Qantas ff account hacked

[JohnK]

Mother's maiden name from Birth registry I suppose.

Assuming your mother was born here?

I like the secret questions. The answers I put cannot possibly be guessed by anyone.

Qantas has option of email or reset manually online. The second option needs to be tightened. Secret questions? Longer password with at least one capital, one lower case, number and special character. All that means is that the majority of my passwords are the same. Get one, get them all.

Oh and then the inconsistencies. Some websites don'tallow special characters in passwords. Some have to be 6 characters/numbers long. Some more than 8 characters. Recipe for disaster.

 

[get me outta here]

I remember reading that to questions that are not hard to find answers out because so many sites ask you this stupid 'security' question, you answer something like Elvis Presley or Adele or whatever.

Assuming your mother was born here?

I like the secret questions. The answers I put cannot possibly be guessed by anyone.

Qantas has option of email or reset manually online. The second option needs to be tightened. Secret questions? Longer password with at least one capital, one lower case, number and special character. All that means is that the majority of my passwords are the same. Get one, get them all.

Oh and then the inconsistencies. Some websites don'tallow special characters in passwords. Some have to be 6 characters/numbers long. Some more than 8 characters. Recipe for disaster.

 

[Buzzard]

I assume Qantas did a cost/benefit analysis. How much to fix the system vs how much fraud costs? Maybe the fraud costs less?
Seriously, why can't they just implement something like an authenticity code sent to your phone before a transaction can be finalised?
Maybe we are talking higher $$ value here but both Citi and NAB send me an SMS pass code.

 

[whatmeworry]

How many times have Qantas stuffed up their website? We can't trust them with major chances, how can we trust them with minor changes.

Also beware using your accounts over unsecured wifi networks.

 

[OATEK]

I assume Qantas did a cost/benefit analysis. How much to fix the system vs how much fraud costs? Maybe the fraud costs less?
Seriously, why can't they just implement something like an authenticity code sent to your phone before a transaction can be finalised?
Maybe we are talking higher $$ value here but both Citi and NAB send me an SMS pass code.

Not sure two-factor authentication is required for login, even the banks I access don't require that. But they do require two-factor (eg SMS codes) when adding payees, making a first payment etc. This is where QF could focus attention, in addition to having a decent strength password.

 

[JohnK]

I remember reading that to questions that are not hard to find answers out because so many sites ask you this stupid 'security' question, you answer something like Elvis Presley or Adele or whatever.

Someone would have access to my security questions from another website? Then they'd have my password as well if that's the case. I've lost count how many internet accounts I've got. I am not going to make each password unique.

Also I don't have a middle name and neither does mum or dad yet I make up a middle name as part of the security questions. I'm assuming security questions are safe otherwise everyone gets hacked easily.

 

[Jillybean]

Just had a thought. I wonder if there is a connection between QF and Woolworths who have recently dropped the QFFF option from their Rewards card.
I wonder where our information goes if Woolworths no longer want it attached to their Rewards card.

 

[theblank]

It was then that they realised my account had been hacked.

I think you are looking in the wrong place.

Its important to note here, that your account has not been 'hacked'. By definition that means someone has broken into a computer and got into your account by a backdoor. If Qantas was hacked, then it would be all over the news. If it was your computer was hacked, or only your account at Qantas that was hacked, have a think for a second, what made you so special to be targeted?

The most likely scenario is your password was compromised, and from the story you tell it does seem like they began by accessing your email account first. as you mentioned, they changed your Qantas password, they didnt know it first, Then how else would they be able to to go through the forgot password your password after you changed it without having access to your email!

Some people like to use the same password for everything. Its not a bad idea for some random chat forum online, but not the same as your email. Its very common for rogue websites to test the passwords clients have used against the email address provided and then go postal with the information they can find in your email account. Services, paypal accounts, frequent fliers. With access to an emaiil account, they can do anything, and take over everything. And you wont even know as they delete all the emails in/out before you see them.

If I was you, even if what I said doesnt sound right, is change ALL your passwords for all Email accounts immediately. And never use the the password with your email address with ANYTHING else at all. Set up whatever secondary authentication they offer, with Gmail there is a code texted to your phone if you sign in on a different computer. Then do the same with anything that is really Yours, like Facebook, Ebay, banks.

Personally, this doesnt sound like any security breach on your computer based on the info given.

