QFF Points Theft

[yo yo ma]

relative has only basic computer skills

I have twice seen people who remain logged on after they exit the computers in the QC. The person may have forgotton to log off somewhere and an opportunistic thief has taken the points?

 

[JohnK]

They certainly do. See my previous explanation regarding my parent's accounts. My mother was provided, over the phone, with both her and Dad's PINs for their accounts.

That is not good. I thought they needed the PIN to access/make changes to my account not as a form of security where it is visible for all to see. And if they use Impact360 software then it is possible for anyone to follow conversation and have access to PIN.

I cant say my relatives are overly happy with how this has been handled. I guess they will now wait and see what happens post police report.

I don't know the whole story and I am not saying that this is the best resolution either but at least they will get their points back.

 

[albatross710]

It does make sense for the police report. For Qantas it removes them from having to investigate the family situation which may/may not exist between the two parties.

The police might also have other intel on the activities of the people involved.

The police can have Qantas disclose whom is involved, which tickets were purchased, whom ultimately traveled, which credit card was used, which bpay was used etc. While a few of the identities will be falsified along the way, there will be some leads.

Probably it will take a few of these to mount up to justify an investigation.

 

[Mal]

Using the "I don't have access to email" reset PIN link, I am requested for three of the following:

MANDATORY (One required)
Mother's Maiden Name
Details of one of my last 5 earning flights.

Additional (One or Two required depending how the Mandatory section was filled in).
Month of Joining
Date of Birth.
Mailing Address (Line 1)

This is moderately secure, but not foolproof. Someone with a Qantas statement stolen from your mailbox would have 2 pieces of information (Mailing address, one flight), and a 3rd should be easy to work out (date of joining - Use the expiry date and have a reference of correlation of membership numbers to years they were assigned). If someone is famous and their DOB is found on the web - pretty simple as well. Likewise if you find a wallet with a D/L and a QF Card and a BP.

There are a few things QF should do ASAP.
- Munge FF numbers on Boarding passes - for example QFF Plat OWE 94***34 should be used on boarding passes instead of 94888634 for the FF number. This does cause some issues with other systems though (for example the ability for a staffer to manually type in the FF number, or scan the Boarding pass).
- Change the challenge questions to something more secure. Qantas has limited options here, but there are other places where points are earned that can be used.
- Consider implementing a SMS challenge password sent to the mobile phone registered in the account for flight alerts.

But it all depends on cost to implement vs perception of risk and actual cost from fraud...

Anyone going to start collecting boarding passes at the airport?

 

[cove]

Never leave your boarding pass in the seat pocket. The pin is only 4 digits.