Hi all, this is my first post here so forgive me if this has been mentioned before.
It's always struck me that the log-on/security approach that Qantas uses for its frequent flyer website is, how shall I put it, quaint!
They want three bits of information: a name, a member number, and a 4-digit PIN. It was always that 4-digit PIN that worried me. Just 4 digits? Most passwords, to be secure, need 12 or so randomised characters, and Qantas is still running with a 4-digit, numbers-only PIN? I figured though that the additional combination of name and member number made it harder to crack.
But reading the article entitled "Password Re-use Fuels Starwood Fraud Spike" at the KrebsonSecurity website (you'll need to Google it because I can't post the link here, being a newbie) has made me realise how insecure the Qantas site is.
The article refers to a US based, loyalty rewards website called Starwood Preferred Guest, that has had many user accounts compromised and the users' points syphoned off, and sold on the black market.
The mass compromise of Starwood accounts began in earnest less than a week ago. That roughly coincides with a Starwood-specific account-checking tool that was released for free on Leakforums[dot]org, an English-language forum dedicated to helping (mostly low-skilled) misfits monetize compromised credentials from various online services, particularly e-retailers, cloud-based services and points or rewards accounts.
According to a tutorial posted on the forum, hijacked account buyers “cash out” their purchases by creating new Starwood accounts and then forcing the hijacked account to transfer its account balance to the new account. The reward points are then exchanged for gift cards that can be used as cash.
Not sure how easy it would be for crooks to take advantage of a compromised Qantas user account, but reading about how those crooks attacked the Starwood accounts, I reckon it must be a doddle for them to attack the Qantas website with its ridiculous 4-digit PIN.
Any half smart cyber crook only needs to get hold of member numbers and names from somewhere and a simple brute force attack will open up user accounts in seconds.
I reckon Qantas better get their act together on this one pronto before people start seeing their points disappear before their eyes.
Anyone else see this as a risk?
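An added example to put numbers on the risk the post describes (this is illustrative code, not anything from the post or from Qantas's actual login system). It assumes a made-up policy of five consecutive failures followed by a 15-minute lockout, a constructed member number and PIN, and stores the PIN as a salted PBKDF2 hash. The point it shows: a 4-digit PIN has only 10,000 possibilities, so without server-side throttling an online guesser needs about 5,000 tries on average; with a five-attempt lockout the same guesser gets a 0.05% chance per lockout window, and the service stops doing any work for the account once it is locked.

```python
"""Added example (not from the forum post or from Qantas): a login handler for a
4-digit PIN showing why a short PIN only survives when the server throttles guesses.
Policy values, member number and PIN below are all constructed for this example."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_SPACE = 10 ** 4          # four decimal digits, as described in the post
MAX_ATTEMPTS = 5             # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumed policy: 15-minute lockout


class ManualClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Account:
    member_number: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash: an attacker who steals the database still pays per guess.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class LoginService:
    def __init__(self, now=time.monotonic, max_attempts=MAX_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS):
        self.now = now
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.accounts: dict[str, Account] = {}

    def create_account(self, member_number: str, pin: str) -> None:
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be exactly four digits")
        salt = secrets.token_bytes(16)
        self.accounts[member_number] = Account(member_number, salt, hash_pin(pin, salt))

    def login(self, member_number: str, pin: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. The lock is checked *before* the PIN is
        verified, so a locked account costs the server nothing per further guess."""
        acct = self.accounts.get(member_number)
        if acct is None:
            hash_pin(pin, b"\0" * 16)   # burn the same time as a real check
            return "denied"             # same answer as a wrong PIN: don't leak member numbers
        now = self.now()
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.max_attempts:
            acct.locked_until = now + self.lockout_seconds
            acct.failed_attempts = 0
        return "denied"


def expected_guesses_unthrottled(pin_space=PIN_SPACE) -> float:
    """Average guesses needed to hit a uniformly random PIN when nothing stops you."""
    return (pin_space + 1) / 2


def online_guess_success_probability(attempts_allowed=MAX_ATTEMPTS, pin_space=PIN_SPACE) -> float:
    """Chance that a guesser limited to `attempts_allowed` tries hits a random PIN."""
    return min(attempts_allowed, pin_space) / pin_space


def attempts_evaluated_before_lockout(service: LoginService, member_number: str) -> int:
    """Defender-side check of the throttle: sends sequential wrong-looking guesses and
    reports how many the service actually verified before it started refusing them."""
    evaluated = 0
    for guess in range(PIN_SPACE):
        result = service.login(member_number, f"{guess:04d}")
        if result == "locked":
            return evaluated
        evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    clock = ManualClock()
    svc = LoginService(now=clock.now)
    svc.create_account("1234567", "7391")   # constructed sample account
    print("unthrottled expected guesses:", expected_guesses_unthrottled())
    print("guesses verified before lockout:", attempts_evaluated_before_lockout(svc, "1234567"))
    print("success chance per lockout window:", online_guess_success_probability())
```

The lockout-before-hash ordering is the part worth copying: it bounds both the guesser's odds and the CPU the server spends on a locked account. A real deployment would also throttle by source address and alert on bursts of lockouts across many member numbers, since the post's scenario is exactly an attacker holding a list of names and member numbers rather than attacking one account.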