Qantas ff account hacked

Status
Not open for further replies.
The added security measure is that it has to be a minimum of 8 digits, including a special character and a capital letter, which makes it harder to remember but at least it's rather more secure than a 4 digit password (numbers only!)

Technically it's not a password

Assuming your mother was born here? ;)

I like the secret questions. The answers I put cannot possibly be guessed by anyone.

Qantas has the option of email or reset manually online. The second option needs to be tightened. Secret questions? Longer password with at least one capital, one lower case, number and special character. All that means is that the majority of my passwords are the same. Get one, get them all.

Oh and then the inconsistencies. Some websites don't allow special characters in passwords. Some have to be 6 characters/numbers long. Some more than 8 characters. Recipe for disaster.

I like the secret questions. The thing that often stuffs me up is when they're case sensitive. For passwords I use variations of the number plates of cars I've owned. Maybe a bit OCD but I can easily remember those, then it's just a matter of getting the variation correct. So far I've had 6 car number plates, so there is decent variation allowance between sites.

I've also taken to using Keychain on my Mac. That's really good until the business change name and website. But relatively painless to update keychain to the new website.

The Qantas Credit Union really stuffed me up with the click three pictures in order thing - and that was just to see your transaction history. :shock: Perhaps they were ultra secure to make up for QFF.

I'm thinking of a number between 0001 and 9999
You have 5 guesses - GO!

And even then - I bet my first born that there are zero accounts which are relieved of their points through PIN GUESSING.
It's all obtained through other means that even a 100 digit pin wouldn't fix

Actually 3 guesses

2467, 3452, 4589, 6543 and 9654

Sorry you only get 3 guesses.
 
If the only way to reset a password on QFF is via email, then they have access to your email. It's even possible your own computer has been compromised so everything you do is being logged, including keystrokes.
You do not need an email address to reset a Qantas pin. That's why it was reset more than once and it can just as easily be reset again and again. I suspect it was someone close to OP who knew Mother's maiden name or last flight details as well as any 2 of either DOB, joining month/year, mailing address line 1.

The OP's Qantas account needs to change with a new joining date and possibly fake address line only known to OP.
 
Never have truer words been spoken. I'm surprised that IT auditors haven't pulled them over the coals for such a woefully insecure system, especially one that is valued in the billions range.
Qantas for the longest time (not so long ago) had 'We use Verisign to protect your information' just as you do a search or login. The best part? They weren't. They were using another certificate provider. I advised a friend in the industry, and it took QF months to fix it (even though I believe they were informed to change it by Verisign).

I'm honestly amazed when I can login half the time :P
 
I'm going to throw my hat into the ring with
6969
1234
1111

These all appear on the most commonly used pins list, so I'm bound to get into something.
 
no way Qantas was hacked.


I used to think along those lines before.

Until a couple of years ago, my then 14 year old nephew, as a bit of fun, hacked into a prominent government services website. In about 2 to 3 minutes.

Mind you, once in, he really didn't have a clue what else he could do. But others might not be so amateur or so naive. But it showed me how easy a password hack is.
 
I tend to believe that the larger or more numerous the image stating that they are "protected by", the higher the likelihood that they are not.
 
Did he really "hack in" or did he simply access information which although public facing is not easy to find?

For example, using something like telnet it's possible to send commands to public facing ports on remote servers. It can give the appearance of being a successful hack (since you are sending commands to remote servers and getting information back) without it actually being a crack (there is a difference between hackers and crackers, hackers simply use technology in ways the developer never intended, crackers break through security).

Don't get me wrong, these ports are still leaking information out to the world that sys admins may not want the world to know (eg which server OS they are running), and things which may look "encrypted" are potentially just re-encoded plain text (if you're interested look up something called "BASE-64 strings", it's amazing how many websites will store passwords using BASE-64 encoding which takes all of 2 seconds to decode into plain text, and if you know what you're looking for BASE-64 strings are very easy to identify), but "hacking" into websites takes more than a smile.
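As an added illustration of harvyk's Base-64 point (example code, not from the post or from any Qantas system): the first function spots a Base-64 string and decodes it, showing that an "encoded" stored credential is plaintext in all but name; the other two functions hash and verify a password with salted PBKDF2, which is what a site should store instead. The stored value is a constructed sample.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample of what a site that "encrypts" with Base-64 would store
# (not taken from any real system).
STORED_ENCODED = "cGFzczEyMzQ="

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(value: str) -> Optional[str]:
    """Return the plaintext if value is a Base-64 string that decodes to
    printable text, else None. This is the whole 'decryption' step."""
    if len(value) % 4 != 0 or not B64_RE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """What a site should store instead: a salted PBKDF2-HMAC-SHA256 digest,
    which cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```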
 
Forget old boarding passes, 4 digit pins and all those other conspiracy theories. All any potential hacker needs is access to your email as it's quite easy to then search within your email account for 'Qantas Frequent Flyer' as every month the email you receive has your ffn plus your points balance so thieves can see at a glance whether the points balance you have are worth stealing.

Although the salutation is Dear (first name) and not surname, many people have their last name as part of their email address so the thieves could now have your ffn, surname, points balance so all they need now is to click on the forgot password link.

Maybe an IT geek on AFF can tell us whether it's safer for us to use our own device with wi-fi hotspots while overseas vs a public computer which could have a phishing virus attached.

I have used computers before at hotel executive lounges etc and it's amazing how many email addresses of people who have previously logged into eg Yahoo pop up when you type the first two or three letters of your email address.

I remember another AFFer pointing out he had used a computer at a library and had his ff account hacked twice - the second time after he had changed his password and informed QF of this first incident.

Even if airlines logged IP addresses of the transaction where the points were stolen thieves could still use portable or disposable VPNs to avoid being traced.

Probably the best idea is for airlines to remove these kinds of untraceable awards or give customers the ability to permanently remove the gift voucher award option from their frequent flyer account.

Also be aware that there may be scammers sending you emails that look like they are legitimately from QF asking you to reset your passwords etc (similar to bank scam emails, PayPal etc) however these have a generic salutation not your name in the greeting. The fake one I received also had an odd sender email address when I hovered the mouse over the 'Qantas Frequent Flyer' sender details so I knew it was fake plus I never reset any passwords from links in any emails no matter how legit they look.
 
Always own device, never public computer. At least with your own device you can be sure that you don't have spyware or other tech which allows "encrypted" communications to be decrypted by an untrustworthy middleman.
 
Hi harvyk,
I get what you're saying, but he was able to access an account using a password hack. Wasn't an account of any family members or friends (or not that I know of). Took several emails from a website, used the 1st one (of about 5). Using a source code (his words), he opened an app via a wifi hotspot. After about a minute, the app had created about a dozen or so passwords. And they were different, not your usual 'pass1234' and the like. Tried the first 3, it shut him out.
Then he simply rebooted the app and tried the next 3 on the same email. 2nd one worked. Done in about 3 minutes. So, I'm thinking whatever he did he was able to circumvent the lock-out after 3 attempts. And simply try again. The app was on an android device. Possibly just a random password generator? But the fact he could circumvent the 3 attempts lock out is what scared me.
Perhaps he was accessing a cache on a VPN? I don't know. I'm not that computer savvy.
 
Was it on public wifi? It's surprisingly easy to enter a mode which simply does a packet capture on all data which passes through, so log onto a public wifi hotspot and wait a few minutes and you'll see something come through.
 
It could be? I must ask him about it.

Now you mention it, they lived only about 100 metres from a McDonalds at the time. And I remember the boys (all 3 of them) saying they could access the Maccas wifi at times, although it was a bit hit and miss.

But, you'll be happy to know he is at university now and studying..... Sports Medicine! Thankfully not computer engineering or software development. :rolleyes:
 
Pity he didn't take up something in the computer sciences, he'd have also learnt how easy it is to leave a trail when doing such things, and how easy it is to catch someone who is not really, really good.

The reality is that most hacks are not serious enough to be followed up, for example one network I managed I had between 1,000 and 2,000 hack attempts per day, with double that over school holidays. In the 14 months I was looking after that network, only 1 attack was serious enough to warrant action, and even then the action I took was to block the IP address range which this attack was coming from. Ultimately we decided it was not even worth our time to report it. So whilst crackers out there think they are smart and getting away with things, the reality is unless you annoy a really large dragon (or start stealing more than a trivial amount of money), you'll probably never be traced down, not because we can't but because it's not worth our time.

Waiting for the "but TOR..." in 3, 2, ......
 
To access someone's email, you not only need to know your target's email address, but you need to know their password, which is orders of magnitude more secure than a pin. Emails also have the ability to enable multi-factor authentication and other security tools.

If someone has access to your email account, you have much bigger problems than someone guessing their way into your FF account.

Hang on - it's not a 4 digit PIN.

You require a FF#
and
matching surname
and
matching pin

Even then - you get locked out after a few attempts

These 3 fields combined with limited number of allowed attempts do keep your account secure IMO.

I mentioned this earlier, hackers only attack accounts they have the useful information for, they wouldn't randomly generate FF numbers, surnames and pins, that would take far too long.

Right now you could create and run a webcrawler that scours the internet using image recognition to pick up and catalog boarding passes on social media. The barcode on the boarding passes can be scanned and you retrieve the victim's FF number and surname.

The first two pieces of information are extremely easy to obtain.

It's not simply that someone picked up your boarding pass and tried 9999 combinations. The likelihood of correctly guessing a pin# in this scenario is tiny.

When you run brute-force attacks, you don't randomly generate pins and passwords. Normally you'd run a dictionary attack using the most common words and passwords or pins.

This dramatically increases the probability for entry especially with a large enough set.

Around 10% of people use the pin "1234". It would be highly likely that multiple people on this forum have it for their QFF account. With 1000 targets, you'd have access to more than 100 accounts just on the first attempt.
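Two defender-side checks that follow from the discussion above, added here as example code rather than anything from the thread or from Qantas: a PIN-strength check that rejects the common PINs named in this thread (plus repeated and sequential digit runs), and a detector that runs over constructed login-failure log lines and flags a source that fails against many different accounts in a short window, the pattern a one-PIN-against-1000-accounts attempt leaves even though no single account reaches its lockout.

```python
import re
from collections import defaultdict
from datetime import datetime

# PINs the thread itself names as among the most commonly used;
# a production deny list would be far longer.
COMMON_PINS = {"1234", "1111", "6969"}


def is_weak_pin(pin: str) -> bool:
    """True if the PIN is not 4 digits, is on the deny list, is one repeated
    digit, or is a straight ascending/descending run (e.g. 9876)."""
    if not re.fullmatch(r"\d{4}", pin):
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


# Constructed login-failure log lines (not real airline logs); format is
# "<ISO timestamp> <FAIL|OK> ff=<membership number> src=<client IP>".
# 203.0.113.5 tries one PIN against seven different accounts in seven seconds;
# 198.51.100.7 is one member mistyping their own PIN three times.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL ff=1001 src=203.0.113.5
2024-05-01T10:00:02 FAIL ff=1002 src=203.0.113.5
2024-05-01T10:00:03 OK ff=1003 src=203.0.113.5
2024-05-01T10:00:04 FAIL ff=1004 src=203.0.113.5
2024-05-01T10:00:05 FAIL ff=1005 src=203.0.113.5
2024-05-01T10:00:06 FAIL ff=1006 src=203.0.113.5
2024-05-01T10:00:07 FAIL ff=1007 src=203.0.113.5
2024-05-01T10:00:10 FAIL ff=2001 src=198.51.100.7
2024-05-01T10:00:20 FAIL ff=2001 src=198.51.100.7
2024-05-01T10:00:30 FAIL ff=2001 src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) ff=(\d+) src=(\S+)$")


def detect_spray(log_text: str, window_seconds: int = 60, min_accounts: int = 5) -> dict:
    """Map each source IP to the most distinct accounts it failed against inside
    any window_seconds window; keep only sources at or above min_accounts.
    Per-account lockouts never fire on this pattern, so look at the source."""
    failures = defaultdict(list)  # src -> [(timestamp, account)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "FAIL":
            continue
        failures[m.group(4)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {acct for ts, acct in events[i:]
                        if (ts - start).total_seconds() <= window_seconds}
            if len(accounts) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(accounts))
    return flagged
```

The mistyping member's three failures on one account are left to the per-account lockout the thread describes; only the many-accounts-from-one-source pattern is flagged here.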
 
I think that the biggest security hole is that when you need to do something with your QFF account over the phone they often ask you for your PIN, e.g. when you change a reward flight. The call centre worker now has your QFF number, Surname and PIN. A dishonest employee could have a lot of fun with that info.
 
All this talk has reminded me of our new voice mail system. The old system was perfectly happy with a pin of 1234+extension number. New system rejected that option, and it rejected anything with the extension number. In the end I used my FF number as the voice mail pin. :rolleyes:

I did the public service exam many years ago. One of the questions was: "there was a hack attempt on the computer systems. Draft a media release."
 
Why are people looking at the most complex scenario? Forget email addresses and knowing passwords etc.

All you need is the QFF#, the last flight taken (boarding pass would provide this information), the DOB and address. It is not that difficult to reset the password with those details. Someone close to the OP would be able to do it fairly easily. A hacker would also be able to do it.

By the way I do not believe you are penalised if you get one of those details wrong when trying to reset the password.
 
Many years ago, so my memory is failing. But I had to reset the father-in-law's QFF account once, ISTR a limited number of attempts being allowed.
 