QFF Fraudulent activity

[Guvner]

You clearly don't know what doxing is then. The thread is about fraudulent activity. My point is valid. Have great day sir.

 

[serfty]

Why on Earth would you doxx_ someone, regardless of trying to make a point?

The point was made - content has been removed.

 

[Seat0B]

Why don’t you all use the Qantas Authenticator facility?

what is that please?

 

[VPS]

what is that please?

Instead of getting a text you are able to answer some questions. It's an option when you log in

 

[TheRealTMA]

what is that please?

You use an Authenticator App on iPhone, iPad ( or android devices) or desktop to provide a one time code, valid for a short time to authorise your login. See the post above and read the Qantas article on how to do it.

Many systems use this now as it provides a more secure method of accessing a site.

 

[Seat0B]

You use an Authenticator App on iPhone, iPad ( or android devices) or desktop to provide a one time code, valid for a short time to authorise your login. See the post above and read the Qantas article on how to do it.

Many systems use this now as it provides a more secure method of accessing a site.

Sorry and thanks I know what an authenticator is as a general concept - my banks all have different ones and the ATO too. I took from your post that there is a Qantas specific one? If not, do you have any suggestions for a general one I could use that would handle Qantas? thanks again

Post automatically merged: Aug 11, 2021

Instead of getting a text you are able to answer some questions. It's an option when you log in

Yes I have set security questions as that is easier for me when overseas (ha, that's an old concept now!) than getting a text as I usually get a local SIM card.

 

[TheRealTMA]

Sorry and thanks I know what an authenticator is as a general concept - my banks all have different ones and the ATO too. I took from your post that there is a Qantas specific one? If not, do you have any suggestions for a general one I could use that would handle Qantas? thanks again

Use the Microsoft Authenticator. Works.

 

[Seat0B]

Use the Microsoft Authenticator. Works.

Thanks.

 

[RichardMEL]

Going back to an earlier thing..

first of all QFF is not a bank. They don't claim to be. Yes QFF points are a currency, but they're a private company and not held to the same banking regulations so comparisions are of limited value imo. Not that the points raised aren't valid - they are in my view - it's just a bit of apples and oranges.

CC#'s have standard algorithms for generation that are well known (and probably can be googled in 30 seconds - not that I care to try). The malcontents have millions of numbers on the dark web and as noted above one does not need a name with them and you can brute force an expiry date within a 3-4 year period (though I think Amex may be 5) and hit on it eventually - you're certainly looking at under 60 combinations which is far less than 9999 for a QFF PIN. I've made a number of purchases online and NOT been asked for CVV (in fact ironically QF may even not require it as an irony!) so again that's two items of information potentially needed for CC fraud.

My old school QFF# has 6 digits and now I think they have 10 or a 11? that's still a fair number to crack through (if one picks up a BP and doesn't decode the barcode - do those still contain the QFF# now that it's not physically on the BP? I have no idea)

I do absolutely agree QF needs to at the VERY least make the PIN longer - 6-8 digits or just make it a password/passphrase like most others have moved to long ago. There must be some sort of limitation stopping this or it would have been done long ago no doubt (not an excuse, just me wondering). I certainly never leave a BP lying around anyway - but I do know many do - I'd find one left by a previous occupant at my seat from time to time and always stickybeak usually they have no status IIRC.

just some random thoughts on that aspect of the discussion.

 

[Vic]

I certainly never leave a BP lying around anyway - but I do know many do - I'd find one left by a previous occupant at my seat from time to time and always stickybeak usually they have no status IIRC.

just some random thoughts on that aspect of the discussion.

A family member brought a second hand novel the other day. It had a BP in it. So yeah, some people aren't that secure with personal info.

The family member asked if I know the person?

 

[CaptJCool]

Go

My old school QFF# has 6 digits and now I think they have 10 or a 11? that's still a fair number to crack through

I do absolutely agree QF needs to at the VERY least make the PIN longer - 6-8 digits or just make it a password/passphrase like most others have moved to long ago. There must be some sort of limitation stopping this or it would have been done long ago no doubt (not an excuse, just me wondering).

this question depends on the original field lengths & field type & data type ( integer, text, numeric etc) inside the “data file” Were determined & the conditions placed upon them. Been through this problem in a previous employment and it’s not a straightforward fix. So expanding any field length or changing data structure or type comes with other consequences that probably create serious headaches for the back room IT Crowd. Think of it as trying to replace the plane engine while in flight or replacing the boat hull while on the high seas. Definitely not for the faint-hearted.

so I suspect the easier solution option was 2FA - adds a layer to the verification business process without unsettling the existing data structures

my 99 cents worth

 

[33kft]

so I suspect the easier solution option was 2FA - adds a layer to the verification business process without unsettling the existing data structures

It seems counter intuitive in some ways but is entirely valid. Requiring a longer single factor (something you know) vs a second factor (something you have... eg. your phone) the second factor is hands down more effective for a security control.

It's much harder to know a 4 digit pin and have my phone (or phone number, in essence) than to know a 10 digit pin only, especially if you happen to know it through lax security on my part, which no number of digits can protect from

Consider also that factors are distinct, hence why requiring 3 details you know (FF ID, Surname, PIN) are not 3FA. 2 are obtainable fairly easily, 1 is entirely private, but only SMS/email actually provides a second distinct factor. Hence the low value in the PIN being increased.