FF Account just hacked and almost 300,000 points taken

Status
Not open for further replies.
Companies have a lot to answer for. How many times does one ring Qantas or some other company from an open plan office/mobile phone in public and they ask you to say your pin code out loud.

Another one is the stupid identification questions sometimes asked. Again, anyone in my office could impersonate me. Quite often the information they ask would be readily available if you found someone's lost wallet.
 
Companies have a lot to answer for. How many times does one ring Qantas or some other company from an open plan office/mobile phone in public and they ask you to say your pin code out loud.

Another one is the stupid identification questions sometimes asked. Again, anyone in my office could impersonate me. Quite often the information they ask would be readily available if you found someone's lost wallet.
IMHO, banks are the worst offenders. They call you, ask you to verify all your personal details (without you being able to verify who is calling) and when you challenge them on the phone about this, they simply say 'oh but I'm from the bank!'.

My favourite is "is this Mr Drewbles?" I answer 'yes' and then get "I'm calling about your master card number xx_xx_ with current credit limit $yyyy". I cut them off asking how they can just pass my information out to anyone on the phone and their standard response is "oh but you said you were Mr Drewbles! That's all the ID we need". If you say to them it could have been anyone answering my phone proclaiming to be me, they say "oh but that would be fraud sir!". F'ing useless. Same thing goes if you complain and they tell you to call back on a number you've not heard, and they get narky when you say you'll only call back on a number listed on your card or statement.

I'm glad you got your points back Noreen. Great to see common sense (and some paperwork) prevailed.
 
I've been thinking for a long, long time now that Qantas needs to upgrade its security system in terms of the 4 digit (number) pin.

Nowadays, from my experience at least, you usually have to have a pin with 8 digits including at least one number and it doesn't include part of your name.

Q I think you should look at this.


EH
 
IMHO, banks are the worst offenders. They call you, ask you to verify all your personal details (without you being able to verify who is calling) and when you challenge them on the phone about this, they simply say 'oh but I'm from the bank!'.

My favourite is "is this Mr Drewbles?" I answer 'yes' and then get "I'm calling about your master card number xx_xx_ with current credit limit $yyyy". I cut them off asking how they can just pass my information out to anyone on the phone and their standard response is "oh but you said you were Mr Drewbles! That's all the ID we need". If you say to them it could have been anyone answering my phone proclaiming to be me, they say "oh but that would be fraud sir!". F'ing useless. Same thing goes if you complain and they tell you to call back on a number you've not heard, and they get narky when you say you'll only call back on a number listed on your card or statement.

I'm glad you got your points back Noreen. Great to see common sense (and some paperwork) prevailed.

I have never had a bank call me (unless I have left a message requesting them to do so). There's no way I'd accept a cold call (anyone could take a copy of your CC statement, call you and tell you the number and credit limit, and ask for personal questions for verification which they would then use).
 
I've had a bank call me. It was for my 28 degree MasterCard to tell me it had been cancelled because they recorded fraudulent activity the night before. That was fine, only problem was I was in the QP waiting for our international flight and that card I had used to pre load cash and used to book all our accommodation. Immediate panic and so much for enjoying pre trip ambience in the QP.
 
I have never had a bank call me (unless I have left a message requesting them to do so). There's no way I'd accept a cold call (anyone could take a copy of your CC statement, call you and tell you the number and credit limit, and ask for personal questions for verification which they would then use).

I have - many times, esp from Citibank, EDR and Westpac.

Their approach is all the same: we're from the bank, please ID yourself.

I always refuse and always point out to them that to me they could as well be calling from Nigeria.

They would never ever give you an extension to call back either "just call us on 13 xx xx".

The managers must have rocks in their head expecting people to cough up ID replies to some stranger on the phone.

The problem with QFF PIN is that there is - currently - no other option to choose from.

No PIN = no MASA

No PIN = no account enquiry

As far as I am concerned, clause 6.5 would be invalid as there are at least two parties aware of the PIN: me and QFF CSRs.

".. 6.5 In the event of loss, theft or unauthorised use of your Card or unauthorised use of your Membership number or PIN, it is your responsibility to advise Qantas as soon as possible. The Member is liable for all use of the Card, PIN or Membership number until Qantas is notified of the loss, theft or unauthorised use...."

So, they could hardly absolve themselves of any potential fraud as it can be proven that they also know the PINs - every time I call up.
 
I have - many times, esp from Citibank, EDR and Westpac.

Their approach is all the same: we're from the bank, please ID yourself.

I always refuse and always point out to them that to me they could as well be calling from Nigeria.

For the last few years Citi have asked things like "what is the month of your year of birth?". In most cases you know why they're calling anyhow (recent large transaction, calling you back and so on..) so it makes sense that it's really the bank calling.

What about insurance against someone stealing points? I see a business opportunity here to protect digital items...
 
The naivety of some people can be amazing at times. A member on Facebook is quite happy to show his full BP on there, yet laughs it off when people suggest it's a security risk.

Just out of interest if someone had your QFF number how easy would it be to guess the pin?

I agree though some sort of report on failed attempts would be handy.
 
Your account will be locked after 3 continuous trials of the PIN.
At least for online log in.
 
So in other words, if someone has your name and FF number there is a 1 in 3333 chance of them gaining access. In the grand scheme of what is at stake, those odds aren't nearly long enough!
 
IMHO, banks are the worst offenders. They call you, ask you to verify all your personal details (without you being able to verify who is calling) and when you challenge them on the phone about this, they simply say 'oh but I'm from the bank!'.

My favourite is "is this Mr Drewbles?" I answer 'yes' and then get "I'm calling about your master card number xx_xx_ with current credit limit $yyyy". I cut them off asking how they can just pass my information out to anyone on the phone and their standard response is "oh but you said you were Mr Drewbles! That's all the ID we need". If you say to them it could have been anyone answering my phone proclaiming to be me, they say "oh but that would be fraud sir!". F'ing useless. Same thing goes if you complain and they tell you to call back on a number you've not heard, and they get narky when you say you'll only call back on a number listed on your card or statement.

I'm glad you got your points back Noreen. Great to see common sense (and some paperwork) prevailed.

Hear, hear to the max, although I am usually asked to respond to their 'security questions'. After twice refusing to 'identify myself' and give these 'security answers' to a cold call from Westpac (on successive Saturday mornings, no less) I had a card account stopped (by them).

Right. By the time I had finished with them, I had a groveling apology from the Manager - Retail (or something like that) and some guy in security and a (I still think grudging) admission that cold calling and then expecting me/us to identify ourselves isn't the way to go.

I then switched banks (about 9 accounts in all business and personal) and let all and sundry know why I was switching banks. Actually, that was the second time I had swapped in 2 years. It's not that hard once you go through it.
 
So in other words, if someone has your name and FF number there is a 1 in 3333 chance of them gaining access. In the grand scheme of what is at stake, those odds aren't nearly long enough!

Actually they're shorter, as the account is only locked temporarily (2 hours?) before they get another try.
 
I'd imagine hackers just set up random number generators that keep on plugging numbers into the system automatically until it hits the jackpot. Could well be happening to everyone's account right now.
 
I have never had a bank call me (unless I have left a message requesting them to do so). There's no way I'd accept a cold call (anyone could take a copy of your CC statement, call you and tell you the number and credit limit, and ask for personal questions for verification which they would then use).

I've had cold calls from [my phone provider] to offer some better options, that want to know the security info before telling about the options. Either a scam or an incredibly thick person who couldn't understand I wanted to hear the options first and give him my details if I want to change.
 
I'd imagine hackers just set up random number generators that keep on plugging numbers into the system automatically until it hits the jackpot. Could well be happening to everyone's account right now.

Interesting yet scary thought.

So they have your QFF number and get 3 tries every 2 hours? That is extremely poor.
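
The odds debated in the posts above (a four-digit PIN, three tries per lockout, a lock that lifts after about two hours), worked through as an added example that is not part of the original thread. The 3-try and 2-hour figures are the posters' own estimates, the two alternative policies are hypothetical, and the PIN is assumed to be chosen uniformly at random.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PIN_KEYSPACE = 10 ** 4  # four-digit numeric PIN, as discussed in the thread


@dataclass(frozen=True)
class LockoutPolicy:
    name: str
    tries_per_lock: int
    # Lock length in hours after the n-th lockout (n starts at 0);
    # None means locked until an out-of-band reset.
    lock_hours: Callable[[int], Optional[float]]


def guesses_within(policy: LockoutPolicy, horizon_hours: float) -> int:
    """Distinct guesses an automated guesser gets against ONE account."""
    elapsed, guesses, lockouts = 0.0, 0, 0
    while elapsed < horizon_hours:
        guesses += policy.tries_per_lock
        lock = policy.lock_hours(lockouts)
        if lock is None:          # hard lock: no further online guesses
            break
        elapsed += lock
        lockouts += 1
    return guesses


def compromise_probability(policy, horizon_hours, keyspace=PIN_KEYSPACE):
    """Chance a uniformly random secret falls to guessing inside the horizon."""
    return min(guesses_within(policy, horizon_hours), keyspace) / keyspace


# Constructed policies. The 3-tries / 2-hour figures are the posters' own
# estimates, not confirmed values; the other two are hypothetical alternatives.
AS_DESCRIBED = LockoutPolicy("3 tries, 2 h reset", 3, lambda n: 2.0)
BACKOFF = LockoutPolicy("3 tries, doubling lock (max 1 week)", 3,
                        lambda n: min(2.0 * 2 ** n, 168.0))
HARD_LOCK = LockoutPolicy("3 tries, then manual reset", 3, lambda n: None)

if __name__ == "__main__":
    for days in (1, 30, 365):
        for p in (AS_DESCRIBED, BACKOFF, HARD_LOCK):
            pr = compromise_probability(p, days * 24)
            print(f"{days:>3} d  {p.name:<38} {pr:8.2%}")
```

Under these assumptions a lock that simply lifts after two hours allows 36 guesses a day against a single account, while a lock that needs a manual reset holds the figure at the 3 in 10,000 quoted in the thread.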
 
Glad QF reinstated your points :)
It must indeed be the season for it - my WP Amex was somehow cloned, & someone physically swiped it in Canada a couple of days ago. 4 times in 2 shops, to the tune of over $4000.

Meanwhile it was sitting here at home with me.

It's chip & pin. Am always aware of who's around me. Rarely let it out of my sight, & only in restaurants I go to often. Maybe 3 times total. I did have an odd experience with it & another card in a shop at SYD International a few months ago where 2 cards were supposedly declined, & worked fine when, stressed to the max, I raced into the shop next door to buy the cheapest thing possible with both, to see if they still worked. And they did.

At that shop, the counter top was littered with card machines, and I'm talking half a dozen. I'll have to go in again next time I'm there & see if that is their norm.

Timely to check all accounts. I was feeling a little relaxed till this.
 
One of the banks I use sends a verification PIN to my registered mobile phone. When I perform certain online transactions I need to enter said PIN in order for the transaction to proceed. A message is also sent to my mailbox advising that a particular transaction has been performed and that I should contact the bank if it is not authorised. OK, so you need to check your banking mailbox but the verification PIN seems to be a good idea.

Could this work for the QFF account?
 
So in other words, if someone has your name and FF number there is a 1 in 3333 chance of them gaining access. In the grand scheme of what is at stake, those odds aren't nearly long enough!

There's probably even better odds than that. Start with the last 4 digits of the QF # on the boarding pass, then try 1234 if that doesn't work. :(
 