FF Account just hacked and almost 300,000 points taken

Status
Not open for further replies.
The police told me that it is up to Qantas to investigate, not them... I am still at a loss as to why Qantas don't keep records of the email address vouchers are sent to and/or voucher numbers issued to stop the transaction at the store or online purchase...

From memory any changes to a QFF account generate an email sent to the email address on the QFF account.

How was someone able to change the email address on your QFF account without you knowing? And if the email address on your QFF account hasn't changed how was someone able to order from the store and have the confirmation email go to a different email?
 

I don't agree with that. What has happened is still a theft. That's like saying it's up to Myers to investigate if someone shoplifts from their store. I know credit cards get police involved with fraud - that happened to one of my cards. Ask to speak with a more senior officer.

I too thought they would take it further... where to from here? Though I have to say the QFF Centre said a Stat Dec would do and there was no need for a police report. They would investigate from there. Confusing? T
 
Do they have a value? If you PM me your QFF account details, I will let you know. :D

I have been reliably told by the AFF experts my points do not have a value.

I would hate for you to waste your time helping me out.
 
I too thought they would take it further... where to from here? Though I have to say the QFF Centre said a Stat Dec would do and there was no need for a police report. They would investigate from there. Confusing? T

That sounds promising!
 
I wonder if FF points are covered in some kinds of Insurance policies?

I just hope Qantas takes this seriously. It's quite a breach of security. Someone could book flights for all sorts of nefarious reasons using someone else's account and credit card.
 
I would also ask have you recently received an email from Qantas where you have clicked on a link to enter your FF details.

These 'phishing' style emails are the more common way to hack an account, as they are specifically targeting a firm/bank.
Using a keylogger is much harder for the bad guys.
 
I actually had the same thing happen to me late last year, had 67000 points spent on David Jones gift vouchers. I called Qantas as soon as I realized, and the operator said someone else had reported this that day also. The email address was changed, coincidentally to the same email as the other victim. They mentioned it may have been related to my bigpond.com email address, as the other victim had this also (or could just be a coincidence)
I submitted a stat dec stating that I did not spend the points, and within 2 or 3 days the points were back in my account. I also changed the email address for the account and my password. Good luck to the OP, I hope Qantas is as quick with their remedy as they were for me, and that further security gets added to prevent further fraud.
 
Makes you wonder if QF should insert another security step into the process......maybe a text like internet banking?

NO NO NO NO NO NO NO

I resent that text so much!

With QF a 4 digit password is not super secure, but you do only get 3 attempts
 
I don't agree with that. What has happened is still a theft. That's like saying it's up to Myers to investigate if someone shoplifts from their store. I know credit cards get police involved with fraud - that happened to one of my cards. Ask to speak with a more senior officer.

Yes, but to whom do the points belong - is it Qantas, or the flyer? My understanding (correct me if wrong!) is that the points remain property of QFF.

Also, to me it would appear that the fraud was perpetrated against Qantas, hence Qantas is in the best place to identify things like times, IP addresses etc and pass along to the relevant investigation unit, if resources are devoted to this.

I do hope that Q' reimburse the member the allocated points.

Also doesn't the history log/activity statement show a PIN change? I was under the impression it did, so if it doesn't (and may not - because the member concerned managed to log into her account today, which to me would indicate the PIN remained the same). So either the PIN was relatively easy (sequential numbers, part of the QFF #, or a DOB), it was bruteforced or the offender had managed to obtain it somehow.
 
Yes, but to whom do the points belong - is it Qantas, or the flyer? My understanding (correct me if wrong!) is that the points remain property of QFF.

Also, to me it would appear that the fraud was perpetrated against Qantas, hence Qantas is in the best place to identify things like times, IP addresses etc and pass along to the relevant investigation unit, if resources are devoted to this.

But the terms and conditions say the member is responsible for any misuse of the card or loss of points until such time as the member notifies Qantas. How that actually could work (given the member is unlikely to know there has been a problem until after it has occurred) I don't know...
 
I had a friend who went through a divorce and didn't check his account for almost 3 yrs (when the 3 yr exp was around). He found that his wife had transferred 100k per year. He called Qantas and they said bad luck.
I know as I was helping him on the call. Why they couldn't just un-transfer the transfer I have no idea. He was prepared to do a stat dec.
No dice.
Once someone has the PIN it's fair game.
 
I had a friend who went through a divorce and didn't check his account for almost 3 yrs (when the 3 yr exp was around). He found that his wife had transferred 100k per year. He called Qantas and they said bad luck.
I know as I was helping him on the call. Why they couldn't just un-transfer the transfer I have no idea. He was prepared to do a stat dec.
No dice.
Once someone has the PIN it's fair game.

I think it perfectly reasonable Qantas didn't refund the points. Clearly he had given access to his ex wife at some stage.
 
