Qantas ff account hacked

Status
Not open for further replies.
To access someones email, you not only need to know your target's email address, but you need to know their password, which is orders of magnitude more secure than a pin. Emails also have the ability to enable multi-factor authentication and other security tools.

Not true at all, all you need to do is be able to do is access any of the intermediate points between Qantas and the targets email box. One of the most commonly used protocols for sending emails is called SMTP or Simple Mail Transfer Protocol, and whilst there is an encrypted version of SMTP, a lot of SMTP mail is sent unencrypted. Furthermore many mail transfer programs use what is known as store and forward, and again these typically store mail in an unencrypted format whilst the email is been held.

There have been many attempt to secure and encrypt email over the years, but the reality is that in the choice between secure and convenient people will always choose convenient.

So could the average person read someone else's email without that persons permission (or password)? Unlikely. However it wouldn't even be a challenge for any system administrator.
 
I have been a member on here for years but don't often contribute to discussions. However now I think is an important time to do so.

Last week I went to sign in to my QFF account to check my points balance. I found that I could not gain access to the account so called the QFF department. They advised me that I had changed my password.... I advised that I had not changed my password. They also advised that I had purchased two items from the online Qantas Store at 16,300 points each one....which I had not. It was then that they realised my account had been hacked. At that point they changed my password etc and emailed me a Statutory Declaration to sign. They would then investigate the matter.

At 4.00am the next morning I received a text from QANTAS confirming that I had changed my password....which I had not. I called the QFF again only to discover that another 16,300 had been removed from the account. On investigation QANTAS advised that all three transactions on my account were for purchases from the QANTAS online store for "digital Myer Vouchers". A total of 48,900 points gone...just like that.
Qantas had to freeze the account and after investigation have decided to issue me with a whole new QFF card and number (another number to have to learn).
I emailed Lesley Grant CEO of QFF department asking that these vouchers be removed from the store as they are obviously not secure and too easy to access. If someone hacks your account uses your points to purchase these vouchers all they have to do is print out the voucher. Simple.....too simple.
I have had response advising that our Frequent flyer points will be reimbursed and they are looking into those vouchers to either make them more secure or remove them.

I felt I should share my story with you as Qantas advised me that this occurance is not common however it does happen. So check your FF account thoroughly and regularly. You could easily miss an automated text from QF confirming a change of password glad I didn't.

Has anyone else had this happen to them?

Jill

Hi, Yes I had it with my IHG account, 330,000 points wesnt west, I received an email advising my address had been changed. i logged in and it had been changed to an address in Orlando USA and and 330,000 points had been used to buy things.
I immediately contacted IHG and asked them to stop the posting of the goods.
Rang back in a couple of days, nothing recorded !!! Went through it all again and escalated to a Manager.
In the interim I Googled the address and it was a legitimate house in a "dodgy" area.
I contacted the Police in Orlando, they told me to contact the State Police they were not interested either and said the complaint had to come from the Police where the offence had occurred, I said "it's happened THERE !!", they were not interested.
I then kept hassling IHG and after about a fortnight I got my points back, a new card number and password.
Rather traumatic as it has taken years to build them up.
I gathered from the myriad number of people I spoke to that it is not uncommon.
I am in Victoria
 
I like the old number plate scheme for passwords. Personally I use an aboriginal place name (plus the postcode) on the grounds aboriginal names are highly unlikely to be in a brute force dictionary.
 
I like the old number plate scheme for passwords. Personally I use an aboriginal place name (plus the postcode) on the grounds aboriginal names are highly unlikely to be in a brute force dictionary.

You could go a step further and use the traditional name eg instead of Oenpelli use Gunbalanya assuming you don't already.
 
Not true at all, all you need to do is be able to do is access any of the intermediate points between Qantas and the targets email box. One of the most commonly used protocols for sending emails is called SMTP or Simple Mail Transfer Protocol, and whilst there is an encrypted version of SMTP, a lot of SMTP mail is sent unencrypted. Furthermore many mail transfer programs use what is known as store and forward, and again these typically store mail in an unencrypted format whilst the email is been held.

Eh, not really the case anymore, maybe for your mail box provider.
 
Eh, not really the case anymore, maybe for your mail box provider.

So, care to explain how anti-spam servers work if everything is encrypted and thus can't be read by an intermediate point?
 
Sorry to reply so largely - but I couldn't resist. Some good points in this thread.

