Qantas ff account hacked

[mbeder]

I've found that patterns on the keypad makes for better guesses on pin numbers like
2580, 0852, 1379, 1590, 1739 etc.
especially with younger people on their phones

The number of possible combinations for a four digit password, where all digits can be used more than once, is only 10,000; i.e. not very secure - obviously there is the 'lock-out' after 3 attempts, but in terms of security, as others have said, it's hardly a high enough level for such 'high currency' account contents.

 

[ozbeachbabe]

Now whenever I phone them, l change my PIN number immediately after the call

Keep in mind that if you submit a request for a points upgrade then change your pin after putting that request in it will be rejected at the time of processing (eg T-72) as it will be an incorrect pin.

 

[v01c3s]

Welcome to AFF v01c3s

What were you doing that enabled you to find a vulnerability in the QF site? Have you tried it again to see if anything was done to plaster over the issue?

Going back to the BP idea. Maybe the OP left their BP in the taxi that delivered them home for example. That might explain that piece of data (address) being available.

Thanks for the welcome.

I have a background in computer security and sometimes look for these things for fun. You'd be surprised how often you can find things like this in major websites. When I find them I pass them on to the website owners (hey, better I find it and tell them than someone else finds them and doesn't).

I found two exploits - one gives up email addresses and some customer info if you can guess a booking ref (which isn't that hard) without logging in to the FF site, and the other gives up customer/seating details. Unfortunately they didn't have a bug bounty/finder's fee.

I won't go into more details, as it would be possible for baddies to reverse engineer my work. Qantas have full details. I don't think they've patched it, but haven't checked for a little while. I would be surprised if they had.

 

[prozac]

Thanks for the welcome.

I have a background in computer security and sometimes look for these things for fun. ...
... Qantas have full details. I don't think they've patched it, but haven't checked for a little while. I would be surprised if they had.

:shock: That's disturbing.

Looking forward to seeing you post a bit more frequently now that you have broken the ice.

 

[dacom]

I think that the biggest security hole is that when you need to do something with your QFF account over the phone they often ask you for your PIN, e.g. when you change a reward flight. The call centre worker now has you QFF number, Surname and PIN. A dishonest employee could have a lot of fun with that info.

I agree with that statement, I never like revealing my pin to get the customer service staff to access the account. All they need is to note the details down for later use. How many people don't change their passwords or pin for years.
I'm one of them, I better change the pin now.

 

[samh004]

I'm aware of a few people here who have had their accounts hacked and points taken (multiple times).

I had this happen last year. Ultimately the points were taken on several occasions, but at night, and the redemptions need to process manually I believe, so they were never fulfilled. First time I had to sign a stat dec, second time they didn't require that and I think ultimately it happened 3 times before I was put in touch with a special department in Qantas who secured my account such that it hasn't happened again... touch wood!

That said, I can't get my status to show under my avatar anymore







<<<<<<<

 

[theblank]

I was hacked for nearly 300,000 points in February 2014, Qantas store employee contacted me to confirm that I had ordered an Apple Computer, when I said I had not placed an order for the computer they also said that a store voucher for $50.00 had been obtained the day before, again not ordered by me.

Thats pretty dumb by the thief given the delivery of a computer to a known address.

 

[timster]

So I don't suppose anyone here has ever logged into their QFF account on a public computer (or any computer that someone else has access to for that matter), such as in a QC or BA lounge ? Or logged into their private email.
Often these exploits are closer to home than you think.
"Hacking" ? Rarely.

 

[Rebekkap]

Mother's maiden name from Birth registry I suppose.

In Victoria at least, and I'm sure in the other states/territories as well, you can't just find out details about living people from the registry. It requires all sorts of certified identification, both from you, and if you're applying to get someone's birth certificate and they are not your child aged under 18, the person whose certificate you are applying for, plus a letter of permission. Apply for a birth certificate - Births, Deaths & Marriages Victoria

 

[globbo]

I know of 6-8 people this has happened to. One such situation was the purchase of a one way flight from Hong Kong to Russia on the same day, under a Russian sounding name (fake) and they flew within 2hrs of making the booking. They could build in a 2 factor authentication on any purchases, including a flight purchase - if the surname doesn't match the account holder, why isn't the account holder asked to confirm?