It's disturbing how points have been stolen from you.

It's even more disturbing how you seem to have received "there is nothing we can do" type responses from both QF and the QF store. It looks like everything has been done as quickly as possible, including notifying QF as soon as you became aware of the theft (which would seem at most seven hours after the theft actually occurred).

It would be interesting to hear from Red Roo as to what QF's standard procedure is regarding theft/fraud and what they expect the members to do if we find that our accounts have been stolen from.
 
It's disturbing how points have been stolen from you.

It's even more disturbing how you seem to have received "there is nothing we can do" type responses from both QF and the QF store. It looks like everything has been done as quickly as possible, including notifying QF as soon as you became aware of the theft (which would seem at most seven hours after the theft actually occurred).

It would be interesting to hear from Red Roo as to what QF's standard procedure is regarding theft/fraud and what they expect the members to do if we find that our accounts have been stolen from.

To be fair it would seem that QF expect a signed stat dec before they will act on this type of situation. To me this doesn't suggest that QF are wiping their hands of the situation.
 
To be fair it would seem that QF expect a signed stat dec before they will act on this type of situation. To me this doesn't suggest that QF are wiping their hands of the situation.

True. It's too early to praise or condemn QF as they haven't had a proper chance to fix things yet. The response from QF and the QF store posted here just don't seem particularly helpful from the perspective of a third party (me). Everything might work out well in the end.

I've never had to deal with fraud from a FF programme, or something like a bank account before. Simply presumed that if there is a transaction reported as fraudulent, some sort of hold would be placed until the required paperwork is received, but that might be expecting too much from a FF programme. Of course, banks are (and should be) more proactive about such out of character transactions but no matter what T&Cs say, QFF points have a value as they can be exchanged for goods and services, even if a specific exchange rate in $ can't be determined, and therefore some policy regarding theft of QFF points is appropriate.

Still interested to know what a member should do when faced with a fraudulent transaction, though. All the QFF T&Cs seem to say is that the member is responsible for any fraudulent activities until QF is notified.
 

I think it perfectly reasonable Qantas didn't refund the points. Clearly he had given access to his ex wife at some stage.

Agree.

Even if the ex somehow maliciously accessed the account (e.g. "hacked" in the same way as our OP), the victim may have a hard time proving what happened and bringing an action (and points back) after only realising it 6-36 months after the act.


As for QFF points having value, irrespective of the T&C and whether you can call this theft of something tangible or otherwise, the main thing here is that there is at minimum a potential theft of confidential (private) information, and a potential for fraud. Whilst you can't use your identity alone to get free flights, the compromise of someone's details by malicious access is likely the larger problem at hand here.
 
True. It's too early to praise or condemn QF as they haven't had a proper chance to fix things yet. The response from QF and the QF store posted here just don't seem particularly helpful from the perspective of a third party (me). Everything might work out well in the end.

I've never had to deal with fraud from a FF programme, or something like a bank account before. Simply presumed that if there is a transaction reported as fraudulent, some sort of hold would be placed until the required paperwork is received, but that might be expecting too much from a FF programme. Of course, banks are (and should be) more proactive about such out of character transactions but no matter what T&Cs say, QFF points have a value as they can be exchanged for goods and services, even if a specific exchange rate in $ can't be determined, and therefore some policy regarding theft of QFF points is appropriate.

Still interested to know what a member should do when faced with a fraudulent transaction, though. All the QFF T&Cs seem to say is that the member is responsible for any fraudulent activities until QF is notified.

The terms and conditions say this:

6.5 In the event of loss, theft or unauthorised use of your Card or unauthorised use of your Membership number or PIN, it is your responsibility to advise Qantas as soon as possible. The Member is liable for all use of the Card, PIN or Membership number until Qantas is notified of the loss, theft or unauthorised use.

The member must notify Qantas to escape subsequent liability from the time of notification. There is no requirement for that notification to be in the form of a stat dec. So the OP calling QF would be enough for QF to instigate security measures on the account it thinks appropriate.

However for the investigation, QF wants a stat dec. I suppose that is for evidence and notification to the relevant authorities in the event the perpetrator is found.
 
Sorry Noreen to read that you are the victim of a points hack. Hope it all ends well for you.

I must thank you for reporting here and making us all aware of what can happen and to keep an eye on our QFF accounts.

At least the next time a provider asks me all those annoying security questions I won't be so annoyed.
 
To the OP: Hopefully QF and police can assist you here.

Family member of mine had their account hacked and had 100,000 points pulled out and transferred without consent (ie. someone was stupid enough to transfer them to their account!).

QF took it very seriously. They weren't able to give details to my family member but I believe they were trying to hint that the person who made the transfer was known to Qantas beyond just a FF account.

Best of luck but I'd expect QF to take it very seriously. Fwiw my family member got their points back.
 