Not sure two-factor authentication is required for login, even the banks I access don't require that. But they do require two-factor (eg SMS codes) when adding payees, making a first payment etc. This is where QF could focus attention, in addition to having a decent strength password.

I think this is the best place to look. The QF App has come forward in leaps and bounds, adding a two factor authenticator to that, SMS codes or failing all else, a call to the redemption centre to validate your identity.

The only situation I can imagine that causing unnecessary frustration is a FIFO employee, in between choosing 4A on his return flight, not able to use his mobile while on mine site and trying to book an award seat / redeem a myer voucher during work hours. Or, a non-tech-savvy person who can't receive an SMS code or use the app - but then again, they would be less likely to book online anyway.

Some people like to use the same password for everything. Its not a bad idea for some random chat forum online, but not the same as your email. Its very common for rogue websites to test the passwords clients have used against the email address provided and then go postal with the information they can find in your email account. Services, paypal accounts, frequent fliers. With access to an emaiil account, they can do anything, and take over everything. And you wont even know as they delete all the emails in/out before you see them.

Words to live by - unique passwords for anything and everything that knows your email address, physical address, mailing address or phone number. Knowing two of any of those, along with your name, means all anyone needs is a bank statement / bill / super statement / etc from your physical mailbox and they can access a scary amount of services.

I'm thinking of a number between 0001 and 9999
You have 5 guesses - GO!

0102
0304
9876

Also be aware that there may be scammers sending you emails that look legitimately from QF asking you to reset your passwords etc (similar to bank scam emailsPayPal etc) however these have a generic salutation not your name in the greeting. The fake one I received also had an odd sender email address when I hovered the mouse over the 'Qantas Frequent Flyer' sender details so I knew it was fake plus I never reset any passwords from links in any emails no matter how legit they look.

The old rule of 'never give your information to someone who asks for it' applies here. If a bank, airline or charity needs my information, it's because I've initiated the conversation. Phone, online, or in person.

I did the public service exam many years ago. One of the questions was: "there was a hack attempt on the computers systems. Draft a media release."

Couldn't find the release, but close enough: https://delimiter.com.au/2016/02/17/trojan-takes-down-entire-wa-parliament-it-phone-system/

Not true at all, all you need to do is be able to do is access any of the intermediate points between Qantas and the targets email box. One of the most commonly used protocols for sending emails is called SMTP or Simple Mail Transfer Protocol, and whilst there is an encrypted version of SMTP, a lot of SMTP mail is sent unencrypted. Furthermore many mail transfer programs use what is known as store and forward, and again these typically store mail in an unencrypted format whilst the email is been held.

There have been many attempt to secure and encrypt email over the years, but the reality is that in the choice between secure and convenient people will always choose convenient.

So could the average person read someone else's email without that persons permission (or password)? Unlikely. However it wouldn't even be a challenge for any system administrator.

My last email from QFF wasn't encrypted by the mass mailer server:

qff.PNG

So, care to explain how anti-spam servers work if everything is encrypted and thus can't be read by an intermediate point?

Or how banner ads relevant to my mail content show up in the promotions tab :)
 
Not true at all, all you need to do is be able to do is access any of the intermediate points between Qantas and the targets email box. One of the most commonly used protocols for sending emails is called SMTP or Simple Mail Transfer Protocol, and whilst there is an encrypted version of SMTP, a lot of SMTP mail is sent unencrypted. Furthermore many mail transfer programs use what is known as store and forward, and again these typically store mail in an unencrypted format whilst the email is been held.
You don't even need to wait for someone to send an email. If their device isn't configured to use encrypted mailbox sessions (i.e when using 'POP' or 'IMAP' - common for internet provider email accounts), capturing passwords is trivial.
A smartphone might check for new email every time it connects to a WiFi network, for example.

Personally I try and avoid open/free/etc. WiFi networks as they are too easy to intercept/'sniff', a local SIM card doesn't cost much these days and the barrier to intercepting mobile network traffic is a magnitude higher.
(And PSA: Only 'Enterprise' networks that rely on username+passwords or certificates are immune to being sniffed, contrary to popular belief, PSK/password-only WiFi networks can be sniffed if the attacker also knows the password!)

If you must use insecure WiFi, use a VPN service.

If anyone hasn't already - use "Have I Been Pwned?" (haveibeenpwned.com) to see if you have accounts that have been breached elsewhere. Attackers could use personal information from a hacked site to get into another one.
 