In this instance, due to the amount stolen/hacked, a police report was required before Qantas would investigate as well as a stat dec.. This all look a LOT of time let me tell you!!

I've also had a few friends/family members have points taken to buy multiple iTunes vouchers.

Really frustrating..!

 

[OATEK]

I know of 6-8 people this has happened to. One such situation was the purchase of a one way flight from Hong Kong to Russia on the same day, under a Russian sounding name (fake) and they flew within 2hrs of making the booking. They could build in a 2 factor authentication on any purchases, including a flight purchase - if the surname doesn't match the account holder, why isn't the account holder asked to confirm?

In this instance, due to the amount stolen/hacked, a police report was required before Qantas would investigate as well as a stat dec.. This all look a LOT of time let me tell you!!

I've also had a few friends/family members have points taken to buy multiple iTunes vouchers.

Really frustrating..!

Welcome to AFF globbo, and yes, very frustrating.

 

[RooFlyer]

In Victoria at least, and I'm sure in the other states/territories as well, you can't just find out details about living people from the registry. It requires all sorts of certified identification, both from you, and if you're applying to get someone's birth certificate and they are not your child aged under 18, the person whose certificate you are applying for, plus a letter of permission. Apply for a birth certificate - Births, Deaths & Marriages Victoria

Any family history 'old hand' can easily get around this.

 

[theblank]

In this instance, due to the amount stolen/hacked, a police report was required before Qantas would investigate as well as a stat dec.. This all look a LOT of time let me tell you!!

and so it should. There is no good reason for them to simply take your word for it.

Best scam I know is to accumulate a million points, let it sit idle for a while, transfer the lot to gift vouchers or something else untraceable, then sometime later ring up qantas and cry "Hacked!" and expect my money back on the spot.

 

[topcat45]

I completely agree with opusman. A 4 digit pin is completely inadequate.

 

[lwcarden]

My husband's account was hacked last year and more than 250,000 points were taken - by a person who apparently stated they were a relative. The name was either Russian or one of the Slavic nations. It had to be reported to the police and QANTAS did replace the points, however if this is occurring on a regular basis something needs to be done. The one thing that is imperative is to ensure that you check your Frequent Flyer points every month when your statement comes in to your account.

 

[ozbeachbabe]

My husband's account was hacked last year and more than 250,000 points were taken - by a person who apparently stated they were a relative. The name was either Russian or one of the Slavic nations.
It had to be reported to the police and QANTAS did replace the points, however if this is occurring on a regular basis something needs to be done.

The one thing that is imperative is to ensure that you check your Frequent Flyer points every month when your statement comes in to your account.

Was the hacker silly enough to use it for air travel ie not a more anonymous award like online vouchers?

 

[G00r]

- always use long and randomly-generated passwords (I use 1password to generate 64+ character phrases of nonsense) - obviously this is much easier if you use a password manager;

+1 for password managers.

I use LastPass. You set one master password (that you don't use on any other site) to secure your vault.
Lastpass has extensions for Firefox and chrome (& no doubt the others) so when ever you are presented with a password box, you can either generate a long, random and secure password (were you about to guess F9!xsqP9FD9% ?) for the site and save it to your vault or choose from a saved entry.
Has mobile apps for on the go, with the same functionality (insert user & pass directly in to any site or app).
You can store credit cards in it for pre-fill in to any site and has 2 factor authentication.
$12 US p/a

Lastpass.com <-- direct link
Lastpass.com <-- Referral link should you choose

 

[eastwest101]

While I am sure that they are a reliable and proffesional company what would the plan-B be if Lastpass.com itself got compromised by a data security breach? Bit of a PITA to recover from that.

 

[prozac]

While I am sure that they are a reliable and proffesional company what would the plan-B be if Lastpass.com itself got compromised by a data security breach? Bit of a PITA to recover from that.

That was my thought as well.

 

[G00r]

While I am sure that they are a reliable and proffesional company what would the plan-B be if Lastpass.com itself got compromised by a data security breach? Bit of a PITA to recover from that.

Valid point..
But I guess if you weigh up using a set of even 5 different passwords amoungst the sites that you use (I used to use 4, very personal, important, semi and couldn't care less) where none of the providers' primary business is security vs using a unique password for every different site you go to and trusting a company who's entire existence relies on their data integrity.. Well I guess I have already chosen the latter.