QANTAS Cyber Incident

You don't need to worry about brute forcing individual accounts when you have so many pairs of FF# and surname.

You get 3 chances to guess the right number. That means for each account they try to access they have a 1 in 3,333 chance of guessing correctly.

They have 6,000,000 accounts.

So just guessing 3 numbers for each of the 6mil accounts will be successful 1,800 times.
No, you would need their surname too. Where are they getting the surname for the FF #s, or are you suggesting anyone with the surname Smith better watch out?

Edit: Oh, I see what you're saying now. Well yes, hence my earlier point: it was a decent bar to clear until they leaked 6 million customer records. But it has never been just needing to brute force 4 digits, as the original comment claimed; otherwise, as you point out, that would have been statistically problematic.
 
Leaking birth dates is a huge security violation; I'm surprised at how their email attempts to downplay the severity 💣

I wish more people were aware of how sensitive & important it is to guard your birth date.
Whilst true, there's a solid chance most of this information is already out there.
 
Names were stolen as well weren't they?
Yes, but I'd already pointed that out in the message you'd responded to, so I'd assumed you'd read it. Yes, now that the information is leaked, that's no longer a barrier to any attacker who has obtained that information.

Nor would it be if emails and passwords, security/account recovery questions, or other details that can be used to access accounts had been leaked. But yes, the point stands: that will be enough to get an attacker through to the MFA prompt, should they successfully guess a 4-digit PIN before being stopped some other way, such as via CAPTCHAs/WAFs/IP blocks/etc.
 
Highly unlikely. Most people wouldn't have all the info they need to complete it yet.
They don't need to, you can start adding information such as deductions and offsets while the autofill comes in. It opens on 1 Jul each year. I'm finished but for my autofill data. I've also had large periods where I couldn't access it yesterday and today to get to this point.
 
Yes, now that the information is leaked, that's no longer a barrier to any attacker who has obtained that information.
Yep, Qantas need to immediately change their verification to something better than a 4-digit PIN.

Keep in mind the hackers can just use the most common 4-digit PINs to greatly enhance the number of successful attacks.

27% of all PINs are one of the 20 most common numbers, as can be seen on this page:

If you guess 3 numbers from the 20 most common PINs you would likely be successful in compromising 243,000 of the 6 million accounts.
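The arithmetic in this post, written out as an added example (not code from the thread or from Qantas) so the same calculation can be repeated for any PIN-frequency distribution, lockout cap or PIN length, which is what you need in order to compare the current 4-digit/3-try design against alternatives. The 6,000,000 accounts, 3 attempts and 27%-in-top-20 figures are the thread's; the assumption that the 27% is spread evenly across the 20 most common PINs (and the remaining 73% evenly across the rest) is mine.

```python
"""Expected yield of guessing short PINs across a large set of leaked identifiers.

Added example; not Qantas code. Generalises the thread's 1,800 / 243,000
arithmetic to any PIN distribution, per-account attempt cap and PIN length.
"""

ACCOUNTS = 6_000_000          # figures quoted in the thread
ATTEMPTS_BEFORE_LOCK = 3
PIN_LENGTH = 4


def uniform_pins(pin_length=PIN_LENGTH):
    """Every PIN equally likely: the defender's best case."""
    space = 10 ** pin_length
    return [1.0 / space] * space


def skewed_pins(top_share=0.27, top_n=20, pin_length=PIN_LENGTH):
    """Thread's figure: 27% of PINs fall in the 20 most common values.

    Assumption (mine): the 27% is spread evenly over the top 20 and the
    remaining mass evenly over the rest of the space.
    """
    space = 10 ** pin_length
    top = [top_share / top_n] * top_n
    rest = [(1.0 - top_share) / (space - top_n)] * (space - top_n)
    return top + rest


def per_account_success(pin_probs, attempts=ATTEMPTS_BEFORE_LOCK):
    """Chance a single account falls when the attacker tries the `attempts`
    most likely PINs and then moves on (the lockout ends further guessing)."""
    return sum(sorted(pin_probs, reverse=True)[:attempts])


def expected_compromises(pin_probs, accounts=ACCOUNTS, attempts=ATTEMPTS_BEFORE_LOCK):
    """Expected number of accounts compromised across the whole population."""
    return accounts * per_account_success(pin_probs, attempts)


def total_attempts(accounts=ACCOUNTS, attempts=ATTEMPTS_BEFORE_LOCK):
    """Login attempts the campaign generates: the volume a WAF or rate limit sees."""
    return accounts * attempts


def compare_controls():
    """Yield under the current design versus changes a defender might make."""
    return {
        "4-digit uniform, 3 tries": round(expected_compromises(uniform_pins())),
        "4-digit skewed, 3 tries": round(expected_compromises(skewed_pins())),
        "4-digit skewed, 1 try": round(expected_compromises(skewed_pins(), attempts=1)),
        "6-digit uniform, 3 tries": round(expected_compromises(uniform_pins(6))),
    }


if __name__ == "__main__":
    for label, n in compare_controls().items():
        print(f"{label}: ~{n:,} accounts")
    print(f"attempts generated: {total_attempts():,}")
```

The uniform case reproduces the 1,800 figure and the skewed case the 243,000 figure; the last two entries show that tightening the cap or lengthening the PIN only divides the yield, while the 18 million attempts the campaign needs to generate is the signal the population-level controls have to act on.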
 
It is very hard to brute force when the account locks after 3 incorrect attempts, and requires a call to unlock ...
You just move on to the next account when one gets locked.

Statistically you will be successful eventually, especially if targeting the most common PINs.
 
If you guess 3 numbers from the 20 most common PINs you would likely be successful in compromising 243,000 of the 6 million accounts.
If you were the attacker who stole this data, and also had access to the FF's e-mail address or ported their mobile number, and they weren't using an authenticator, and weren't stopped when iterating through 6 million accounts, sure. Again, the importance of any one control can't be downplayed, but it shouldn't be exaggerated either. It's significantly weakened QFF's security posture and they'll need to change something, either 6 million FF numbers or their authentication system; they don't necessarily need to do it immediately and they probably won't, from an optics perspective.
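The two points made above, that a per-account lockout just makes the attacker "move on to the next account", and that the real question is whether they get "stopped when iterating through 6 million accounts", come down to detection at the population level rather than per account. As an added example (not code from the thread, from AFF or from Qantas), two detectors over a constructed authentication log: one flags a source whose failures touch many distinct accounts in a short window, the other flags a spike in accounts hitting the lockout threshold regardless of source, which still fires when the attacker rotates IPs. The log format, the IP addresses (documentation ranges), the account ids, the 5-minute window and the alert thresholds are all my assumptions; only the 3-failure lockout is the thread's figure.

```python
"""Population-level detection of PIN spraying in an authentication log.

Added example; not Qantas code. A per-account lockout caps guesses per account,
so the defensive signal has to be population-wide.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3            # failures before an account locks (figure from the thread)
WINDOW = timedelta(minutes=5)    # hypothetical detection window
DISTINCT_ACCOUNT_ALERT = 5       # hypothetical tuning: one source failing against >= 5 accounts
LOCKOUT_SPIKE_ALERT = 3          # hypothetical tuning: >= 3 accounts locking inside one window

# Constructed sample log, "<timestamp> <source-ip> <account> <result>".
# 203.0.113.7 sprays: three guesses per account, then the next account.
# 198.51.100.9 is an ordinary user mistyping twice, then succeeding.
SAMPLE_LOG = """\
2025-07-02T10:00:01Z 203.0.113.7 FF1000001 FAIL
2025-07-02T10:00:02Z 203.0.113.7 FF1000001 FAIL
2025-07-02T10:00:03Z 203.0.113.7 FF1000001 FAIL
2025-07-02T10:00:04Z 203.0.113.7 FF1000002 FAIL
2025-07-02T10:00:05Z 203.0.113.7 FF1000002 FAIL
2025-07-02T10:00:06Z 203.0.113.7 FF1000002 FAIL
2025-07-02T10:00:07Z 203.0.113.7 FF1000003 FAIL
2025-07-02T10:00:08Z 203.0.113.7 FF1000003 FAIL
2025-07-02T10:00:09Z 203.0.113.7 FF1000003 FAIL
2025-07-02T10:00:10Z 203.0.113.7 FF1000004 FAIL
2025-07-02T10:00:11Z 203.0.113.7 FF1000004 FAIL
2025-07-02T10:00:12Z 203.0.113.7 FF1000005 FAIL
2025-07-02T10:00:13Z 203.0.113.7 FF1000005 OK
2025-07-02T10:00:20Z 198.51.100.9 FF2000001 FAIL
2025-07-02T10:00:50Z 198.51.100.9 FF2000001 FAIL
2025-07-02T10:01:20Z 198.51.100.9 FF2000001 OK
2025-07-02T10:02:00Z 198.51.100.10 FF2000002 OK
"""


def parse_log(text):
    """Parse the log into (timestamp, source, account, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result))
    events.sort()
    return events


def spraying_sources(events, window=WINDOW, min_accounts=DISTINCT_ACCOUNT_ALERT):
    """Map source -> peak number of distinct accounts it failed against inside `window`.

    Only sources at or above `min_accounts` are returned: a real user retrying
    their own PIN touches one account, a spray touches many.
    """
    fails_by_src = defaultdict(list)
    for ts, src, account, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, account))
    flagged = {}
    for src, fails in fails_by_src.items():
        in_window = Counter()   # account -> failures currently inside the sliding window
        start = 0
        peak = 0
        for ts, account in fails:
            in_window[account] += 1
            while ts - fails[start][0] > window:   # expire events older than the window
                old = fails[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged


def lockout_times(events, threshold=LOCKOUT_THRESHOLD):
    """Map account -> time it reached `threshold` consecutive failures (locked)."""
    consecutive = Counter()
    locked = {}
    for ts, src, account, result in events:
        if result == "OK":
            consecutive[account] = 0      # assumption: a success resets the counter
            continue
        consecutive[account] += 1
        if consecutive[account] == threshold and account not in locked:
            locked[account] = ts
    return locked


def peak_lockouts(events, window=WINDOW):
    """Most accounts locking inside any single `window`; source-independent."""
    times = sorted(lockout_times(events).values())
    peak = 0
    start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def alerts(events):
    """Findings from both detectors as plain strings."""
    found = [f"source {src} failed against {n} accounts in one window"
             for src, n in spraying_sources(events).items()]
    peak = peak_lockouts(events)
    if peak >= LOCKOUT_SPIKE_ALERT:
        found.append(f"{peak} accounts locked within one window")
    return found


if __name__ == "__main__":
    for line in alerts(parse_log(SAMPLE_LOG)):
        print("ALERT:", line)
```

On the sample log the first detector flags 203.0.113.7 (five distinct accounts in a few seconds) while the ordinary user stays under the threshold, and the second counts three lockouts inside one window, which is the pattern a spray leaves even when each source only ever touches a handful of accounts.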
 

It is very hard to brute force when the account locks after 3 incorrect attempts, and requires a call to unlock ...

What info do you need to provide to unlock your account on the phone these days? Name, FF number, birthday, street address. Uh oh....
 
What info do you need to provide to unlock your account on the phone these days? Name, FF number, birthday, street address. Uh oh....
They also have OTP available, and I get asked for it periodically when logging into my account. I just can't recall precisely where and when it's used, as it's not requested all the time.
 
You just move on to the next account when one gets locked.

Statistically you will be successful eventually, especially if targeting the most common PINs.
Waste of time, compute power and cost for such little gain. Its cost-to-reward ratio doesn't make as much sense. And selling random individual data isn't very lucrative either, compared with a big dataset.
 
