QF Points taken and fast response from Qantas

[DoctorSimon]

Hi,

I checked my QFF account on Easter Monday and found 185,000 points had been spent by someone (unknown) two days earlier (Easter Saturday) on a booking for 3 adults. Rang Qantas and advised, they cancelled the reservations. I sent in a stat dec with the details late on Easter Monday night and the QFF points were back in my account the next morning.

Thank you Qantas - excellent, prompt response.

However, how did they get into my account? Why didn't I get a TXT confirming the log-on from a new computer? Why didn't I get an email of the itinerary, confirming deduction of the points? etc, etc.

Seems it is too easy to steal from a QFF account, when it is effectively a bank account.

 

[I love to travel]

Very glad resolved for you. Wonder what Qantas will do with people whose names appeared on reservation.

 

[levelnine]

Strikes me as a pointless form of theft (pun intended). Unless you are booking flights for the exact same day, the tickets will be cancelled (unlike money, which can be withdrawn from an ATM). I guess it relies on the thief selling the points to some unsuspecting person and/or hoping that the theft is never detected.

As to how they got into your account, logged into to your Qantas account via an email link? Details have could been phished.

 

[goldenhorn]

I can relate. I had 150,000 points stolen from from my QFF account a couple of years ago. They had booked flights and had already taken one departing Bali for the Middle East.

I too didn’t receive any confirmations of travel booked etc. Luckily I accidentally stumbled across it when I logged into my account (these were the days before I was points chasing and checking my account balance multiple times a week lol)

I had a similar positive experience and points were returned quickly after a stat dec. to Qantas.

The culprit for me was using a computer in an executive lounge in the Beijing Hilton to log into my QF account. I suspect my login details were scraped by hackers.

 

[jetpack]

I had a similar thing happen to my Velocity account. As it turns out, the phone agent I spoke to that day accidentally took points out of my account for a booking she made for the subsequent caller. Hackers are not always the reason.

 

[drron]

My best was logging on to my Aadvantage account as I was supposedly booking a flight from Nairobi.Rang AA and they caught them in the act.

 

[DoctorSimon]

Thanks for the kind thoughts 'I love to travel' .

levelnine, I get a code texted to my mobile if I log on to my Qantas account from a different computer. I assume clicking on a link would initate the same?

 

[sinophile888]

Mr.s. had 50000 points taken from his account a year or so ago. The hackers bought iTunes vouchers which I understand are more tradable that flight tickets. They changed Mr. s's contact details, so Qantas had trouble contacting him. Qantas quickly refunded the points. SInce then, I have moved his points to my account on a regular basis. Besides, he wouldn't know what to do with the points anyway.

 

[serfty]

Besides, he wouldn't know what to do with the points anyway.

... I lolled at that ...

 

[33kft]

If you have 2FA enabled for the account, it's very unlikely that it was another person redeeming those points. Just as @jetpack has pointed out above, it's much more likely that the wrong FF account number was supplied somewhere in the chain and the points were incorrectly debited from your account, which would not require logging in nor 2FA. It also suggests why the points were likely reinstated so quickly without investigation (the audit logs probably indicated who went wrong where)

In terms of suggesting that the regulation/liabilities around FF accounts should be similar to financial institutions because of a perceived similarity - as someone who works in that arena and has seen what happens when a single regulator in a single country introduces regulations that require global banks which trade (in whatever minor/major capacity) in that country/region to either shut down their entire retail operation or spend $xx_M to retrofit the entire core banking infrastructure globally to accommodate it... any FF program with a shred of risk assessment capability would immediately find a way to shut down and bow out

 

[nannieann]

I have always thought that the Qantas system of logging in is open to abuse. If you leave your boarding pass on a table for all to see or in the seat pocket or just throw it away, it is very easy for another person to see the name and FF number. Because the password only has four numbers, it's then just a matter of entering up to 9999 digits to unlock the account online. I always bring my boarding pass home and shred it.

 

[opusman]

Because the password only has four numbers, it's then just a matter of entering up to 9999 digits to unlock the account online

You only get a few tries before the account is locked so would be very unlucky to break into by chance. I don't disagree that it's insecure though. 2FA is definitely an improvement though I wish they supported Authenticator apps rather than just SMS.

 

[33kft]

it's then just a matter of entering up to 9999 digits to unlock the account online.

The same amount of numbers that (usually, I get some are 5/6 digits) stops you from withdrawing all of the money off a card you find in the street, and more than you need to make a purchase using a paywave card in most cases. Not nearly as trivial as you're making out - if every attempt took 20 seconds (ignoring the lockout component) it would take you up to 2 and a third days to brute force, not budgeting any time for sleeping, eating, just non stop PIN guessing.

 

[Travelbugz]

I had 850,000 points stolen through 10 separate transactions over the course of 3 days in December of last year. Luckily I noticed within a day of the last transaction appearing in my account and Qantas reinstated the points within hours of receiving my stat declaration. The points were used for flight bookings and Jetstar extras. I was more annoyed that the thief was better able to find award bookings than I have been which is the reason for the large accumulation of points .

 

[Flying Fox]

I can relate. I had 150,000 points stolen from from my QFF account a couple of years ago. They had booked flights and had already taken one departing Bali for the Middle East.

I hope the rest of the itinerary got cancelled and that they got stuck somewhere terrible!!!

 

[Chief Wiggum]

I question the efficacy of the 2FA that Qantas has deployed for the Frequent Flyer accounts.

* I recently set up AwardWallet to monitor my QFF and many other loyalty-points accounts.
* Part of that process involves giving AW the login details for your QFF account - so they can log-in and update points balances and activities etc.
* I've worked out now that AW does this weekly on a Saturday arvo because I now get a regular SMS from the QF 2FA service with a code for me to use to login.
* I do nothing with this SMS code.... yet AW is able to access my account and update what it needs to, and send me a weekly summary of the changes to my QFF account... all without ever receiving or knowing the one-time 2FA SMS code.
* As far as I know, there is no read-only API from QF that AW is using to update my QFF account details. And that AW is using full-login rights to do what they do.

So what good are the QF 2FA SMS codes?

Happy (eager) to be corrected in my observations and conclusions...

 

[33kft]

4. I don’t have my mobile with me or have recently changed my mobile number. Can I still log in to my account?

If you cannot access your mobile or the verification code for any reason, simply select ‘I need to verify another way’, as shown in the window below. You’ll then be taken through a series of security questions, allowing you to log in.

You gave those security question answers to awardwallet and it uses them to log in. You'll still get the SMS as that is sent automatically when someone tries to log into your QFF account.

 

[Chief Wiggum]

OK... that now makes sense... thankyou for finding that.

I do remember having to setup those questions in my QFF account, and then give AwardWallet those details. So that's how they are avoiding needing the SMS.