Sorry to reply at such length, but I couldn't resist. Some good points in this thread.
Not sure two-factor authentication is required for login; even the banks I access don't require that. But they do require two-factor (e.g. SMS codes) when adding payees, making a first payment, etc. This is where QF could focus attention, in addition to having a decent-strength password.
I think this is the best place to look. The QF app has come forward in leaps and bounds; adding a two-factor authenticator to that, SMS codes or, failing all else, a call to the redemption centre to validate your identity.
The only situation I can imagine that causing unnecessary frustration is a FIFO employee who, in between choosing 4A on his return flight, is unable to use his mobile while on a mine site and is trying to book an award seat or redeem a Myer voucher during work hours. Or a non-tech-savvy person who can't receive an SMS code or use the app, but then again they would be less likely to book online anyway.
Some people like to use the same password for everything. It's not a bad idea for some random chat forum online, but not the same as your email. It's very common for rogue websites to test the passwords clients have used against the email address provided and then go postal with the information they can find in your email account. Services, PayPal accounts, frequent flyers. With access to an email account, they can do anything and take over everything. And you won't even know, as they delete all the emails in/out before you see them.
Words to live by: unique passwords for anything and everything that knows your email address, physical address, mailing address or phone number. Knowing any two of those, along with your name, means all anyone needs is a bank statement, bill, super statement, etc. from your physical mailbox and they can access a scary number of services.
I'm thinking of a number between 0001 and 9999
You have 5 guesses - GO!
0102
0304
9876
Also be aware that there may be scammers sending you emails that look like they are legitimately from QF asking you to reset your passwords etc. (similar to bank scam emails, PayPal etc.); however, these have a generic salutation rather than your name in the greeting. The fake one I received also had an odd sender email address when I hovered the mouse over the 'Qantas Frequent Flyer' sender details, so I knew it was fake. Plus I never reset any passwords from links in any emails, no matter how legit they look.
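The two tells mentioned in the post above, a brand name in the sender details that sits on an unrelated domain and a greeting that does not use your name, can be checked from the raw message rather than by hovering. The following is an added example, not code from this thread or from Qantas; the BRAND_DOMAINS mapping, the GENERIC_GREETINGS list and both sample messages are constructed for illustration.

```python
"""Check an email's sender details and greeting for the phishing tells
described in the post above: a display name claiming a brand while the
real address sits on an unrelated domain, and a generic salutation.

Added example, not code from the forum thread or from Qantas. The brand
mapping, greeting list and sample messages are constructed for illustration."""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the domains this display name legitimately sends from.
# Lowercase display name -> set of allowed registered domains.
BRAND_DOMAINS = {"qantas frequent flyer": {"qantas.com", "qantas.com.au"}}

# Assumption: openings that address nobody in particular.
GENERIC_GREETINGS = ("dear customer", "dear member", "dear valued", "dear user", "dear sir")

# Constructed sample: brand in the display name, unrelated domain, no name in greeting.
PHISH = """From: Qantas Frequent Flyer <security-alert@qantas-verify.example>
To: member@example.net
Subject: Your account has been locked
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Your account has been locked. Click the link below to reset your password.
"""

# Constructed sample: same display name, but on an allowed domain and addressed by name.
GENUINE = """From: Qantas Frequent Flyer <frequentflyer@qantas.com>
To: member@example.net
Subject: Your monthly statement
Content-Type: text/plain; charset="utf-8"

Dear Jane,

Your statement for May is attached.
"""


def domain_matches(domain, allowed):
    """True only for an exact allowed domain or a real subdomain of one.
    A lookalike such as qantas.com.evil.example is rejected because it
    does not end in '.qantas.com'."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(raw_message):
    """Parse the From header and the first line of the text body; return both flags."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    allowed = BRAND_DOMAINS.get(display_name.strip().lower())

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    first_line = text.splitlines()[0].lower() if text else ""

    return {
        "display_name": display_name,
        "address": address,
        # Flag only when the display name claims a brand we know and the domain is not theirs.
        "brand_domain_mismatch": allowed is not None and not domain_matches(domain, allowed),
        "generic_salutation": first_line.startswith(GENERIC_GREETINGS),
    }


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("genuine", GENUINE)):
        print(label, check_sender(sample))
```

The display name is free text chosen by the sender, so the check rests on the address's domain, and a lookalike such as qantas.com.evil.example fails because only exact matches or true subdomains of the allowed domains pass. The greeting test is a heuristic: a legitimate bulk mailer can also open with "Dear Customer", so treat it as one signal alongside the sender domain rather than proof either way.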
The old rule of 'never give your information to someone who asks for it' applies here. If a bank, airline or charity needs my information, it's because I've initiated the conversation. Phone, online, or in person.
I did the public service exam many years ago. One of the questions was: "There was a hack attempt on the computer systems. Draft a media release."
Couldn't find the release, but close enough:
https://delimiter.com.au/2016/02/17/trojan-takes-down-entire-wa-parliament-it-phone-system/
Not true at all; all you need to be able to do is access any of the intermediate points between Qantas and the target's mailbox. One of the most commonly used protocols for sending email is called SMTP, or Simple Mail Transfer Protocol, and whilst there is an encrypted version of SMTP, a lot of SMTP mail is sent unencrypted. Furthermore, many mail transfer programs use what is known as store and forward, and again these typically store mail in an unencrypted format whilst the email is being held.
There have been many attempts to secure and encrypt email over the years, but the reality is that in the choice between secure and convenient, people will always choose convenient.
So could the average person read someone else's email without that person's permission (or password)? Unlikely. However, it wouldn't even be a challenge for any system administrator.
My last email from QFF wasn't encrypted by the mass mailer server:
So, care to explain how anti-spam servers work if everything is encrypted and thus can't be read by an intermediate point?
Or how banner ads relevant to my mail content show up in the Promotions tab?
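The posts above disagree about whether mail in transit is encrypted. Whether a given hop used TLS is recorded in the Received: header each relay adds (under RFC 3848 the receiving server writes ESMTPS when the session used STARTTLS and ESMTP when it did not), so the question can be settled per message rather than argued in general. The following is an added example, not code from the thread; the header block is a constructed sample, and the protocol tokens and version= pattern it looks for are assumptions about how common MTAs word these headers.

```python
"""Walk a message's Received: headers hop by hop and report which hops
were carried over TLS (ESMTPS, i.e. STARTTLS) and which were plain SMTP.

Added example, not code from the thread. The header block is a constructed
sample; the protocol tokens and the version= pattern are assumptions about
how common MTAs word these headers."""
import re
from email import message_from_string

# RFC 3848 "with" tokens that indicate a TLS-protected session. ESMTPA is
# deliberately absent: it means SMTP AUTH was used and says nothing about encryption.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# Final delivery into the mailbox store, not an Internet hop (assumption: out of scope).
LOCAL_DELIVERY = {"LMTP", "LOCAL"}

# Constructed sample. Read top-down the headers are newest-first: the mass
# mailer accepted the message over TLS from its own app, then handed it to the
# recipient's inbound MX over plain ESMTP, which delivered it locally via LMTP.
SAMPLE = """Received: from mx-in.example.net (mx-in.example.net [203.0.113.7])
\tby imap.example.net with LMTP id 8Ab2KQ==
\tfor <member@example.net>; Thu, 04 Feb 2016 09:12:44 +1100
Received: from bulk-mailer.example.com (bulk-mailer.example.com [198.51.100.20])
\tby mx-in.example.net with ESMTP id 3e8f1a2b
\tfor <member@example.net>; Thu, 04 Feb 2016 09:12:43 +1100
Received: from campaign-app.internal (10.1.2.3)
\tby bulk-mailer.example.com with ESMTPS id 7c9d2e
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 04 Feb 2016 09:12:41 +1100
From: Qantas Frequent Flyer <frequentflyer@example.com>
To: member@example.net
Subject: Your statement

Body.
"""


def parse_hops(raw_message):
    """Return hops oldest-first, each as {from, by, protocol, tls}."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received line, so reverse to get transit order.
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(hdr).split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        protocol = proto.group(1).upper() if proto else ""
        # Either the protocol token or an explicit TLS version clause counts as encrypted.
        tls = protocol in TLS_PROTOCOLS or re.search(r"version=TLS|TLSv?1\.\d", flat) is not None
        hops.append({
            "from": frm.group(1) if frm else "",
            "by": by.group(1) if by else "",
            "protocol": protocol,
            "tls": tls,
        })
    return hops


def unencrypted_hops(raw_message):
    """Hops that crossed the network without TLS, ignoring final local delivery."""
    return [h for h in parse_hops(raw_message)
            if not h["tls"] and h["protocol"] not in LOCAL_DELIVERY]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "PLAIN"
        print(f"{hop['from']:>28} -> {hop['by']:<24} {hop['protocol']:<7} {state}")
    print("unencrypted:", [h["by"] for h in unencrypted_hops(SAMPLE)])
```

Two caveats apply when reading a real message this way. Received lines are written by the receiving side of each hop, so only the line added by your own provider's inbound server, and the lines above it, can be trusted; everything below it arrived inside the message and could have been forged by the sender. And a TLS flag on every hop says only that each session was encrypted; it says nothing about how the message sat on each relay in between, which is the store-and-forward point raised earlier in the thread.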