QF trialling two-factor authentication for QFF accounts

lovetravellingoz · Mar 5, 2017

Pleb Status said:
If I can fake your signature, I could walk away with everything you have.....

Well at my bank in addition to signing they will ask you for ID.

Pushka · Mar 5, 2017

Pleb Status said:
So identify theft does not exist. Nice to know.

Of course it does. Just not in the manner you've described.

Pleb Status · Mar 5, 2017

Pushka said:
Of course it does. Just not in the manner you've described.

How did I describe?

All I said was that if someone could access all of the information available on a typical online banking site without TFA and if that person could also fake a signature (which they may not have) then they could 'walk away' with everything.

Everyone just assumed that would be walking into the bank and withdrawing cash but this is not how most identify theft works.

My premise at the end of the day is access to your online banking is a far greater risk to your QFF account.....

Pushka · Mar 5, 2017

I have access to all our creditors banking details but there's no way that means I can do anything with that info other than pay the bills.

Signatures are registered electronically.

nlagalle · Mar 5, 2017

Pushka said:
Of course it does. Just not in the manner you've described.

You would be surprised at how a few bits of information can be used to steal your identity.. seems it happen.

nlagalle · Mar 5, 2017

I am at a loss as to why QF went for SMS instead of a soft token.

Pushka · Mar 20, 2017

So today is another day with the test text messages. I don't get them every day but if I get one on a day there will be several.

This time I didn't get the text I had to verify with. So I selected 'need to verify in another way'. This takes you to a screen where you state your mothers maiden name, your birthdate, the date you joined - as if anyone knows that!

and postcode. Just as I realized I had no idea of the date I joined I received the original text. Five minutes later. Gonna have to improve on that!

eminere · Mar 20, 2017

The date you joined?! That's ridiculous!

kevrosmith · Mar 20, 2017

Pushka said:
So today is another day with the test text messages. I don't get them every day but if I get one on a day there will be several.

This time I didn't get the text I had to verify with. So I selected 'need to verify in another way'. This takes you to a screen where you state your mothers maiden name, your birthdate, the date you joined - as if anyone knows that! and postcode. Just as I realized I had no idea of the date I joined I received the original text. Five minutes later. Gonna have to improve on that!

The month and year joined are printed on your membership card. While not seeing your entry screens, I'd imagine this is what they are asking you to provide.

"Member since" is also printed in the header on the landing page when you log into QFF, though of course, that's less helpful when you are actually trying to log in. I guess this is where the membership card comes in.

Pushka · Mar 20, 2017

kevrosmith said:
The month and year joined are printed on your membership card. While not seeing your entry screens, I'd imagine this is what they are asking you to provide.

"Member since" is also printed in the header on the landing page when you log into QFF, though of course, that's less helpful when you are actually trying to log in. I guess this is where the membership card comes in.

I'll grab a screen shot next time.

greyyy · Mar 20, 2017

[FONT=arial, sans-serif]So bizzarre that they haven't opted to use a protocol like TOTP that allows codes to be generated offline through apps like Google Authenticator or Authy, or even though the Qantas apps! Even more important given the news of Wifi on planes where you can't receive SMS.[/FONT]

Pushka · Mar 21, 2017

Double verify this afternoon. This is the alternative to the text message:

It accepted month and year just fine.

Himeno · Mar 21, 2017

Pushka said:
This takes you to a screen where you state your mothers maiden name, your birthdate, the date you joined - as if anyone knows that! and postcode.

How did they get that information in order to verify it?

mviy · Mar 21, 2017

The date you joined is on your QANTAS Frequent Flyer membership card.

Pushka · Mar 21, 2017

Himeno said:
How did they get that information in order to verify it?

It's in the profile I guess. Entered when you join.

Himeno · Mar 21, 2017

Pushka said:
It's in the profile I guess. Entered when you join.

I don't recall ever giving them information like that requested. Sure, dob, join date, postcode/address. Information about family? nope.

I used to have an ANZ credit account. They added additional security questions to be able to login to online banking. You had to select 3 questions from a preset list and provide answers and it would randomly select one of the 3 to ask when you logged in. Answers could not be given (or existed) for any of the questions on their list, thus locking me out of my account. As such, I closed the account.

If QF wants to move ahead with security questions for QFF account log in, then any questions need to be selected by the member, not forced on them while expecting answers that the member may not have even given them.

Daver6 · Mar 21, 2017

Himeno said:
I don't recall ever giving them information like that requested. Sure, dob, join date, postcode/address. Information about family? nope.

I used to have an ANZ credit account. They added additional security questions to be able to login to online banking. You had to select 3 questions from a preset list and provide answers and it would randomly select one of the 3 to ask when you logged in. Answers could not be given (or existed) for any of the questions on their list, thus locking me out of my account. As such, I closed the account.

If QF wants to move ahead with security questions for QFF account log in, then any questions need to be selected by the member, not forced on them while expecting answers that the member may not have even given them.

What difference does it make who selects the question?

Pushka · Mar 21, 2017

Daver6 said:
What difference does it make who selects the question?

You could select a question that is meaningful to you so likely to be remembered.

Daver6 · Mar 21, 2017

The best solution is you don't actually answer the question with the correct answer. Eg, for your mother's maiden name, you just make something up that you'll remember. Means no-one else is going to guess it, as your mother's maiden name is not exactly top secret or difficult to find the answer to.

Therefore, my point is the question asked isn't important. Your nonsense answer is.

nlagalle · Mar 21, 2017

Pushka said:
So today is another day with the test text messages. I don't get them every day but if I get one on a day there will be several.

This time I didn't get the text I had to verify with. So I selected 'need to verify in another way'. This takes you to a screen where you state your mothers maiden name, your birthdate, the date you joined - as if anyone knows that! and postcode. Just as I realized I had no idea of the date I joined I received the original text. Five minutes later. Gonna have to improve on that!

If you have your card on you it's printed there...

QF trialling two-factor authentication for QFF accounts

Enthusiast

Veteran Member

Established Member

Veteran Member

Senior Member

Senior Member

Veteran Member

Established Member

Established Member

Veteran Member

Intern

Veteran Member

Senior Member

Senior Member

Veteran Member

Senior Member

Enthusiast

Veteran Member

Enthusiast

Senior Member

Become an AFF member!

AFF forum abbreviations