 

[trippin_the_rift]

A 4 digit PIN is simply not secure enough these days, and it's time QF did something about it.

Hang on - it's not a 4 digit PIN.

You require a FF#
and
matching surname
and
matching pin

Even then - you get locked out after a few attempts

These 3 fields combined with limited number of allowed attempts do keep your account secure IMO.

Phishing - keyloggers - peoples email accounts being compromised - insecure wifi - using the same pass/pin accross all your accounts (especially when using the same user/email login) === this is where you get "hacked". Even a 50 character password wouldn't protect an account in this case.

It's not simply that someone picked up your boarding pass and tried 9999 combinations. The likelyhood of correctly guessing a pin# in this scenario is tiny.

 

[opusman]

The 4 digit PIN is the only piece of information that's secret, the other 2 are easily obtainable.

 

[Jillybean]

Yes the first thing I did was change all my passwords as I was then so worried about everything I access online being compromised. Then 24 hours later I was hacked again.

 

[whatmeworry]

Yes the first thing I did was change all my passwords as I was then so worried about everything I access online being compromised. Then 24 hours later I was hacked again.

You should run your antivirus programs plus run a program such as spybot or similar as you might have malware on your computer.

 

[trippin_the_rift]

The 4 digit PIN is the only piece of information that's secret, the other 2 are easily obtainable.

I'm thinking of a number between 0001 and 9999
You have 5 guesses - GO!

And even then - I bet my first born that there are zero accounts which are relieved of their points through PIN GUESSING.
It's all obtained through other means that even a 100 digit pin wouldn't fix

 

[Pleb Status]

With everyone stating that the four digit pin is not secure, it would appear that the pin was actually very secure and it was the 'forgot my pin' process which could be at fault (as the pin was changed not cracked).

For a reasonable percentage of people, I would say the pin will be more secure than a password, as the most popular passwords are very easy to crack (Password1, Qwerty1 etc).

 

[Pleb Status]

I'm thinking of a number between 0001 and 9999
You have 5 guesses - GO!

And even then - I bet my first born that there are zero accounts which are relieved of their points through PIN GUESSING.
It's all obtained through other means that even a 100 digit pin wouldn't fix

2467, 3452, 4589, 6543 and 9654

 

[JohnK]

The most likely scenario is your password was compromised, and from the story you tell it does seem like they began by accessing your email account first. as you mentioned, they changed your Qantas password, they didnt know it first, Then how else would they be able to to go through the forgot password your password after you changed it without having access to your email!

It is much easier than having access to someone's email address. You can reset the Qantas pin online as per what I described in post $#17 and most of the information required is easily acquired.

So even if someone has reset the pin the perpetrator can go back and reset it again the same way they did the first time.

 

[Radio8tiv]

2467, 3452, 4589, 6543 and 9654

I've found that patterns on the keypad makes for better guesses on pin numbers like
2580, 0852, 1379, 1590, 1739 etc.
especially with younger people on their phones

 

[Jillybean]

With everyone stating that the four digit pin is not secure, it would appear that the pin was actually very secure and it was the 'forgot my pin' process which could be at fault (as the pin was changed not cracked).

For a reasonable percentage of people, I would say the pin will be more secure than a password, as the most popular passwords are very easy to crack (Password1, Qwerty1 etc).

No, I hadn't forgotten my pin number. My pin number would not give me access to my account. After phoning QFFF it was discovered that someone else had changed my pin number which enabled them to access my account to use my points.

 

[opusman]

I'm thinking of a number between 0001 and 9999
You have 5 guesses

Let me guess, you use "password" as a password on most websites, or "password1234" when you want to be ultra secure?

 

[theblank]

Yes the first thing I did was change all my passwords as I was then so worried about everything I access online being compromised. Then 24 hours later I was hacked again.

no way Qantas was hacked. That would take corporate level espionage for just stealing a lousy few hundred dollars. That's so unrealistic. IMO you are wasting your time with Qantas, you need to be looking at your own stuff.

If the only way to reset a password on QFF is via email, then they have access to your email. It's even possible your own computer has been compromised so everything you do is being logged, including keystrokes.

Who is your email provider? If Google you can log into your account and see the history of IP addresses that has logged in recently. Many other providers can reveal the same info. Also ask them to restore all recently deleted emails, some providers can do that.