Qantas ff account hacked

Status
Not open for further replies.
Valid point..
But I guess if you weigh up using a set of even 5 different passwords amongst the sites that you use (I used to use 4, very personal, important, semi and couldn't care less) where none of the providers' primary business is security vs using a unique password for every different site you go to and trusting a company whose entire existence relies on their data integrity.. Well I guess I have already chosen the latter.

I used to be subscribed to Stratfor, a site specialising in geopolitical intelligence. You would expect that they would be pretty secure too, right? In 2011 Stratfor wrote to me to inform me that they had been hacked. They played down the attack but an ensuing court case treated the attack seriously. Your company recommendation is only as good as their marketing will have you believe.
 
While I am sure that they are a reliable and professional company what would the plan-B be if Lastpass.com itself got compromised by a data security breach? Bit of a PITA to recover from that.

Hard to see how that could happen. There's a difference between the storing of individual passwords (or hashes) and an encrypted chunk of data. If a database containing hashed passwords is compromised it's vulnerable to a dictionary-style attack. If an encrypted chunk of data (your "password vault") is compromised, it's not vulnerable unless the encryption algorithm itself is. And companies like this would certainly be using very strong encryption.
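The dictionary-style exposure of a stolen hash table mentioned in the post above, shown as a defender's password audit (an added example, not part of the original post). The user names, the guess list and the iteration count are constructed assumptions; it compares unsalted fast hashes with per-user salted PBKDF2.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users share a common password, one uses a generated one.
USERS = {"alice": "qantas2015", "bob": "qantas2015", "carol": "F9!xsqP9FD9%"}
WORDLIST = ["password", "123456", "qantas2015", "letmein"]  # constructed guess list
ITERATIONS = 100_000  # assumed work factor for this example

def fast_unsalted(password):
    """Weak storage: a single fast SHA-256 with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted(password, salt):
    """Stronger storage: per-user salt plus PBKDF2-HMAC-SHA256 stretching."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_tables():
    """Build both kinds of stored-credential table from the sample users."""
    unsalted = {u: fast_unsalted(p) for u, p in USERS.items()}
    salted = {}
    for user, password in USERS.items():
        salt = os.urandom(16)
        salted[user] = (salt, slow_salted(password, salt))
    return unsalted, salted

def audit_unsalted(table, wordlist):
    """Each guess is hashed once and checked against every user at the same time."""
    lookup = {fast_unsalted(w) for w in wordlist}
    weak = sorted(u for u, h in table.items() if h in lookup)
    return weak, len(wordlist)  # (guessable users, hash computations needed)

def audit_salted(table, wordlist):
    """Every guess has to be re-derived per user because each salt differs."""
    weak, work = [], 0
    for user, (salt, stored) in table.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(slow_salted(guess, salt), stored):
                weak.append(user)
                break
    return sorted(weak), work  # (guessable users, slow derivations needed)

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print(audit_unsalted(unsalted, WORDLIST))
    print(audit_salted(salted, WORDLIST))
```

Both audits flag the same two accounts with the common password; the difference is the work required, which for the salted table grows with the number of users and is multiplied by the iteration count.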
 
Hasn't happened to me, but a more complex password system is well overdue I think.
 
I just called reservations and was asked to enter my 4 digit pin over the phone. Is that new?
 
I just called reservations and was asked to enter my 4 digit pin over the phone. Is that new?

I've noticed this in two calls I've made in the last week. Before you just had to enter in your QFF number, now you are asked to enter in both the QFF number and PIN. Can't say I feel too comfortable dialling 2 of the 3 identifiers needed for my QFF account into the phone.
 
+1 for password managers.

I use LastPass. You set one master password (that you don't use on any other site) to secure your vault.
Lastpass has extensions for Firefox and Chrome (& no doubt the others) so whenever you are presented with a password box, you can either generate a long, random and secure password (were you about to guess F9!xsqP9FD9% ?) for the site and save it to your vault or choose from a saved entry.
Has mobile apps for on the go, with the same functionality (insert user & pass directly in to any site or app).
You can store credit cards in it for pre-fill in to any site and has 2 factor authentication.
$12 US p/a

Lastpass.com <-- direct link
Lastpass.com <-- Referral link should you choose

I use LastPass too, the free version.
Used it for a few years and very happy.
 
Best scam I know is to accumulate a million points, let it sit idle for a while, transfer the lot to gift vouchers or something else untraceable, then sometime later ring up Qantas and cry "Hacked!" and expect my money back on the spot.
Why didn't I think of that? Grab some gift vouchers with my 1.1 million points, sell vouchers for cash, cry "Hacked!" to Qantas, get points back and book flights and pay the exorbitant fuel surcharges with the cash.

Win, win for everyone.
 
I assume you are referring to Have I Been Pwned?

Basically, if a large website has been hacked, the (leaked) account details for its users often end up on the black market (for not a lot of money, I might add). Similar things have been happening with credit card numbers for a long time.
The operator of this website (Troy Hunt, an Australian based security expert) obtains lists of the compromised accounts and allows you to search if you have been compromised.

Most of the websites with data on HIBP are specialist-IT forums but there are a couple of high profile ones (Sony, older Google/GMail and Yahoo accounts, Forbes, some notorious dating sites)


Thanks.....................................
 
A few years ago surrogate granddaughters were going on a school trip to Europe on EK. They asked if I could get allocated seats for them. It was actually easy to do but doing that I had access to all the names of their group, addresses and email address.
 
It wasn't all that many months ago that CX updated the security on their website. Upper / lower case, numbers and special characters are now mandatory.

Can we have a pool on how long the QF IT section will take to implement better passwords?

Happy wandering

Fred
 
I use LastPass.
Do you use Lastpass to login to this forum?

I can't stay logged in, and it's a pain. If I take too long to type in a post, which are often long because I compile awesome stuff, when I press submit, I have been logged out. Then logging in again and moving forward, I have lost my post.
Then I got to retype it all, and because I am cranky, I write less, so it's not as good....

Pressing back, doesn't always work, especially on the phone.
 
Do you use Lastpass to login to this forum?

I can't stay logged in, and it's a pain. If I take too long to type in a post, which are often long because I compile awesome stuff, when I press submit, I have been logged out. Then logging in again and moving forward, I have lost my post.
Then I got to retype it all, and because I am cranky, I write less, so it's not as good....

Pressing back, doesn't always work, especially on the phone.

I cut and paste my post in case I get logged out.

Sometimes when you login again after you think you've lost your post it will prompt you to reinstate your post.
 
Tick the 'remember me' box when logging in and you'll be here forever.

Some people are like me and drop their cookies etc when they close their browser. For example, it restarts your SMH/AGE read pages count, not just the airline search history. In such cases even if you tick the box, you will not be kept logged-in. You must add the site as an "exception" in the settings area for that.
 
Tick the 'remember me' box when logging in and you'll be here forever.
For personal reasons I choose not to tick that box. However that option should only be assisting me when I first visit the site on any given day or browser session. It's not a function to keep someone logged in. There has to be a technical reason why the site seems to automatically log me out after something like 5-10 mins idle.

I don't experience this on other forums.
 
Sometimes that function keeps me logged in but at other times not so much. Again any computer I own has a mind of its own.
 
I've noticed this in two calls I've made in the last week. Before you just had to enter in your QFF number, now you are asked to enter in both the QFF number and PIN. Can't say I feel too comfortable dialling 2 of the 3 identifiers needed for my QFF account into the phone.

Although it's been years since I last used phone banking, it's not really too much different, except with Phone Banking it's both easier to listen into accounts and pins (as they are not encrypted in any way), and it's harder to get caught if you attempt to use someone else's details with Phone Banking. Plus it's then actual and real money which the cracker has access to rather than loyalty points which are limited in the ways which they can be used.
 