You don't even need to wait for someone to send an email. If their device isn't configured to use encrypted mailbox sessions (i.e when using 'POP' or 'IMAP' - common for internet provider email accounts), capturing passwords is trivial.
A smartphone might check for new email every time it connects to a WiFi network, for example.

Personally I try and avoid open/free/etc. WiFi networks as they are too easy to intercept/'sniff', a local SIM card doesn't cost much these days and the barrier to intercepting mobile network traffic is a magnitude higher.
(And PSA: Only 'Enterprise' networks that rely on username+passwords or certificates are immune to being sniffed, contrary to popular belief, PSK/password-only WiFi networks can be sniffed if the attacker also knows the password!)

If you must use insecure WiFi, use a VPN service.

If anyone hasn't already - use "Have I Been Pwned?" (haveibeenpwned.com) to see if you have accounts that have been breached elsewhere. Attackers could use personal information from a hacked site to get into another one.

How does that program work ???
 
How does that program work ???
I assume you are referring to Have I Been Pwned?

Basically, if a large website has been hacked, the (leaked) account details for its users often end up on the black market (for not a lot of money, I might add). Similar things have been happening with credit card numbers for a long time.
The operator of this website (Troy Hunt, an Australian based security expert) obtains lists of the compromised accounts and allows you to search if you have been compromised.

Most of the websites with data on HIBP are specialist-IT forums but there are a couple of high profile ones (Sony, older Google/GMail and Yahoo accounts, Forbes, some notorious dating sites)
 
EXCLUSIVE OFFER - Offer expires: 20 Jan 2025

- Earn up to 200,000 bonus Velocity Points*
- Enjoy unlimited complimentary access to Priority Pass lounges worldwide
- Earn up to 3 Citi reward Points per dollar uncapped

*Terms And Conditions Apply

AFF Supporters can remove this and all advertisements

You don't even need to wait for someone to send an email. If their device isn't configured to use encrypted mailbox sessions (i.e when using 'POP' or 'IMAP' - common for internet provider email accounts), capturing passwords is trivial.
A smartphone might check for new email every time it connects to a WiFi network, for example.

Personally I try and avoid open/free/etc. WiFi networks as they are too easy to intercept/'sniff', a local SIM card doesn't cost much these days and the barrier to intercepting mobile network traffic is a magnitude higher.
(And PSA: Only 'Enterprise' networks that rely on username+passwords or certificates are immune to being sniffed, contrary to popular belief, PSK/password-only WiFi networks can be sniffed if the attacker also knows the password!)

If you must use insecure WiFi, use a VPN service.

If anyone hasn't already - use "Have I Been Pwned?" (haveibeenpwned.com) to see if you have accounts that have been breached elsewhere. Attackers could use personal information from a hacked site to get into another one.

One thing which I would add, use a trustworthy VPN service, not a "dodgy get around geo-blocks" service. All such a service would need to do is install a root certificate on your device and they can see everything, which would be worse than a teenager thinking they can hack because they can capture wifi packets.
 
Sad to confess, our family got hacked through Awardwallet last July 2015 - the program that lets you put all your reward card details and frequent flyer points etc and lets you keep track of them. Unfortunately I was sick at the time and not picking up emails. We did receive an email from awardwallet notifying that some of their accounts has been compromised and to change passwords. We also got an email from Qantas store asking me to contact them. Apparently a hacker had used our points to purchase iTunes cards. We got all the points, except my mothers, restored. We are only small fish and our balances were only about 10000 points each. I dread to think what the hacker would have done with those special people with hundreds of thousands of points.
I must also confess that I used a really obvious password so "mea culpa" in that case. The password has since been changed and I changed pin numbers etc also.
 
As everyone above has intimated, these types of intrusions can happen in so many ways that it's often difficult for the victim to track back and locate the source.

Even well prepared individuals and organisations can be hit. Effectively, I'd treat everything that accessible or transactable via the Internet as inherently insecure.

Of course there are ways to mitigate that risk:
- always use two-factor authentication where available, especially with your email account(s) as this is often the most vulnerable point.;
- have SMS alerts and a secondary email account setup for password changes to your primary account;
- always use long and randomly-generated passwords (I use 1password to generate 64+ character phrases of nonsense) - obviously this is much easier if you use a password manager;
- only use your own devices and networks to access secure sites. Use a reputable end-to-end VPN if on a non-trusted network;
- Install a secure OS in a virtual environment to conduct your 'risky' transactions. Obviously this is difficult if travelling with no PC;
- secure your own devices and networks, yes including macs and iphones.

