FF Account just hacked and almost 300,000 points taken

Status
Not open for further replies.
Today I logged into my QFF account to check the details of a flight booking for next week and discovered 203,680 points transferred out of my account (family transfer) to someone I don't know. The transfer had taken place today so I immediately called Qantas.

Qantas quickly reset my secret question answers and asked me to create a new pin.

The transfer shows the surname, first initial and QFF number of the recipient and Qantas suspended that account which still had a points balance equal to the amount transferred out of my account.

Qantas referred me to the Police and asked me to submit a stat dec, both of which I did this afternoon. I haven't received the points back into my account but I trust they will do this in due course.

I work in IT and take my online security seriously; I don't reuse passwords across multiple sites and don't have social media accounts where I'm publishing pictures of boarding passes or personal details. Having said that, I can't say that I securely destroy boarding passes or luggage receipts when I have them.

If it isn't bad enough having this play out I'm now concerned that whoever accessed my account now has my home address and also knows when I am going to be away from home based on my upcoming bookings!

I have read that Qantas are slowly rolling out two factor authentication to customers but after having this occur I wish they would roll it out to everyone asap.
 
Just checked my account and it is showing a zero balance. Also checked Mrs Want2flymore’s account and it is showing a zero balance as well. Qantas call centre is now closed. Does anyone know an after hours number?
 
I’m glad you noticed the unauthorised transfer before the thief could spend them from their account. It shows the value of regularly visiting your account and reinforces the need for two factor authorisation. I hope the police prosecute the perpetrator.
 
Only the standard number, the FF desk might be closed though.

If both of your accounts are empty, when was the last time you earned points? All points will expire if you haven't had any activity on the account for 18 months. If that's the case the FF centre may offer you a points challenge.
 
Sounds like it will end OK.

Welcome to AFF :). Hope you'll stick around.
 
All good now. Points are back. Must have been a glitch in the matrix. I think I will go and have a quiet drink to calm my nerves.

There's a problem with the system at the moment. I've got 0 points and NaN Status Credits :)

Activity looks ok though...
 
For a site/service that deals in such important personal information and huge $$$ value of transactions... the security on QFF is abysmal, bordering on negligent. The only thing between Users and Hackers is a pathetically weak four digit PIN. Probably stored in plain-text at the back-end.

Which is why I will never store any payment details in my QFF account, despite the total PITA of having to enter manually every time I make a booking.

QF made decent money this year.... wish they would use some of it to upgrade the security of the QFF website login to a minimum of allowing LONG & STRONG passwords and the option to enable 2FA.

I realise QF is not alone here.... many of the other airline and travel sites I use have the same low-bar security measure, prioritising user convenience over user security. But for an enterprise the size of QF.... this should not be a hard decision, nor hard to do.
 
In February, 2017, my husband's QF FF account was relieved of 50 000 points which were used to buy iTunes vouchers. Some of the details were changed on his account. Qantas were very quick to sort out the return of the points. He has since changed his password and now, I kindly relieve him of any worry by transferring all the points into my account.
 
I can't say with certainty, but storing your credit card details with Qantas "should" be safe. Assuming they're using a third party gateway, all they actually store is a token, not your credit card details. Even if that token is compromised, it would be useless to anyone who steals it as using it would credit the money to Qantas' account, not theirs.
 
Unfortunately with the NSA's hacking tools being made public (illegally as NSA say they were hacked/stolen and DID NOT plant them on the TVs in Trump tower before the Presidential election) - it really is only a matter of time before any and every major organisation is hacked one way or another.

A simple precaution that delays the risk is to NEVER allow your device to remember a password.

Going on 'free' public wifi is like playing Russian Roulette. Never use a bank account or credit card to do a transaction, check a balance etc etc when on public wifi - NEVER.

There have been many unreported (due to commercial concerns aka protecting one's backside) cases where public wifi has been penetrated across the globe. Those in the industry are zealots for buying internet access when travelling. There have been enough reports on AFF of hotel wifi scams/disasters.

With passwords (of course AFFers would not fall into this group) still the majority are easily cracked by trialling the 20 most used or by accessing people's social media accounts. More are lost that way (a recent study) than by phishing supposedly.

A good 'safety' feature is to regularly use a 3rd party security program to do a deep scan of your device.

BTW - how many people have installed security programs (aka apps) on their smart phones?

In Australia the degree that identity theft has gone to includes people's houses sold while they were on a long (greater than 2 month) holiday.

Cannot be too careful.

QN - Have you changed the factory default password on your modem/router?
 
Qantas have already reinstated the stolen points less than 24hrs after I made it known to them, I'm quite happy with how they have dealt with this issue. After receiving notification from them I went to login but my account was locked out due to too many login attempts so clearly someone has been trying to access my account again after the pin had been changed yesterday.

I just realised that it was only a couple of weeks ago that I set up the 'Qantas Skill' on the Amazon Echo Plus at home, that required me to enter my Qantas credentials...I wonder if it isn't as secure as it should be.
 
I’m guessing it’s a bit difficult to steal then spend points so quickly. As AFF’s we probably look at our accounts more frequently than most.
 
I have been specifically told many times that they cannot ask and use your pin.
Though when changing a flight I am always asked the number and pin of the person giving me the points.
What is it, yes or no????
 