QFF Fraudulent activity

Status
Not open for further replies.

lowellmc

Newbie
Joined
Aug 5, 2021
Posts
1
Hi.
I'm in what appears to be a losing battle with Qantas as I attempt to recover almost 500,000 points that were stolen from my account in December 2019. I'd be interested in talking with anyone who has experienced the same. I'd also advise everyone to check their accounts carefully for fraudulent activity. Below is my recent email discussion with Qantas. They have not responded to my latest email in over a month.

Hi Qantas.
These are extraordinary times we live in so I would like you to make an extraordinary effort to resolve this problem. Under normal circumstances, I would accept your decision, but as you know there is nothing normal about living in a Pandemic.
I am curious to know why your system checks did not detect the extremely unusual activity on my account. I've been a Qantas Frequent Flyer for more than 25 years and never have I purchased a digital gift card, let alone 18 cards worth 473,950 points in one transaction. What dollar value do you put on this?
I live in Canada, so I have been unable to fly anywhere for the past 18 months so there was no reason to monitor my frequent flyer account on a regular basis since February of 2020.
I'm sure my account is not the only one that has been hacked into. I suspect that a simple scan of your activity statements around the same time my account was hacked will reveal considerably more of this criminal activity. Most companies are using two factor authentication and alert notification for all activity. One piece of email would have alerted me to this fraudulent activity immediately and I would have reported it.
I had planned to use these points for tickets for my family for a trip to Australia and New Zealand at Christmas 2021, but of course that was impossible. I started planning the same trip for Christmas 2022. I was shocked when I discovered that almost 75% of my points had been stolen and I can no longer book this family holiday.
Is there some way of tracking these gift cards in an attempt to identify the criminals? I suspect they have accumulated many more cards through this activity.
So have a meeting and think about this situation and what I have said. The best resolution would be to return my points and let me book my trip as soon as the restrictions are lifted. I would much rather resolve this problem directly rather than involve the police. That would be a long drawn out situation that would waste a lot of both your time and mine and would not likely produce satisfactory results. I will contact you soon about adding another level of security to my account.

Thanks
Lowell McLaren


On Jul 14, 2021, at 12:19 AM, Qantas Frequent Flyer wrote:
Dear Mr McLaren,

Thank you for contacting the Qantas Frequent Flyer Service Centre.

Regretfully we will not be able to reinstate the points as you have requested.

Section 6.5 of the Frequent Flyer program terms and conditions states that in the event of loss, theft or unauthorised use of a Membership number or PIN, it is the Member's responsibility to advise Qantas Loyalty as soon as possible. It also states that the member is liable for all use of the PIN or Membership number until Qantas Loyalty is notified of the loss, theft or unauthorised use.

We would recommend reporting any event of hacking or theft of personal information to the police. We will cooperate with any investigation by the police should they request information from us.

Qantas takes the matter of unauthorised account activity and account security seriously. We strongly recommend that you regularly check your account status and notify us immediately if you notice any unusual or unauthorised activity.

In addition, if you have any reason to believe your account or personal information have been compromised please contact us so we may take steps to secure your account.

We will be monitoring your account for any further unusual or suspicious activity.

Thank you for your patience while we reviewed this case.
 
Qantas have offered 2FA for a few years now - certainly prior to December 2019.

I don't think you're likely to get any response. The pandemic has nothing to do with your issue, and the tone of the message comes across as rather obnoxious despite Qantas not being clearly at fault here ("So have a meeting and think about this situation and what I have said" - DYKWIA much?)

Gift cards are notoriously difficult to track, after 20 months they've certainly been redeemed and Qantas has paid the bill for them. So why should Qantas also be liable to refund your points?

Without 2FA enabled, Qantas account security is unconventional (QFF + Last name + PIN) but accounts lock after three incorrect attempts and require a manual reset which makes it very time consuming to brute force them, and certainly not worthwhile for a few grand worth of gift cards. Was your computer or password manager login compromised?
 
I remember getting a phone call from Qantas the next day I purchased, in a moment of weakness, about maybe 500AUD worth of gift cards. They asked me lots of questions to validate the transaction. That was in the early months of the pandemic. I think I already had 2fa at that time. Hope this info helps.

Otherwise, Yea I am not too optimistic for you, this happened a while ago, and 2fa was on offer at that time.
 
I understand for you this is an emotive situation with your loss of points. Very frustrating but the tone of the shared message is hardly conducive to a positive reception in my view. Now, I understand you have shared just the latest in what likely has been a long chain of communication - very much not helped by your remote (to Aus) location - and that you're at the end of your tether.

One of the reasons these crims use gift cards is the basic fact that tracing is nigh on impossible. This is why you often see those tax scams luring unsuspecting and vulnerable people to "pay" their tax bill via iTunes cards (which is insane to most rational people of course, but to some who are scared and pressured and all it is something they fall for - so much so that many grocery stores etc staff are advised to double check with people - especially elderly - buying large values of gift cards for this very reason). As the poster above wrote QF did call them after some gift card spend so they clearly are on the ball in some circumstances. Should they have attempted to call in Canada? Maybe.. maybe not..

There are literally millions of transactions on millions of accounts for their systems to attempt to flag - and perhaps living outside of Australia it may well have been seen as legitimate spend on cards if flights or whatever were not an option.

QF are right in terms of the security of one's account being the member's responsibility until you notify them. My bank says the same for my credit/debit card. I can understand looking at one's FF transactions is not a frequent thing for many casual program users so the loss would not immediately be picked up. I understand.

The other thing is the notion of being "hacked" - for example your credentials could have been scraped from your own compromised computer, a keylogger trojan or any number of things. For example could you be sure back then you had appropriate efforts to protect your own security like anti-virus, anti-malware and that your own security was up to date? Of course one can do everything they can to protect themselves and still things happen. It seems far more likely one's QFF account credentials were stolen somehow and used rather than randomly hacked - a multiple digit QFF#, an alphanumeric surname and a sequence of digits for a PIN are a fair combination to just guess - by brute force you'd have to be amazingly lucky!

Even you yourself ended with the comment about putting extra security on your account which suggests you suspected there possibly was a problem.

It has been a long time now. I think you are possibly out of luck. You may want to try the ACA at aviationcomplants.gov.au but I feel your chances are slim.. and if you do contact the ACA perhaps a moderate and "just the facts" approach would be best rather than suggesting staff "hold a meeting and think about what I've written."

 
My banks are different. As long as I haven't disclosed my PIN, the bank absolves me from responsibility for any fraudulent transactions.

QFFF may have millions of transactions, but I daresay banks have more. And they're pretty good at flagging potential fraud... some banks a little *too* keen.

QFFF could have insisted on 2FA, just like my bank has. Given the very simple security on accounts pre-2FA, I'd say QFFF should take a similar approach to the banks.
 
December 2019? 2FA was only just being implemented, and was not mandated by Qantas. How do I know? Because I remember when I was forced to use 2FA in 2020.
 
It is interesting as anecdotal evidence on this topic suggests that upon provision of a police report, QF are fairly responsive to situations like this. If the points are required, I am not sure why the threat of involving the police is such a bad thing? Make a report to the police and let the process take its course.
 

2FA is likely problematic in a foreign country as IIRC it's mostly SMS used for 2FA and non oz phone numbers were not supported? maybe that has changed? I recall some other methods were added later (like auth apps) which helped a lot but it seems that the OP had not implemented this (and I am not saying that is his fault if QF had not forcefully enabled it on his account).

and yes OK banks deal in multiple magnitudes of transaction volumes. no doubt.

My point was an expectation on QFF to flag every single transaction as potentially wrong?

Heck if one reads my CC statement (yes not QFF but work with me) I have some outliers that are legit.. for example recently I purchased (oh no!) a gift card for a US restaurant chain for a friend's birthday over there since I couldn't be there to take them to dinner. In amongst all my more usual and dull transactions that one would probably stand out a bit. Though in an overall history of purchases in the US and other countries (as I travel) it may not. I did not get flagged on that one, yet I have been called in the past (not for some years now tbh) to confirm a purchase was legit.

Where is the line?

I mean we as consumers do have a certain responsibility as much as the vendors.

And there's also something to be said for how one approaches customer service to resolve matters (again I note as I did above that we are only seeing the latest in probably a long line of communications)

btw QF's 4 digit PIN for so long has been a very POOR level of security tbh, though it works better with the 3 items of information required making getting all correct pretty hard without obtaining the information more directly. Adding 2FA (finally) has definitely helped.

It is interesting as anecdotal evidence on this topic suggests that upon provision of a police report, QF are fairly responsive to situations like this. If the points are required, I am not sure why the threat of involving the police is such a bad thing? Make a report to the police and let the process take its course.
this may be complicated by the OP's location in Canada. Of course reports of theft or loss when traveling require police reports for insurance purposes....

... but FF points by way of buying gift cards? that's perhaps not quite so clear cut.
 
All valid points, but on the bank - it's in their interest to flag transactions. If there are some outliers which they didn't pick up, and happen to be fraudulent, they still wear the cost.

QFFF's log in is pretty basic... name and FF number from a boarding pass, then attempt to replicate the PIN. Other airlines have gone to passwords which must meet minimum requirements, or longer PINs (SQ is 6 digit for example).

QFFF has members all around the world. My UK-based bank sends me an OTP via text to my Aussie number. So international texts are possible.

And QFFF continues to offer gift cards, and to have gift cards delivered - presumably - as gifts to an address other than that listed on the membership? The requirements could be strengthened to remove high-fraud items, or to require signing on delivery for high-fraud items.

I think mannej is on the money - getting a police report might be of assistance to getting the points returned.
 
yep agree with all your points too of course. QFF could do much better in many ways. heck it was only in the last 18 months or so they finally removed FF# from BP's and just list status level(if any). Other airlines if they print the FF# mask it bar the last few digits that I have seen.

My thought on gift cards being delivered somewhere - what if they're digital and sent to an email address - like an obvious fake account which is not obviously linked to anyone.. or if physical say delivered to a business address or a PO Box or something.

They did cover themselves with their T&C that's for sure. I'm not trying to defend them per se. I think it's rotten if they won't consider some sort of compensation even if it's hard to prove where the "fault" may lie. It gets complex indeed.

So yes police report, potentially ACA as above.

I do wish the OP luck even with my comments.
 
Given QFF sends a monthly email statement, I suspect they are responding to the fact it took you so long to notice. It may feel unfair, however the T/Cs are written to benefit QFF and not us.
 
20 months? I would expect nothing, unfortunately.
 
December 2019? 2FA was only just being implemented, and was not mandated by Qantas.

The pilot ran in 2017, and I opted in later that year when it was made generally available.

Did the implementation have problems? Yes. Was it still worth enabling? Yes.

The date it was mandated by Qantas is irrelevant given the onus is on the member to secure their account.
 
The date it was mandated by Qantas is irrelevant given the onus is on the member to secure their account.

Do you have the section for that?

5.4 of the Ts and Cs says the member is responsible for making sure their PIN and other security details are kept secure.


6.5 deals with loss or theft, and says 'as soon as possible'...

6.5 In the event of loss, theft or unauthorised use of a Card or unauthorised use of a Membership number or PIN, it is the Member's responsibility to advise Qantas Loyalty as soon as possible. The Member is liable for all use of the Card, PIN or Membership number until Qantas Loyalty is notified of the loss, theft or unauthorised use.

I'm not sure how the second sentence works. If QF's systems are hacked, the member is responsible? Or if the unauthorised use was a one off, without further use of the card.

QF may argue 7.3(b):

7.3 Each Member is responsible for regularly checking their Membership Account and must:

(a) notify Qantas Loyalty of any omissions, incorrect entries or other discrepancies within twelve months of the applicable flight;
(b) notify Qantas Loyalty or the applicable partner (as specified by Qantas Loyalty) of any omissions, incorrect entries or other discrepancies within six months of any other transaction (or such other period specified by the partner).

However, 7.3 deals with discrepancies... not the loss or theft of the card or PIN which is in 6.5.
 
Given QFF sends a monthly email statement, I suspect they are responding to the fact it took you so long to notice. It may feel unfair, however the T/Cs are written to benefit QFF and not us.
This does not occur for all QFF members.

While I do get emailed statements from Qantas now and again, I can certainly not characterise them as being sent to me Monthly.
 
It comes back to how you define "hack"

what I mean is:

if a member's account was accessed because (through whatever method) their details were taken from the member - from a file on their PC for example, or keylogger or some other external method but the actual access to QF's system is legitimate - ie: a login was made with the FF#, name and PIN in a legitimate way then that is on the member. In that instance the "hack" was made on the member.

If though access to the QFF systems were made via flaws in their security (by this I mean firewalls, systems and software that allowed unauthorised access) - for example say a hacker group obtained membership details database access via a network intrusion then that kind of thing would be on QF and the member should not be liable.

So the grey area is.. how does one prove this?

Now QF would have login records for the transaction.. eg: Member logged in at date X/Time Y from IP address Z and made the purchases of the gift cards. You could then examine the IP number.. did it come from somewhere other than Canada (eg: Germany for example) then one may assume that the member is not in Germany and it's illegitimate use of the access credentials (you know these days QF sends me an email saying I logged in from such-and-such if I'm not at home to verify if it was me or not - so checks are made). However, what if it's something more? What if, I don't know, the member had their access details written in a diary or something and a friend or family member (or heck, someone robbing the home) gets this and makes use of it? (seems unlikely I know, but hey stranger things happen at sea).... and in that case what if the accesses came from local IPs - or what if someone in the house used the same PC or accessed it remotely that the member normally uses? how is QF to know if it is legit or not?

I'm writing this more as a devil's advocate I guess. These things can be quite tricky to actually prove... and really the key here from QFF's point of view is the time in telling them of the breach.. how does one define "As soon as possible"? I mean if one checks their account once every six months then is finding the problem four months after it happened "As soon as possible"? I'm not a lawyer but I can see an argument there.

Really though "hack" is a poor word imo because it's used as a coverall for a variety of crimes. In general a "hack" is probably best considered as access to a system through a flaw or vulnerability in the software designed to protect it - ie someone has gotten in somewhere they should not be and should have been prevented from doing. Sometimes user credentials to sites can be gained by means of social engineering, "phishing" -ie a fake email to steal credentials, malware and the like. All of those scams like you see every so often floating around that people fall foul of "QUANTAS are giving away 10 first class tickets for free.. " type things etc. That kind of stuff is not really a "hack" in my view.

Of course we really do not know how the member's details were acquired and used. It is more likely than not that it was not a breach of QF's systems though (but hardly impossible given many companies are impacted by corporate hacks)

my 38 cents worth :)

This does not occur for all QFF members.

While I do get emailed statements from Qantas now and again, I can certainly not characterise them as being sent to me Monthly.
and one needs to have opted in to certain communications - and many do opt out.
especially if a more casual member who does not care for 10 dull promo emails a week :D
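The post above describes the sort of rule-based review a loyalty program could run over its own login and redemption records (login country versus the member's home country, a first-ever gift card purchase, an unusually large or bulk redemption). The following is an added illustration, not Qantas code and not from any poster; the record layout, thresholds and the sample events are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Member:
    number: str                      # constructed member id, not a real QFF number
    home_country: str                # country on the membership profile
    balance: int                     # points balance before the events below
    seen_categories: set = field(default_factory=set)  # redemption kinds used before

@dataclass
class Event:
    member: str
    kind: str                        # "login" or "redeem"
    country: str                     # country geolocated from the login IP (assumed available)
    category: str = ""               # e.g. "flight", "gift_card"
    items: int = 0                   # number of items in a redemption
    points: int = 0                  # points spent by a redemption

# Thresholds are assumptions chosen for the illustration.
BULK_ITEMS = 5
BALANCE_SHARE = 0.5

def risk_reasons(member, login_country, ev):
    """Return the review reasons that apply to one redemption."""
    reasons = []
    if login_country != member.home_country:
        reasons.append("login_country_mismatch")
    if ev.category == "gift_card" and "gift_card" not in member.seen_categories:
        reasons.append("first_gift_card_redemption")
    if ev.items >= BULK_ITEMS:
        reasons.append("bulk_redemption")
    if member.balance and ev.points >= BALANCE_SHARE * member.balance:
        reasons.append("large_share_of_balance")
    return reasons

def review(members, events, min_reasons=2):
    """Walk the event stream in order; a redemption is flagged when at least
    min_reasons rules fire. State (last login country, balance, history) is
    updated as events are consumed, so earlier benign activity is remembered."""
    last_login = {}
    flagged = []
    for ev in events:
        m = members[ev.member]
        if ev.kind == "login":
            last_login[ev.member] = ev.country
            continue
        reasons = risk_reasons(m, last_login.get(ev.member, "unknown"), ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
        m.seen_categories.add(ev.category)
        m.balance -= ev.points
    return flagged

def run_demo():
    # Constructed sample: a Canada-based member with a normal flight redemption,
    # then a bulk gift card redemption after a login from a different country,
    # plus a second member whose small gift card purchase from home is routine.
    members = {
        "QF-CONSTRUCTED-1": Member("QF-CONSTRUCTED-1", "CA", 630_000),
        "QF-CONSTRUCTED-2": Member("QF-CONSTRUCTED-2", "AU", 100_000, {"gift_card"}),
    }
    events = [
        Event("QF-CONSTRUCTED-1", "login", "CA"),
        Event("QF-CONSTRUCTED-1", "redeem", "CA", "flight", 1, 20_000),
        Event("QF-CONSTRUCTED-1", "login", "XX"),      # XX: constructed foreign country
        Event("QF-CONSTRUCTED-1", "redeem", "XX", "gift_card", 18, 473_950),
        Event("QF-CONSTRUCTED-2", "login", "AU"),
        Event("QF-CONSTRUCTED-2", "redeem", "AU", "gift_card", 1, 5_000),
    ]
    return review(members, events)

if __name__ == "__main__":
    for ev, reasons in run_demo():
        print(ev.member, ev.category, ev.points, reasons)
```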
 
This does not occur for all QFF members.

While I do get emailed statements from Qantas now and again, I can certainly not characterise them as being sent to me Monthly.
I don't think I have ever received a monthly statement from QF, ever ... maybe I should subscribe to it someplace?
 
if a member's account was accessed because (through whatever method) their details were taken from the member - from a file on their PC for example, or keylogger or some other external method but the actual access to QF's system is legitimate - ie: a login was made with the FF#, name and PIN in a legitimate way then that is on the member. In that instance the "hack" was made on the member.

I would like to point out a subtlety here:
Let's say your QFF number and first name are compromised (whether it's hacked, or leaked i.e. via an old boarding pass), what can you do about it? What does Qantas do about it?

Nothing.

You can't change your QFF number, you can't change your name, and at this stage, for the rest of your life, your only line of protection for your points is a tiny 4 digit pin with 3 attempts, and only recently 2fa tokens which was fairly new at the time of OP.

If I was OP, I would make the case that Qantas failed to provide adequate security measures to protect his account, at that time. Being Canadian based might be relevant, and the timeline of 2fa-token feature general availability is critical.
 
I don't think I have ever received a monthly statement from QF, ever ... maybe I should subscribe to it someplace?
in the QFF account, menu option is Profile, and then "Interests and subscriptions" or something like that, and there is the QFF email things you can subscribe to.. one is "Your Points Balance and News" - I think this includes the monthly email.
 