These measures are not about being paranoid - it's just about making your digital identify a harder target to hit. Often the script kiddies will only try getting through a certain number of times in an attack before moving onto easier prey.
 
<snip> on a 3x3 key pad I reckon a pattern can be found for any 4 digit combination.

Absolutely a pattern could be found. Outside the "top 10" list, you would also find that the number 1 is highly likely as the first number of a pin, since that covers years (eg 1980), as well as birthday days. The next likely as the first number would be 2 as that would also cover birthdays.

The third digit is likely to be 1 or between 5 and 9. About the only digit which is likely to be "random" is the 4th.

You may also find that famous years in history are likely to be pins, therefore increasing the likelihood of the first digit being a 1. The other combinations which are likely would be products or media (like movies or books), so I'd bet there is more than one person using 2001, 2010, 2061 and 3001. 9000 is likely to be in there, 4077 is another one.

Another good pattern might be dirty words spelled out via a keypad, so things like 7399 or 8008 would be good guesses as well.

Long story short, pins are not exactly a good way of securing information.
 
I am late to this thread (from the gazette).

IT geeks aside, a boarding pass and/or social media posts contain adequate information for a "hacker" to spoof their way into your account through this link.
https://www.qantas.com/fflyer/dyns/fpin

It isn't really hacking at all. Just a simple exploitation of publicly available information. Once into your account, the mailing address (and/or email address) can be changed and points redeemed for goods to be sent to the new address.


That is why you should never post your boarding passes on social media (or leave them in seat pockets, bags, etc.).

If you have to post on social media, you should make sure all the useful information (and barcode) is hidden. Always take your boarding passes home and destroy them securely (as you would with a bank statement).
 
I was hacked for nearly 300,000 points in February 2014, Qantas store employee contacted me to confirm that I had ordered an Apple Computer, when I said I had not placed an order for the computer they also said that a store voucher for $50.00 had been obtained the day before, again not ordered by me. I confirmed that it was the Qantas Store calling me and the Qantas Store froze the order and asked me to send them a Statutory Declaration to say I had not purchased the voucher or ordered a computer. My password was changed immediately and a week later all points were restored. A Police report was made but inquiries did not lead to any suspects. Proactive action by the Qantas Store saved my points.
 
My first post here...

I wasn't going to post this to the forum, but here goes...

This doesn't surprise me. A couple of months ago, I found a vulnerability in the Qantas website that exposed customer and seating data, and found a way to harvest that data en masse. That would probably be enough to steal a frequent flyer account, as it contained all customer details - it would probably be easy to call up with that info, say your email address screwed up and get handed the account. I have no idea how long that hole was sitting there.

I documented it all and gave the info to Qantas, but they don't seem to have done anything about it.
 
I have also had points "stolen", although at the time it was under the guise of a "family transfer" - to someone I'd never heard of. I'd been watching my account very closely as we were wanting to book business class flights back from Europe on points as soon as they were released. So you can imagine my horror when there were 2 transfers out, one of 100,000 and another of 50,000. I rang Qantas immediately and changed the pin. They required a statutory declaration from me, and the points were eventually reinstated about a week later. The police had some idea who it was, but I'm not sure if there was any further action.
2 thoughts as to how it happened:
- I had never changed my pin from the one issued years ago when I opened the account, and I suspect everyone got the same pin in those days
- I had phoned Qantas a few days earlier to check on something, and gave my PIN number to the Qantas rep on the phone so they could look at something on my account. Not implying the staff member did anything, but someone could have overheard/looked over their shoulder, etc. Now whenever I phone them, l change my PIN number immediately after the call
 
My first post here...

I wasn't going to post this to the forum, but here goes...

This doesn't surprise me. A couple of months ago, I found a vulnerability in the Qantas website that exposed customer and seating data, and found a way to harvest that data en masse. That would probably be enough to steal a frequent flyer account, as it contained all customer details - it would probably be easy to call up with that info, say your email address screwed up and get handed the account. I have no idea how long that hole was sitting there.

I documented it all and gave the info to Qantas, but they don't seem to have done anything about it.

Welcome to AFF v01c3s.

What were you doing that enabled you to find a vulnerability in the QF site? Have you tried it again to see if anything was done to plaster over the issue?

Going back to the BP idea. Maybe the OP left their BP in the taxi that delivered them home for example. That might explain that piece of data (address) being available.
 
Status
Not open for further replies.

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top