAS confirming that I had changed my password....which I had not. I called the QFF again, only to discover that another 16,300 points had been removed from the account. On investigation QANTAS advised that all three transactions on my account were for purchases from the QANTAS online store for "digital Myer Vouchers". A total of 48,900 points gone...just like that.
Qantas had to freeze the account and after investigation have decided to issue me with a whole new QFF card and number (another number to have to learn).
I emailed Lesley Grant, CEO of the QFF department, asking that these vouchers be removed from the store as they are obviously not secure and too easy to access. If someone hacks your account and uses your points to purchase these vouchers, all they have to do is print out the voucher. Simple.....too simple.
I have had a response advising that our Frequent Flyer points will be reimbursed and they are looking into those vouchers to either make them more secure or remove them.

I felt I should share my story with you as Qantas advised me that this occurrence is not common; however, it does happen. So check your FF account thoroughly and regularly. You could easily miss an automated text from QF confirming a change of password; glad I didn't.

Has anyone else had this happen to them?

Jill
 
Hey there Jill,

Interesting post.

Any ideas how someone got started on your account? Have you left boarding passes in seat-backs, that sort of thing? Have you checked every other sort of account that you access via your computer?
 
I'm aware of a few people here who have had their accounts hacked and points taken (multiple times).
 
It may not be a 'common' occurrence, but it's certainly not unprecedented. I've seen a number of similar experiences reported to AFF and am aware of at least 5 other people that this has occurred to.
 
This hasn't happened to me (yet). But I'm curious as to how easy some people have set their password. Do you have numbers plus symbols (eg. $, * or !) as part of your password? Do you have different passwords for different online accounts? If so I think it would be a lot harder to hack an account.
 
Sorry to hear but it is strange.

Pin changed by hacker and there were 2 fraudulent transactions and then account holder called Qantas. Pin changed by Qantas customer service. Then hacker has changed pin again and another fraudulent transaction.

How? Inside information? Yes I do realise they can run a script to check every pin combination under the sun but Qantas really needs to tighten up their security. Failed 5 times and account locked and only manual intervention unlocks account.
 
This hasn't happened to me (yet). But I'm curious as to how easy some people have set their password. Do you have numbers plus symbols (eg. $, * or !) as part of your password? Do you have different passwords for different online accounts? If so I think it would be a lot harder to hack an account.

You can't have a password, just a four digit PIN (for QF).
 

I would suggest it is someone who knows you rather than a random internet hacker.
There is enough information on a boarding pass that would allow a person who knows only the smallest amount about you to reset a PIN.
Alternatively, do you use a work email address in your FF profile? If so, a less than honest IT administrator at your work would have no problems getting a FF PIN reset.
 
I would suggest it is someone who knows you rather than a random internet hacker.
There is enough information on a boarding pass that would allow a person who knows only the smallest amount about you to reset a PIN.
Alternatively, do you use a work email address in your FF profile? If so, a less than honest IT administrator at your work would have no problems getting a FF PIN reset.
People also have a tendency to use their birth date or year for their PIN, so it wouldn't be hard to guess if you knew the person (or googled).
 
A 4 digit PIN is simply not secure enough these days, and it's time QF did something about it.
 
People also have a tendency to use their birth date or year for their PIN, so it wouldn't be hard to guess if you knew the person (or googled).


Perhaps, but then I doubt that a would-be hacker would then reset the PIN; that would be effectively leaving fingerprints behind.
 
A 4 digit PIN is simply not secure enough these days, and it's time QF did something about it.

You are so right. The QFF system is a code grey security and not secure enough.

I had everything on my end checked and it is not me, my accounts or server.

I have not flown with QF for a year so nothing to do with boarding passes as suggested.

I would never use my DOB as a password.

I think Qantas do need to tighten up the security to their QFFF area.
What happened to me just seemed all too easy to gain my hard earned FF points.
 
Jillybean, what an awful thing to happen to you, not once but three times! I agree that the sale of vouchers that just need downloading and printing is an area wide open to theft of points. I suppose there is no record of the IP address of the computer used to hack the account and steal the points? Perhaps QFF don't view the issue as important enough, but it should be possible to trace online activity.
 
Jillybean, what an awful thing to happen to you, not once but three times! I agree that the sale of vouchers that just need downloading and printing is an area wide open to theft of points. I suppose there is no record of the IP address of the computer used to hack the account and steal the points? Perhaps QFF don't view the issue as important enough, but it should be possible to trace online activity.

Qantas advised that they have their fraud people investigating this. Particularly as they did change everything to protect the account but within 24hrs it was hacked again.
I was worried sick about everything else of mine; that's why I had it checked at my end, and it is all OK. However, I'm so cautious of everything online now.
A four digit password is not good enough no matter how often you change it.
 
<snip>
A four digit password is not good enough no matter how often you change it.

Never have truer words been spoken. I'm surprised that IT auditors haven't pulled them over the coals for such a woefully insecure system, especially one that is valued in the billions range.
 
All you need is a BP and you've got the FF number and the surname of the target (as well as a variety of other pieces of sensitive information).

With 5 attempts at the 5 most used 4 digit pins, it's about a 20% chance of success.

These days you're able to run web-crawlers through social media to pick up photos of BPs people have posted online.
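The two ideas raised in this thread, a hard lockout after a fixed number of failures (with only manual intervention clearing it) and the observation that five guesses at the most popular PINs land far more often than five guesses out of ten thousand, are put into code below. This is an added illustration, not Qantas code or anything from the forum; the threshold of five, the PBKDF2 storage and the PIN-share figures passed to `guess_success_probability` are all assumptions or constructed placeholders.

```python
"""Added example (not Qantas code): a 4-digit PIN check with a hard lockout,
plus the arithmetic behind the thread's "5 attempts, about 20%" estimate."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

PIN_SPACE = 10_000          # 0000..9999
MAX_FAILED_ATTEMPTS = 5     # lock after this many consecutive failures (assumed policy)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    number: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    audit: List[str] = field(default_factory=list)  # what a fraud team would review


def create_account(number: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(number, salt, _hash_pin(pin, salt))


def verify_pin(acct: Account, pin: str) -> bool:
    """Return True only for the correct PIN on an unlocked account.
    Once locked, even the correct PIN is rejected until manual_unlock()."""
    if acct.locked:
        acct.audit.append("attempt on locked account")
        return False
    if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failed_attempts = 0
        acct.audit.append("login ok")
        return True
    acct.failed_attempts += 1
    acct.audit.append(f"bad pin ({acct.failed_attempts}/{MAX_FAILED_ATTEMPTS})")
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        acct.audit.append("LOCKED: manual intervention required")
    return False


def manual_unlock(acct: Account, staff_id: str) -> None:
    # Only a staff action (after identity checks) clears the lock; it is logged.
    acct.locked = False
    acct.failed_attempts = 0
    acct.audit.append(f"unlocked by {staff_id}")


def guess_success_probability(attempts: int,
                              top_pin_shares: Optional[List[float]] = None) -> float:
    """Chance that someone with `attempts` tries before lockout hits the PIN.
    If PINs were chosen uniformly it is attempts / 10000. If members cluster on
    a few favourite PINs, the best strategy is to try those first and the chance
    is the sum of their shares. The shares passed in are CONSTRUCTED placeholders
    for this example, not measured data."""
    if top_pin_shares is None:
        return min(1.0, attempts / PIN_SPACE)
    ranked = sorted(top_pin_shares, reverse=True)
    return min(1.0, sum(ranked[:attempts]))


if __name__ == "__main__":
    acct = create_account("0000000", "4711")       # constructed member and PIN
    for guess in ["0000", "1111", "2222", "3333", "4444"]:
        verify_pin(acct, guess)
    print("locked:", acct.locked)                  # True after five failures
    print("correct PIN while locked:", verify_pin(acct, "4711"))   # False
    print("uniform PINs, 5 tries:", guess_success_probability(5))  # 0.0005
    print("clustered PINs, 5 tries:",
          guess_success_probability(5, [0.10, 0.05, 0.03, 0.01, 0.01, 0.005]))  # 0.20
```

The lockout alone does not fix the problem the thread describes: with a skewed PIN distribution the bound is the sum of the top shares, not five in ten thousand, and a reset path that reissues the PIN from easily found personal details bypasses the lock entirely. The audit list is the piece a fraud investigator wants to see.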
 
To change a pin you need mother's maiden name or one of the last 5 flights flown. And altogether you need to provide 3 pieces of information and 2 of these can be DOB and mailing address line 1.

I guess the last 2 are relatively easy. The first one not so easy but if they can get that/guess that then they can change the Pin.

The other option is for Qantas to send link to registered email address.

One would think they need to tighten up the security regarding forgetting a Pin as it is too easy to change now.
 
Mother's maiden name from Birth registry I suppose.

The Qantas PIN allows 3 attempts, at least that was the message when I just entered the wrong pin.
 
Jillybean, sorry to hear about that happening to you.

In general, all the information can easily be picked up from Facebook. Mother's maiden name: lots of women have their maiden names plus married names on Facebook. If they are 'friends' with their sons, daughters, grandchildren who post all their travel stories, I reckon it would be pretty easy to get the info required.
 
To change a pin you need mother's maiden name or one of the last 5 flights flown. And altogether you need to provide 3 pieces of information and 2 of these can be DOB and mailing address line 1.

I guess the last 2 are relatively easy. The first one not so easy but if they can get that/guess that then they can change the Pin.

The other option is for Qantas to send link to registered email address.

One would think they need to tighten up the security regarding forgetting a Pin as it is too easy to change now.

Had to change my CX password this week, and it asks for your email address and then sends a link to you to reset.

The added security measure is that it has to be minimum 8 digits, including a special character and a capital letter, which makes it harder to remember but at least it's rather more secure than a 4 digit password (numbers only!)

Guess QF don't value our FF points quite as highly as we do - after all, these days they're so easy to acquire.:rolleyes: I guess they can't be bothered adding security measures to make our accounts more difficult to hack, after all that would cost $$$$ and how would they explain to the shareholders?;)
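The reset flow the last few posts prefer (a link sent only to the registered email address, plus a minimum password policy) can be built so that knowledge of a date of birth or an address line is never enough on its own. The sketch below is an added example written for this thread; it is not Qantas or Cathay Pacific code. The 15-minute link lifetime, the PBKDF2 storage and the sample member details are assumptions or constructed values; the 8-character/capital/special-character rule is the one quoted for CX above.

```python
"""Added example (not airline code): an email reset-link flow with a single-use,
time-limited token, hashed storage and the password policy quoted in the thread."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

TOKEN_TTL_SECONDS = 15 * 60   # reset link expires after 15 minutes (assumed policy)


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash for stored passwords (never store them in clear).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Member:
    number: str
    email: str                      # the address already on file, set at sign-up
    salt: bytes
    password_hash: bytes
    reset_token_hash: Optional[bytes] = None   # only the hash of the token is kept
    reset_expires_at: float = 0.0
    notifications: List[str] = field(default_factory=list)  # stands in for sent email


def create_member(number: str, email: str, password: str) -> Member:
    salt = secrets.token_bytes(16)
    return Member(number, email, salt, _hash(password, salt))


def check_password(member: Member, password: str) -> bool:
    return hmac.compare_digest(_hash(password, member.salt), member.password_hash)


def request_reset(member: Member, now: float) -> str:
    """Issue a reset token: store its hash, record an expiry, and 'email' the
    link to the address on file. The caller cannot choose where the link goes.
    The token is returned only so this offline example can be exercised."""
    token = secrets.token_urlsafe(32)
    member.reset_token_hash = hashlib.sha256(token.encode()).digest()
    member.reset_expires_at = now + TOKEN_TTL_SECONDS
    member.notifications.append(f"to {member.email}: password reset link (token={token})")
    return token


def password_meets_policy(pw: str) -> bool:
    # Policy quoted for CX in the thread: 8+ characters, a capital, a special character.
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(not c.isalnum() for c in pw))


def complete_reset(member: Member, token: str, new_password: str, now: float) -> bool:
    """Change the password only if the token is present, unexpired, matches the
    stored hash, and the new password meets policy. A used token is discarded."""
    if member.reset_token_hash is None or now > member.reset_expires_at:
        member.reset_token_hash = None
        member.notifications.append(f"to {member.email}: reset attempted with expired/no link")
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, member.reset_token_hash):
        member.notifications.append(f"to {member.email}: reset attempted with an invalid link")
        return False
    if not password_meets_policy(new_password):
        return False                      # token stays valid; member may try again
    member.password_hash = _hash(new_password, member.salt)
    member.reset_token_hash = None        # single use
    member.notifications.append(f"to {member.email}: your password was changed")
    return True


if __name__ == "__main__":
    m = create_member("1234567", "member@example.com", "OldPassw0rd!")   # constructed
    t = request_reset(m, now=1000.0)
    print(complete_reset(m, "not-the-token", "NewPassw0rd!", now=1001.0))  # False
    print(complete_reset(m, t, "NewPassw0rd!", now=1001.0))               # True
    print(complete_reset(m, t, "Another1!", now=1002.0))                  # False (used)
    for line in m.notifications:
        print(line)
```

Every step, including the failed ones, produces a notification to the registered address, which is the signal the original poster nearly missed at 4.00am; the difference from the PIN-reset path discussed above is that the attacker must also control the mailbox, not just know some facts about the member.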
 