Qantas website. How secure is it?

Beesem (Newbie, joined Jan 23, 2015, 2 posts)
Hi all, this is my first post here so forgive me if this has been mentioned before.

It's always struck me that the log-on/security approach that Qantas uses for its frequent flyer website is, how shall I put it?, quaint!

They want three bits of information, a name, a member number, and a 4 digit PIN. It was always that 4 digit pin that worried me. Just 4 digits? Most passwords to be secure need 12 or so randomised characters, and Qantas is still running with a 4 digit, numbers only, PIN? I figured though that the additional combination of name and member number made it harder to crack.

But reading the article entitled "Password Re-use Fuels Starwood Fraud Spike" at the KrebsonSecurity website (You'll need to Google it because I can't post the link here being a newbie), has made me realise how insecure the Qantas site is.

The article refers to a US based, loyalty rewards website called Starwood Preferred Guest, that has had many user accounts compromised and the users' points syphoned off, and sold on the black market.

The mass compromise of Starwood accounts began in earnest less than a week ago. That roughly coincides with a Starwoods-specific account-checking tool that was released for free on Leakforums[dot]org, an English-language forum dedicated to helping (mostly low-skilled) misfits monetize compromised credentials from various online services, particularly e-retailers, cloud-based services and points or rewards accounts.

According to a tutorial posted on the forum, hijacked account buyers “cash out” their purchases by creating new Starwood accounts and then forcing the hijacked account to transfer its account balance to the new account. The reward points are then exchanged for gift cards that can be used as cash.

Not sure how easy it would be for crooks to take advantage of a compromised Qantas user account, but reading about how those crooks attacked the Starwood accounts, I reckon it must be a doddle for them to attack Qantas website with its ridiculous 4 digit PIN.

Any half smart cyber crook only needs to get hold of member numbers and names from somewhere and a simple brute force attack will open up user accounts in seconds.

I reckon Qantas better get their act together on this one pronto before people start seeing their points disappear before their eyes.

Anyone else see this as a risk?
 
3 wrong PIN attempts and you are locked out I think with a forced reset of PIN using other personal data to verify. Someone else might need to confirm my facts though.
 
Starwood uses email and password, perhaps the least secure of any authentication method (in terms of people using the same email/pass for *everything*, with insecure easy-to-remember passwords).

They do also allow account number/password logins, but you can have both.

Qantas are using three factor, which is better, but not by much. People tend to know your last name, and a 4 digit pin is not overly secure. I guess the thing they have going for them is not many websites do a 4 digit pin, so you're not going to be spreading that around much, and as Mr_Orange says, 3 wrong attempts and your account is locked out.

I change my Qantas PIN regularly. I consider points like cash (although not much these days thanks to fuel surcharges), so protect them.
 
ATM card PINs are a minimum of 4 digits.

I'd value my actual cash more than my FF history tbh.
 
Why single out one airline when a lot of other FFP logins are similar.

Yes there are cases from time to time but you don't hear about it a lot on here do you?
 
In terms of cashing out to 'steal' points, a lot of info needs to be given to actually benefit. i.e., how can you use points you stole without getting caught? Only thing I can think of is cashing in for digital gift cards used at a self check out, even then you'd be caught on camera. Or delivery of something physical to a false address.

And if your account was hacked would Qantas refund?
 
IHG use pin, and so does Hilton if you take that option.
 
The issue is not really with a pin so much as the number of attempts allowed. Hilton never had a lockout so it was possible to brute force every account's pin. This resulted in a mass hacking of HH and the introduction of the new captcha process.

Similarly with banks, you can't easily brute force a pin and card because you'll need a physical card, and their systems would notice multiple failed attempts.

QF have a 3 attempt system as mentioned above, leaving it relatively secure, for an online pin.
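
The point made in this post and in the original post (a 4-digit PIN is only 10,000 guesses; what saves it online is the attempt limit) can be tried out in a toy model. The block below is an added example written for this page, not code from Qantas, Hilton or Starwood; it assumes a three-strike per-account lockout, PBKDF2 PIN storage with a deliberately low iteration count, an assumed list of "popular" PINs, and a population of entirely constructed member numbers, surnames and PINs. It runs the same 10,000-PIN sweep against one account with and without the lockout, then the attack the lockout does not stop: the same two popular PINs tried once each against every member, which never trips the limit.

```python
"""Toy model of a member-number + surname + 4-digit-PIN login, with and without
a per-account lockout, and the attacks discussed in this thread. Added example,
not code from any airline or hotel programme; all account data is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PIN_SPACE = 10_000       # four numeric digits, 0000-9999
MAX_ATTEMPTS = 3         # lockout threshold the thread describes (assumed here)
PBKDF2_ITERATIONS = 100  # deliberately low so a full brute force runs in ~1 s
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "2000"]  # assumed popular PINs

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    surname: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False

class LoginService:
    """Three-field login; `lockout` toggles the per-account attempt limit."""
    def __init__(self, lockout: bool):
        self.lockout = lockout
        self.accounts = {}

    def register(self, member_no: str, surname: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[member_no] = Account(surname, salt, hash_pin(pin, salt))

    def login(self, member_no: str, surname: str, pin: str) -> str:
        acct = self.accounts.get(member_no)
        # Same answer for unknown number and wrong surname: nothing to enumerate.
        if acct is None or acct.surname.lower() != surname.lower():
            return "fail"
        if self.lockout and acct.locked:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout and acct.failures >= MAX_ATTEMPTS:
            acct.locked = True
        return "fail"

def vertical_bruteforce(svc, member_no, surname):
    """Every PIN against one account. Returns (pin or None, PINs actually tested)."""
    for n in range(PIN_SPACE):
        result = svc.login(member_no, surname, f"{n:04d}")
        if result == "ok":
            return f"{n:04d}", n + 1
        if result == "locked":  # the lockout answered, so this guess was not tested
            return None, n
    return None, PIN_SPACE

def spray(svc, victims, pins):
    """Same few PINs against every (member_no, surname), one guess under the lockout."""
    budget = pins[:MAX_ATTEMPTS - 1] if svc.lockout else pins
    return [m for m, s in victims if any(svc.login(m, s, p) == "ok" for p in budget)]

def lock_out(svc, member_no, surname) -> bool:
    """Flip side of a lockout: MAX_ATTEMPTS deliberate failures deny the owner access."""
    for n in range(MAX_ATTEMPTS):
        svc.login(member_no, surname, f"{n:04d}")  # wrong unless the PIN is 0000-0002
    return svc.login(member_no, surname, "0000") == "locked"

def build_population(n: int):
    """Constructed accounts: every tenth member uses a COMMON_PINS entry, the rest
    are spread over the keyspace. Returns (member_no, surname, pin) tuples."""
    surnames = ["SMITH", "NGUYEN", "WILLIAMS", "BROWN", "JONES"]
    return [(f"1900{i:06d}", surnames[i % 5],
             COMMON_PINS[(i // 10) % len(COMMON_PINS)] if i % 10 == 0
             else f"{(i * 7919) % PIN_SPACE:04d}") for i in range(n)]

def fresh_service(people, lockout: bool) -> LoginService:
    svc = LoginService(lockout)
    for member_no, surname, pin in people:
        svc.register(member_no, surname, pin)
    return svc

def demo(n_accounts: int = 200) -> dict:
    people = build_population(n_accounts)
    victims = [(m, s) for m, s, _ in people]
    target_no, target_name, _ = people[1]  # constructed PIN "7919"
    out = {}
    for lockout in (False, True):
        pin, tested = vertical_bruteforce(fresh_service(people, lockout), target_no, target_name)
        svc = fresh_service(people, lockout)
        hits = spray(svc, victims, COMMON_PINS)
        out["lockout" if lockout else "no_lockout"] = {
            "vertical_pin": pin, "pins_tested": tested, "spray_hits": len(hits),
            "accounts_locked": sum(a.locked for a in svc.accounts.values())}
    out["lockout_as_dos"] = lock_out(fresh_service(people, True), target_no, target_name)
    return out

if __name__ == "__main__":
    print(demo())
```

Running demo() on the constructed population gives the three results the thread argues about: without a lockout the sweep recovers the target's PIN after a few thousand requests; with the three-strike lockout the sweep tests only three PINs before the account locks; but spraying two popular PINs across every member still compromises every account that uses one of them while locking nobody out, and the same three wrong guesses let anyone who knows a name and member number lock the rightful owner out. The lockout should therefore be paired with rate limiting per source and per PIN value, not relied on alone.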
 
Never leave your boarding pass or your baggage receipt in the seat pocket and shred them at home.
 
At least the QF site now uses SSL.

Few years back Qantas.com users would transmit their login details (PIN and all) openly while logging in... Anyone could, for example, sit in a terminal with free wifi and hoover-up credentials.
 
There are several threads on AFF about stolen QFF points. AFAIK all points have been reinstated.
 
Let's be honest, every website is hackable.

Just remember same basics to follow

1. Different passwords for every site
2. Include letters, numbers, characters, uppercase and 8 characters minimum
3. Change your password on a regular basis
 
I only single out Qantas because that's the one I use, and when I logged in last I was struck by the apparent weakness of their security.

I suppose that a lockout after three attempts makes it more secure, but even so, my corporate login has a three strike lockout, and it requires a much more secure password than a 4 digit PIN.

I reckon that we'll be reading about compromised Qantas accounts before too long. Not much I can do though. It's not as though I can transfer my points to the bank for safe keeping.
 