FF Account just hacked and almost 300,000 points taken

Re: FF Account just hacked and points taken

Considering how keen a lot of AFF members seem to be to give their QFF login details to third-party websites I'm actually surprised this doesn't happen more often :)
 
Re: FF Account just hacked and points taken

Sometimes being paranoid is really being prudent.



I have to concur here.

I have become increasingly concerned about identity theft and you should be too.
 
Re: FF Account just hacked and points taken

The 4-digit PIN is really insecure - not just the PIN itself but also the wide number of points where it is used. Different websites, apps etc. Many of them take different data paths to the QF authentication servers, so many potential points of weakness where data can be intercepted.

Add to that two pieces of information (Surname and FF number) that are in pretty much every email from QFF to their customer base and you can see how these things happen.

I wrote a script for a lawyer mate back in the day who had 2M+ QFF points and was paranoid about them being stolen. He'd been stung by the AN collapse, and knew his work email had been compromised a couple of times. He just wanted something that would SMS him any time there was any negative change of 1000 points or more. He made sure that SMS number was unblocked from his phone and assigned it a loud and annoying alert tone. Quite a length to go to. And every time the QFF site or backend would change he'd message me in a panic to update the script. Thankfully he burned his points and has moved on from QFF so not my problem anymore ;-)

Simply offering the ability to set our own (complex) passwords, and adding mandatory two-factor authentication would clear up probably 80%+ of the fraud attempts.
 
What are Qantas now, a bank?

Of course not. However, security should be taken seriously for everything. Two factor authentication (2FA) should really be used for everything these days. It really isn't cumbersome at all.

If you have something of value that isn't money, do you treat it any differently? You wouldn't leave a pile of cash sitting in your car visible, and the same goes for gold bars (which aren't cash). Your QF points are valuable to you, so they should be secured as if they were cash.
 
So to give a few more details of my specific case. I work in IT and am very aware of the security risks related to phishing, scam emails, etc.

In my case the only profile field that was changed was the email field. I never got a notification to the previous email address that anything was updated. The address details and phone number were never changed, which raises the question of where the gift vouchers were sent to??

To their credit Qantas support were very good. They were not at all surprised it had happened and sent me a stat dec form to fill out and return, which they would attempt to process and credit points back in three business days.
 
To their credit Qantas support were very good. They were not at all surprised it had happened and sent me a stat dec form to fill out and return, which they would attempt to process and credit points back in three business days.

Perhaps it is a bit like the senior exec/board level decisions I have unearthed personally or read about (Origin anyone?) where 'allegedly' the cost of fixing some issue is estimated to be more than the cost of Govt fines/penalties or compensation payouts.

Cost cutting knows no reasonable bounds unfortunately.

Then again, neither do senior executive remuneration packages....
 

Of course not. However, security should be taken seriously for everything. Two factor authentication (2FA) should really be used for everything these days. It really isn't cumbersome at all.

Yes but cost of IT changes to implement vs the handful of points that get stolen and have to be refunded by QF. I guess QF has done their maths.
 
Cost cutting knows no reasonable bounds unfortunately.

Then again, neither do senior executive remuneration packages....
A bit off-topic to bring Australia Post into this. :D I suspect some of the key components are quite old systems and require a major rebuild that QFF wants to delay as long as possible.
 
A bit off-topic to bring Australia Post into this. :D I suspect some of the key components are quite old systems and require a major rebuild that QFF wants to delay as long as possible.


I was referring to Q senior executive packages specifically and the general practices as a whole.

Amongst other entitlements for the Q senior execs are rights to shares worth over $200,000,000, of which rights to 60 million shares were issued to the senior execs in 2014/15 - when the share price was around the current level.

Over $193 million from just rights entitlement to senior execs on top of cash remuneration and bonuses and super and other perks in one year...

Makes Aust Post look like amateur hour in comparison - no?
 
Logged in to my QFF account yesterday to see that just under 150k points had been used to purchase some JB HIFI vouchers on Saturday afternoon via the Qantas Store. Thankfully, the order was still "in process" and I was able to start an online chat with the store and have the order cancelled and the points refunded. No details had been changed in my account. PIN, email address, phone number etc were all the same. Now super paranoid! What is weird is that 2 factor authentication has been active on my account for a couple of months now. Admittedly, not every login - but you'd think that before a purchase, it would be mandatory.
 
 
Logged in to my QFF account yesterday to see that just under 150k points had been used to purchase some JB HIFI vouchers on Saturday afternoon via the Qantas Store. Thankfully, the order was still "in process" and I was able to start an online chat with the store and have the order cancelled and the points refunded. No details had been changed in my account. PIN, email address, phone number etc were all the same. Now super paranoid! What is weird is that 2 factor authentication has been active on my account for a couple of months now. Admittedly, not every login - but you'd think that before a purchase, it would be mandatory.

I assume you've now changed your pin number?
 
Today I logged into my QF account to discover almost 90,000 points stolen to purchase flights. Three separate transactions - and the FF centre was able to tell me the names in which they were purchased (most likely not their real names). The FF centre was supportive and advised that once I send in a Stat Dec they will reimburse the points. They do say I must report it to the police. Has anyone had any experience in reporting this kind of fraudulent hacking to the Police?
 
Today I logged into my QF account to discover almost 90,000 points stolen to purchase flights. Three separate transactions - and the FF centre was able to tell me the names in which they were purchased (most likely not their real names). The FF centre was supportive and advised that once I send in a Stat Dec they will reimburse the points. They do say I must report it to the police. Has anyone had any experience in reporting this kind of fraudulent hacking to the Police?
Probably no different to a Credit Card hack, where they take a statement and a copy of any doco.
 

I didn't realise the security processes before issuing credit were this bad!

Perhaps we should change our pins more regularly?
 
Re: FF Account just hacked and points taken

The 4-digit PIN is really insecure - not just the PIN itself but also the wide number of points where it is used. Different websites, apps etc. Many of them take different data paths to the QF authentication servers, so many potential points of weakness where data can be intercepted.

Add to that two pieces of information (Surname and FF number) that are in pretty much every email from QFF to their customer base and you can see how these things happen.

I wrote a script for a lawyer mate back in the day who had 2M+ QFF points and was paranoid about them being stolen. He'd been stung by the AN collapse, and knew his work email had been compromised a couple of times. He just wanted something that would SMS him any time there was any negative change of 1000 points or more. He made sure that SMS number was unblocked from his phone and assigned it a loud and annoying alert tone. Quite a length to go to. And every time the QFF site or backend would change he'd message me in a panic to update the script. Thankfully he burned his points and has moved on from QFF so not my problem anymore ;-)

Simply offering the ability to set our own (complex) passwords, and adding mandatory two-factor authentication would clear up probably 80%+ of the fraud attempts.
True, but alternatively, just sending out vouchers the old fashioned way in the mail would solve much of the problem.

Or asking a secret question before allowing a voucher to be sent to a recently changed email address.
Regards,
Renato
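Two of the ideas in this thread are easy to show as detection logic: the balance-watching script that texted its owner on any negative change of 1000 points or more, and the suggestion that a voucher redemption shortly after a contact-email change should require an extra challenge before anything is sent. The following is an added example written for this page, not code from the thread or from Qantas; the event format, the 7-day window and the account history are all constructed assumptions, and the balance readings stand in for whatever the real script scraped from the QFF site.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# 1000 points is the threshold from the script described in the thread.
# The 7-day "recently changed email" window is an assumption for this example.
DROP_THRESHOLD = 1000
EMAIL_CHANGE_WINDOW = timedelta(days=7)


@dataclass
class Event:
    ts: datetime
    kind: str          # "balance", "email_change" or "redemption"
    points: int = 0    # balance reading, or points spent for a redemption
    detail: str = ""


def balance_drop_alerts(events: List[Event],
                        threshold: int = DROP_THRESHOLD) -> List[Tuple[datetime, int]]:
    """Compare each balance reading with the previous one and report every
    fall of `threshold` points or more. This is the rule the thread's SMS
    script implemented: it fires on legitimate spend too, which is the point -
    the owner wants to hear about every large debit and decide for themselves."""
    readings = [e for e in events if e.kind == "balance"]
    alerts = []
    for prev, cur in zip(readings, readings[1:]):
        drop = prev.points - cur.points
        if drop >= threshold:
            alerts.append((cur.ts, drop))
    return alerts


def redemptions_needing_step_up(events: List[Event],
                                window: timedelta = EMAIL_CHANGE_WINDOW) -> List[Event]:
    """Flag redemptions that occur within `window` of a contact-email change.
    These are the orders the thread suggests should be held behind a secret
    question or a second factor before a voucher goes out, because the new
    address is exactly where a fraudster would want the voucher delivered."""
    flagged = []
    last_email_change = None
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "email_change":
            last_email_change = e.ts
        elif e.kind == "redemption":
            if last_email_change is not None and e.ts - last_email_change <= window:
                flagged.append(e)
    return flagged


def sample_events() -> List[Event]:
    """Constructed account history for the example; not real data.
    Day 1 is a small legitimate spend, day 2 mirrors the pattern posters
    describe (email changed, then a large voucher order), day 30 is a
    normal reward-flight booking long after the email change."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        Event(t0, "balance", 300_000),
        Event(t0 + timedelta(days=1), "redemption", 500, "seat selection"),
        Event(t0 + timedelta(days=1, hours=1), "balance", 299_500),
        Event(t0 + timedelta(days=2), "email_change", detail="contact email updated"),
        Event(t0 + timedelta(days=2, hours=3), "redemption", 150_000, "retailer vouchers"),
        Event(t0 + timedelta(days=2, hours=4), "balance", 149_500),
        Event(t0 + timedelta(days=30), "redemption", 20_000, "reward flight"),
        Event(t0 + timedelta(days=30, hours=1), "balance", 129_500),
    ]


if __name__ == "__main__":
    history = sample_events()
    for when, drop in balance_drop_alerts(history):
        print(f"ALERT {when:%Y-%m-%d %H:%M}: balance fell by {drop} points")
    for e in redemptions_needing_step_up(history):
        print(f"STEP-UP {e.ts:%Y-%m-%d %H:%M}: {e.points} points for {e.detail} "
              f"within {EMAIL_CHANGE_WINDOW.days} days of an email change")
```

On the constructed history the drop rule fires twice (the 150,000-point voucher order and the 20,000-point flight), while only the voucher order is flagged for step-up, since the flight booking falls outside the window. The two rules are deliberately separate: the first is something an account holder can run for themselves by polling their own balance, the second is a control only the programme operator can enforce at redemption time.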
 