QFF Fraudulent activity

Status
Not open for further replies.
If I were OP, I would make the case that Qantas failed to provide adequate security measures to protect his account at that time. Being Canada-based might be relevant, and the timeline of 2FA token feature general availability is critical.
(devil's advocate hat on again.. it has horns and everything!) The problem is how do you define "adequate"? You could argue a surname, unique QFF# and PIN is fair security. How does one prove that QF's security was inadequate? IMO it's as hard as proving the member's credentials were stolen from them somehow due to THEIR inadequate measures (and note, the OP already kinda admitted this when in his note to QF he said he would add more protection... which, while I'm no legal expert, could be taken as an admission that perhaps his end was not as secure). At any rate the argument works both ways, and QFF have made it clear that until they are notified the security of membership credentials is the responsibility of the member (unless, obviously, one could prove that it was QFF's systems that were hacked as opposed to members' credentials obtained via other methods outside of QFF).
 
I have all the boxes ticked on the interests etc, and monthly statements are definitely a thing of the past.
Indeed, I cannot remember when I last received one.
 
I get monthly points balances and news still. Mostly non-events, but they do come.
 
you could argue a surname, unique QFF# and PIN is fair security.

You can't claim that Surname + QFF# is part of the security measure if you cannot change them when you think it is compromised.
 

You can't claim that Surname + QFF# is part of the security measure if you cannot change them when you think it is compromised.
From QF.

With Two-Factor Authentication (2FA), we check if it's really you trying to access your account by asking for a verification code sent to your registered email address, mobile number or Authenticator App. Alternatively, you can answer security questions. To set up 2FA, log into your Profile and go to 'Personal Information'. For more on 2FA, read our FAQs.
 
You can't claim that Surname + QFF# is part of the security measure if you cannot change them when you think it is compromised.
No, but you can change the PIN and have 2FA....

Aside I do wonder if QFF have created new QFF accounts in such situations?
 
no, but you cAN change the pin and have 2FA....

Aside I do wonder if QFF have created new QFF accounts in such situations?
Changing your PIN just means that someone who already knows your QFF# and name has 3 chances out of 10,000 to guess your PIN. That's not secure.
Of course, there is 2FA now; I personally enabled it as soon as it was announced. But in the context of OP's hack, it was fairly new, if available at all (I don't have the timeline).

For your last question, I can only say from personal experience that Qantas doesn't seem to create a new QFF account/number for members who got their details compromised. My Kogan account was hacked, which included my name and linked QFF number. Later that week, my QFF account got locked due to too many failed attempts (I would have been safe with 2FA anyway). I asked Qantas (call and email) what could be done about it, including getting a new number. It didn't seem to be possible.
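
An added example (not code from the thread, and not Qantas's system) of the arithmetic behind the "3 chances out of 10,000" remark above. It goes beyond the single targeted account to the case a practitioner actually worries about: an attacker who already holds a list of (surname, member number) pairs from some unrelated breach and spends only a few guesses per account, so a per-account lockout never fires, and members who pick predictable PINs. The lockout threshold of 3 follows the post; the list sizes, the PIN-popularity shares and the MemberStore class are constructed for illustration.

```python
"""Brute-force odds for a 4-digit PIN under an account-lockout policy.

Added example, not code from the AFF thread or from Qantas. The lockout
threshold (3 wrong guesses) follows the poster's "3 chances out of 10,000";
every other number here is constructed for illustration.
"""
from fractions import Fraction
from typing import Dict, Tuple
import random

PIN_SPACE = 10_000  # "0000".."9999"


def per_account_success(guesses: int, pin_space: int = PIN_SPACE) -> Fraction:
    """Chance that `guesses` distinct guesses hit one uniformly random PIN."""
    return Fraction(min(guesses, pin_space), pin_space)


def expected_spray_compromises(accounts: int, guesses_per_account: int) -> Fraction:
    """An attacker holding `accounts` (surname, number) pairs from elsewhere spends
    `guesses_per_account` tries on each, staying under the lockout threshold on every
    account. Per-account lockout never fires, so the yield is linear in the list."""
    return accounts * per_account_success(guesses_per_account)


def prob_at_least_one(accounts: int, guesses_per_account: int) -> float:
    """Probability that the spray opens at least one account."""
    p = float(per_account_success(guesses_per_account))
    return 1.0 - (1.0 - p) ** accounts


def top_k_mass(popular: Dict[str, float], k: int) -> float:
    """If PINs are not chosen uniformly (birth years, '1234'), the attacker guesses the
    most popular ones first. `popular` maps a PIN to the share of members using it
    (constructed figures); the remaining mass is spread evenly over the other PINs.
    Returns the share of accounts that fall to the first k guesses."""
    named = sum(popular.values())
    if not 0.0 <= named <= 1.0:
        raise ValueError("shares must sum to at most 1")
    rest = PIN_SPACE - len(popular)
    each = (1.0 - named) / rest if rest else 0.0
    ranked = sorted(popular.values(), reverse=True) + [each] * rest
    return sum(ranked[:k])


class LockedOut(Exception):
    pass


class MemberStore:
    """Toy loyalty back end: (surname, number) -> PIN, locking an account after
    `max_failures` consecutive wrong PINs. A model for the simulation only."""

    def __init__(self, pins: Dict[Tuple[str, str], str], max_failures: int = 3):
        self._pins = pins
        self._failures = {key: 0 for key in pins}
        self.max_failures = max_failures

    def login(self, surname: str, number: str, pin: str) -> bool:
        key = (surname, number)
        if self._failures[key] >= self.max_failures:
            raise LockedOut(key)
        if self._pins[key] == pin:
            self._failures[key] = 0
            return True
        self._failures[key] += 1
        return False


def simulate_spray(n_accounts: int, guesses_per_account: int = 3, seed: int = 1) -> int:
    """Monte Carlo check of the closed form: members get random PINs, the attacker
    tries the same first `guesses_per_account` candidates against every account and
    stays under the lockout threshold. Returns how many accounts were opened."""
    rng = random.Random(seed)
    pins = {("MEMBER", f"{i:010d}"): f"{rng.randrange(PIN_SPACE):04d}"
            for i in range(n_accounts)}
    store = MemberStore(pins)
    if guesses_per_account > store.max_failures:
        raise ValueError("a spray stays below the lockout threshold by design")
    candidates = [f"{p:04d}" for p in range(PIN_SPACE)]
    rng.shuffle(candidates)
    opened = 0
    for surname, number in pins:
        for pin in candidates[:guesses_per_account]:
            if store.login(surname, number, pin):
                opened += 1
                break
    return opened


if __name__ == "__main__":
    print("one account, 3 guesses:", per_account_success(3))
    print("100,000 accounts, 3 each, expected opened:", expected_spray_compromises(100_000, 3))
    print("P(at least one) over 3,000 accounts:", round(prob_at_least_one(3_000, 3), 3))
    print("top-3 guesses vs constructed popular PINs:",
          top_k_mass({"1234": 0.05, "1111": 0.02, "0000": 0.01}, 3))
    print("simulated, 50,000 accounts:", simulate_spray(50_000))
```

The point the numbers make: a lockout after 3 failures caps the attacker at 0.03% per account, which is the figure in the post, but an attacker with a hundred thousand leaked (surname, number) pairs still expects about 30 accounts from one quiet pass, and predictable PINs raise that share further. Per-account lockout defends the account, not the population; a second factor or rate limiting by source is what changes the spray arithmetic.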
 
I don't think I have ever received a monthly statement from QF, ever ... maybe I should subscribe to it someplace?
I get them sporadically, as does the rest of the family, and as @serfty mentions it is not on a regular basis. When QF changed the business program from Acquire to QBR I had to call QF to get the monthly statements reactivated, but that is going OT.

On another note, I had my QFF hacked back in 2015; I was fortunate that I did not lose too many points. Luckily for me I had used most of them for OW award bookings for the family a month earlier. I had become suspicious because when I went to log in my PIN would not work; I would reset it and then it would not work again, and the points balance was going down.

Long story short, I called QF and after discussing options my old account was cancelled and a new one was created by the QF agent. It was not an easy process, as the agent went through points transactions and tallied up ones that I disagreed with; at the time I was more interested in getting my points balance back to what I thought it was and retaining my status. Once we agreed on everything I was informed that it would take overnight for the new account to be set up, and was warned that once my old FF was deleted it was gone forever. I agreed. By the following morning I had received an email with a new QFF number, which was now 10 digits in length, and after logging in I was happy with the points balance and my status was still the same.

I then noticed my LT SC, around 11K-12K, had been reset to zero, so I called QF to see if the 10 digit number could somehow be changed back to my original number and the LT SC reinstated. I incorrectly assumed it may have been possible to overwrite my new QFF number with the old one and that the agent could still look up the details of my old account. When searching for my old number the agent advised there was no record to be found. As I still had my points and status I was OK with the outcome. The LT SC reset was annoying, as I was close to LTG (LTP was not on the radar) and with the travel I was doing at the time LTG was achievable in 2-3 years, which it was.

@RichardMEL yes, a new QFF can be created, but from experience I would only do it again as a last resort. @ChrisMars you bring up a good point about your Kogan account: at the time of my new account creation all my linked QFF accounts (e.g. Woolies) stopped working for points auto-transfer; in the end I had to set up a new Woolies account.

My experience is now 6 years old so not sure how QF are dealing with similar situations these days.
 
Wow Matt - they did nothing to redress the LTSC count of thousands? That is.... amazing... and surprising/disappointing.

but it seems like you had a very good outcome otherwise.
 
I used the word 'hack' to cover a number of potential flaws. IIRC I have been asked by QF to provide my PIN over the phone for certain transactions? This is potentially a flaw and could be fixed by requiring the account member to enter the PIN via the keypad rather than saying it out loud. Other flaws could be a hack of QFFF's systems, like happened to Star Alliance.

QF could also have insisted on longer passwords, alpha-numeric passwords, or 2FA. Not leave it to the customer to choose. Other airlines have gone down that path.

Reports of unauthorised access to QFFF accounts are not unheard of. If QFFF wants to take the risk with fairly low - albeit convenient for the user - security, they should cover any losses.
 
...

The date it was mandated by Qantas is irrelevant given the onus is on the member to secure their account.

I don't think that's entirely fair. We're talking your Audi or holiday yacht where there are actually multiple measures that can be taken. To continue the analogy, Qantas owns the carport and the boat yard and only puts up a fence in front secured with zip ties. The account owner isn't in a position to turn that fence into a 10-foot brick wall and install a security system.
 
Wow Matt - they did nothing to redress the LTSC count of thousands? that is.... amazing ... and surprising/disappointing.

but it seems like you had a very good outcome otherwise.
To this date, and IIRC, the QF agent did warn me about the decisions I was making at the time, and LT SC was low on my priority list; I was a P1 at the time and retaining status was what I cared about. Six years on I have a different opinion.
 
Why don't you all use the Qantas Authenticator facility?
 
I do now.
 
Qantas owns the carport and the boat yard and only puts up a fence in front secured with zip ties. The account owner isn't in a position to turn that fence into a 10-foot brick wall and install a security system.

I don't think zip ties are a fair analogy - it is not easy to break into a QFF account without obtaining a member's confidential information through other means, though I do concede that a BP barcode contains 2/3 of the necessary credentials (not including 2FA).

My choice of words "onus is on the member to secure their account" wasn't the best, obviously we cannot harden Qantas infrastructure and are limited by the restriction to a 4 digit PIN. Qantas should do better to modernise QFF account authentication, but I also think the account locking policy and 2FA implementation adequately mitigates the limitations of a 4 digit PIN.

To rephrase the point I was trying to make - the onus is on the member to ensure their QFF number, PIN and "other security information" (eg TOTP QR code) are kept secure by adequately ensuring their devices and/or password managers (if they use one) are not compromised.
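
As an added example (not from the thread, and not Qantas code) of the boarding-pass point made above: the 2D barcode on a boarding pass is an IATA BCBP string, and the parser below pulls the surname and, when the airline fills in the conditional section, the frequent flyer airline and number out of one. The field layout is as I recall IATA Resolution 792 (BCBP); the sample pass, with its passenger name, PNR, ticket serial and member number, is constructed here and is not a real boarding pass.

```python
"""Parse an IATA BCBP (Bar Coded Boarding Pass) string and list which loyalty
login factors it exposes.

Added example, not from the AFF thread or from Qantas. Field positions follow
the BCBP layout as I recall it from IATA Resolution 792; SAMPLE_BCBP is built
below from made-up values.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def _pad(value: str, width: int) -> str:
    """Left-justify a field to its fixed width, as BCBP requires."""
    if len(value) > width:
        raise ValueError(f"{value!r} longer than {width}")
    return value.ljust(width)


# --- constructed sample -------------------------------------------------------
# Conditional "unique" block: passenger description, check-in source, issuance
# source, date of issue, document type, issuing airline, baggage tag (blank).
_UNIQUE = "1" + "W" + "W" + "6225" + "B" + _pad("QF", 3) + _pad("", 13)
# Conditional "repeated" block: airline numeric code, ticket serial, selectee,
# international doc verification, marketing carrier, FF airline, FF number,
# ID/AD indicator, free baggage allowance.
_REPEATED = ("081" + "1234567890" + " " + " " + _pad("QF", 3)
             + _pad("QF", 3) + _pad("0123456789", 16) + " " + "20K")
_VARIABLE = (">5" + f"{len(_UNIQUE):02X}" + _UNIQUE
             + f"{len(_REPEATED):02X}" + _REPEATED)
SAMPLE_BCBP = (
    "M1" + _pad("CITIZEN/JANE", 20) + "E" + _pad("ABC123", 7)
    + "SYD" + "MEL" + _pad("QF", 3) + _pad("0401", 5) + "225" + "Y"
    + "012A" + _pad("0025", 5) + "1" + f"{len(_VARIABLE):02X}" + _VARIABLE
)


@dataclass
class BoardingPass:
    surname: str
    given_names: str
    pnr: str
    origin: str
    destination: str
    carrier: str
    flight: str
    seat: str
    ff_airline: Optional[str] = None
    ff_number: Optional[str] = None


def parse_bcbp(data: str) -> BoardingPass:
    """Decode the mandatory first leg and, if present, the frequent flyer fields."""
    if len(data) < 60 or data[0] != "M":
        raise ValueError("not a BCBP format-M barcode")
    surname, _, given = data[2:22].rstrip().partition("/")
    bp = BoardingPass(
        surname=surname,
        given_names=given,
        pnr=data[23:30].strip(),
        origin=data[30:33],
        destination=data[33:36],
        carrier=data[36:39].strip(),
        flight=data[39:44].strip(),
        seat=data[48:52].strip(),
    )
    # The mandatory items end at offset 60; bytes 58-59 give, in hex, the length
    # of the first leg's variable-size field.
    var = data[60:60 + int(data[58:60], 16)]
    if var.startswith(">"):
        # '>' version(1) unique_len(2 hex) unique... repeated_len(2 hex) repeated...
        pos = 4 + int(var[2:4], 16)
        if len(var) < pos + 2:
            return bp
        rep = var[pos + 2:pos + 2 + int(var[pos:pos + 2], 16)]
        # FF airline designator and FF number sit after 3+10+1+1+3 = 18 characters.
        if len(rep) >= 37:
            bp.ff_airline = rep[18:21].strip() or None
            bp.ff_number = rep[21:37].strip() or None
    return bp


def login_factors_exposed(bp: BoardingPass) -> Dict[str, bool]:
    """Which of the three pieces a PIN-based loyalty login needs are on the pass."""
    return {
        "surname": bool(bp.surname),
        "member_number": bp.ff_number is not None,
        "pin": False,  # never encoded in the barcode
    }


if __name__ == "__main__":
    bp = parse_bcbp(SAMPLE_BCBP)
    print(bp)
    print(login_factors_exposed(bp))
```

Run against the constructed pass, the parser returns surname CITIZEN, PNR ABC123 and frequent flyer number 0123456789 on QF, so a photo of the pass hands over two of the three login pieces and the PNR as well. Whether the frequent flyer fields are populated depends on the issuing airline's conditional section; a bare 60-character pass still carries the surname.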
 
To rephrase the point I was trying to make - the onus is on the member to ensure their QFF number, PIN and "other security information" (eg TOTP QR code) are kept secure by adequately ensuring their devices and/or password managers (if they use one) are not compromised.

For sure. But it's the same with banks. Yet an unauthorised transaction or fraud is covered by the bank, no questions. (And come to think of it, a QFFF may seem secure, but guessing a CC number, name and CCV or PIN is also pretty complex. I would have thought a QFFF account would be easier pickings?)
 
The pilot ran in 2017, and I opted in later that year when it was made generally available.

Did the implementation have problems? Yes. Was it still worth enabling? Yes.

The date it was mandated by Qantas is irrelevant given the onus is on the member to secure their account.
Yep, I do secure all my PINs. That is my responsibility. I don't have access to Qantas IT systems, and technically I cannot secure my account.
 
For sure. But it's the same with banks. Yet an unauthorised transaction or fraud is covered by the bank, no questions.

A bank is highly unlikely to cover a fraudulent transaction reported to them 20 months later. I think Qantas would be more helpful in this situation if the issue was reported in a timely manner.

And come to think of it, a QFFF may seem secure, but guessing a CC number, name and CCV or PIN is also pretty complex. I would have thought a QFFF account would be easier pickings?

The complexity of a QFF account - which now requires 2FA for every use, which a CC does not - is commensurate to the average value a malicious actor could obtain from a QFF account.

MOTO credit card transactions still only require a card number and expiry (which can be guessed with a 1/60 chance with the standard 5 year expiry limits of most banks). The addition of a CCV helps, but there is no OOB verification (on telephone orders) like 2FA which QFF has now implemented.

I don't have access to Qantas IT systems, and technically I cannot secure my account.

Have already addressed this in my previous post.
 
The OP seems to be pretty lax with his personal info, so I suspect some of the "blame" might be apportioned to him. Not that I agree with Qantas' apparent stance that they have no obligation to assist the OP with the points recovery.

From his post we now have his name, he mentions <redacted>
This is all public data before anyone accuses me of posting PII or breaking the forum rule:
  • Personal information and private discussions may not be posted unless it’s clear that all parties involved have consented.

There's other info you can find (e.g. D.O.B) if you know where to look, but I won't post that here.

I'm posting this to show how anyone with a small bit of knowledge can join the dots, and build a detailed profile, which greatly advantages them when trying to 'hack' in to your accounts. Also, any assumption that the 'hack' was online and involved a PIN may not always hold true. Myriad online videos illustrate how social engineering and profiling combined is still the most powerful hacking tool.
 
Why on Earth would you doxx someone, regardless of trying to make a point?
 
