QANTAS Cyber Incident

Exactly. The problem here is outsourcing not offshoring. Unfortunately, the scruples of many who outsource is to go offshore.
Don't think it's even that.
No reason a fully Australian based call centre where all the employees were Qantas employees may not be susceptible to similar tactics.

Databases are unfortunately necessary tools today, but present massive risks and every company needs to look at controls around downloads, exports and encryption of specific fields (eg. DOB and of course passwords)
 
Unfortunately it could happen to anyone anywhere. Obviously the Australian media isn’t reporting on the others, but the same group that breached Qantas also recently got into M&S, Harrods and Co-Op in the UK, then WestJet and Hawaiian Airlines, and several insurance companies in the US. They previously breached Visa, Ticketmaster, Louis Vuitton, Nike, T-Mobile, and Vodafone in the US.

I think there’s an assumption that in-house staff wouldn’t fall for the scams because they receive better training and just generally care about their jobs more, usually because they’re higher paid and higher skilled than the outsourced staff. I’m not sure how true that would be in reality.
 
I’ve been hit by the data leak. What’s not clear is how social engineering led to the leak of 6 million records. Social engineering can happen whether the operation is insourced or outsourced, all the attacker needs is a weak point. Somehow that weak point led to the release of 6 million records without setting off an alarm until it was too late. The likelihood here is a legacy system with out of date controls was accessed by the hapless worker who was compromised. This is an industry that grants access to your flight details with a six digit code and your surname. Details that are held without encryption in random emails, your local travel agent and any airline on your journey.

Cross airline interoperability is dependent on this level of pre 1990s security. Now think what it takes to get the industry of 100s of airlines to move as fast as the attackers after them.
 
Could easily happen here as well, pretend to be from the IT team, get them to install the Salesforce extension/app, share password/username and you are in...

You would also need the appropriate VPN/SASE to be able to use the system as well, and then having 2 users logged in at the same time.....

So many questions that will never get answered.
This is an area that many organisations do not adequately control. A couple of times when Bank systems have not returned account records via the desktop, I have tried the phone app. Once I was told by a bank that I had too many sessions open, and would not allow access via the phone until I closed the other desktop session, but at other times I have had two sessions open via separate devices.
I’ve been hit by the data leak. What’s not clear is how social engineering led to the leak of 6 million records. Social engineering can happen whether the operation is insourced or outsourced, all the attacker needs is a weak point. Somehow that weak point led to the release of 6 million records without setting off an alarm until it was too late. The likelihood here is a legacy system with out of date controls was accessed by the hapless worker who was compromised. This is an industry that grants access to your flight details with a six digit code and your surname. Details that are held without encryption in random emails, your local travel agent and any airline on your journey.

Cross airline interoperability is dependent on this level of pre 1990s security. Now think what it takes to get the industry of 100s of airlines to move as fast as the attackers after them.
You do wonder about extracting 6 million records, how much bandwidth is being used, and for how long. Again, what controls/flags are in place, or should I say, not in place.
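The two questions raised in this thread, what controls around downloads and exports should look like and why 6 million records could leave without a flag being raised, both come down to watching the volume of customer records each agent account touches over time. The following is an added example, not code from Qantas or from anyone in this thread: a small detector that reads an application audit log (the line format and the agent IDs are constructed for illustration) and alerts when one account's records read in a sliding ten-minute window exceed an assumed threshold, the kind of rule that would fire long before a bulk export finishes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not a real system's):
# <ISO timestamp> <agent id> <action> <number of customer records returned>
SAMPLE_LOG = """\
2025-06-30T09:00:01Z agent017 LOOKUP 1
2025-06-30T09:02:15Z agent017 LOOKUP 1
2025-06-30T09:03:40Z agent042 LOOKUP 1
2025-06-30T09:05:00Z agent042 EXPORT 200
2025-06-30T09:06:10Z agent042 EXPORT 200
2025-06-30T09:07:30Z agent042 EXPORT 200
2025-06-30T09:08:00Z agent017 LOOKUP 1
2025-06-30T09:40:00Z agent042 EXPORT 200
"""

# Assumed policy values: a call-centre agent serving customers one at a time
# has no business touching more than this many records in this window.
THRESHOLD_RECORDS = 500
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one audit-log line into (timestamp, agent, action, record_count)."""
    ts, agent, action, count = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), agent, action, int(count)


def detect_bulk_access(lines, threshold=THRESHOLD_RECORDS, window=WINDOW):
    """Return a list of (agent, timestamp, records_in_window) alerts.

    For each agent a deque holds the (timestamp, count) events inside the
    sliding window; entries older than `window` are evicted as new lines
    arrive. An agent is reported once, at the first line that pushes its
    in-window total over `threshold`, so a long export does not flood the
    alert queue with one alert per line.
    """
    history = defaultdict(deque)   # agent -> deque of (timestamp, count)
    totals = defaultdict(int)      # agent -> records inside current window
    alerted = set()
    alerts = []

    for line in lines:
        if not line.strip():
            continue
        ts, agent, _action, count = parse_line(line)

        events = history[agent]
        events.append((ts, count))
        totals[agent] += count

        # Evict events that have fallen out of the sliding window.
        while events and ts - events[0][0] > window:
            _old_ts, old_count = events.popleft()
            totals[agent] -= old_count

        if totals[agent] > threshold and agent not in alerted:
            alerts.append((agent, ts, totals[agent]))
            alerted.add(agent)

    return alerts


if __name__ == "__main__":
    for agent, ts, total in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts.isoformat()} {agent} read {total} records in {WINDOW}")
```

On the constructed log, agent017's one-record lookups never trip the rule, while agent042's third 200-record export at 09:07:30 takes its ten-minute total to 601 and raises a single alert; the later export at 09:40 lands in an empty window and stays under the threshold. The same counter is the natural place to enforce a hard cap (deny the query rather than just log it) and to require a second approver for any export larger than a few records.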
 
Great recommendations and they definitely should be followed. The one remaining challenge we have though, is that with very enriched data sets being available to hackers, they don't need your passwords anymore. They simply use their social engineering techniques to bypass this vector. eg.

Hi, my name is ABC, my FF is, I have forgotten lost phone which has all my passwords encrypted on it...... my DOB is, my address is, my email is, my phone is, my medicare number is, my drivers licence is, my passport number is, my street address is....... can you reset my password.....

While many staff will be well trained to stop this attack vector, since we are talking about millions of customers' data and 100's of thousands of call center staff, some will get through...... they just did get through this vector, with the Qantas centre in Manila!!! This is the new frontier.
So that gets you in to a Qantas FF account. Not sure what damage can be done there? Points will be refunded.

Your FF number, tier and meal preferences aren’t going to be useful bits of information to get banking details or into the ATO or super.

In terms of fabric… limited use?
 
So that gets you in to a Qantas FF account. Not sure what damage can be done there? Points will be refunded.

Your FF number, tier and meal preferences aren’t going to be useful bits of information to get banking details or into the ATO or super.

In terms of fabric… limited use?
DOB and email are used as factors of auth for other organisations with similar levels of safeguards. Your status will be used by scammers to prioritise attacks. The data is gold for attackers, especially where passwords have been re-used from other orgs that have been hacked.
 
Yes, and with access to your QF account (on top of stealing your points and canceling a year of award bookings - to extract those points), they have enriched their data even further…… they now know a bunch about what your other active accounts (banks, hotels) are (from your transaction history) and if you have undertaken family transfers they now know those FF account numbers and with what they have already stolen can start identifying spouse, children…. Mother’s maiden name etc.
So agree data is gold and you have a bunch in your FF account that is useful.
 
Pretty hard to get into your FF account with MFA. I use the Authenticator app option and that’s linked to a different email address.
 

I decided to reduce my risk as far as my QFF account is concerned, and make a few QFF reward bookings over the weekend. Even booking a CR+ international Y award as that was the only option in the date range needed. Probably not the greatest value for money, given that the flight was available with a "Sale" fare, but that also meant the CR+ was not much more expensive than CR rate.

But still a healthy balance remains. QFF 2-factor authentication was set up a few weeks ago - perhaps I knew what might be coming? Or just knew that QF's security processes were likely vulnerable.
 
To all you very knowledgeable people.. I just tested out logging into my QF account on a device I don’t use. It sent a 6 number code to my phone to use to authenticate it was me logging in. Plus QF sent an email telling me about this unusual log in.

Is this enough of a safe guard ?

It used to ask me to answer 3 questions… I haven’t seen that for a while.

Thanks for any help.
 
Pretty hard to get into your FF account with MFA. I use the Authenticator app option and that’s linked to a different email address.
Yep but somehow someone ran off with 6 million records without the need for your MFA. The attackers aren’t just after your FF account. The data will be sold and used to attack other accounts you have.
 
To all you very knowledgeable people.. I just tested out logging into my QF account on a device I don’t use. It sent a 6 number code to my phone to use to authenticate it was me logging in. Plus QF sent an email telling me about this unusual log in.

Is this enough of a safe guard ?

It used to ask me to answer 3 questions… I haven’t seen that for a while.

Thanks for any help.
It’s fine. The 3 questions are an old verification method, however they are considered too easy to compromise. You can’t change your DOB nor your mother’s maiden name. Make sure you have MFA on your mobile providers account.
 
Yep but somehow someone ran off with 6 million records without the need for your MFA.
Different systems and they didn’t get your PIN.
The attackers aren’t just after your FF account. The data will be sold and used to attack other accounts you have.
Yes, we know. That’s what people should be most vigilant about (as well as turning on 2FA on their FF account, if they hadn’t already!).
 
It used to ask me to answer 3 questions… I haven’t seen that for a while.
The systems that ask you to answer questions which you set up answers to when the account was created/system updated to ask them, are stupid. More so when those questions are a limited preset selection. The typical questions asked in these preset lists either don't have answers, or have answers that are easily sourced if you know anything about the target. ANZ rolling out this system is the reason I cancelled my credit account with them.
If the system allows you to create your own questions for the random question to log in, you can make questions which no one else could even understand much less even attempt to answer.
 
Oh I would love to be able to create my own questions. Make it much easier

On a side note checked my credit score and randomly back on May I was 1000 , sadly back down to 959 for all the other months
 
