QANTAS security breach - 2 separate flights were cancelled without Authorisation by my ex-husband through his QFF Account on-line.


There’s no such thing as MMT (manage my ticket). It’s manage my booking. One booking for multiple passengers.

Irrelevant to determine which pax is accessing MMB, as long as the name matches one of the pax.

I understand there is a warning the cancellation is for all passengers.


Again, we’re not talking about strangers here. Pax need to accept responsibility, and if one of the pax does something wrong, go after them, not the airline.
@justinbrett I think we are on the same page here.

I wasn't really using my example as a reference to the OP's situation or to suggest that I think that "Manage My Ticket (MMT)" as you have correctly described it does or should exist. It was actually pointing out, as you have also done in a different manner, that you can't "Manage My Ticket" and it is only "manage My Booking". As soon as anyone has the PNR and surname it's open doors.
 
As soon as anyone has the PNR and surname it's open doors.

Not even that, if someone books you with your frequent flyer number it will automatically appear in your list of bookings.

I guess my opinion is the system isn’t broken and doesn’t need fixing. Much more damage can be done with joint accounts after a breakup than an airline booking that was refunded.
 
Here's an example:

Mrs Smith books a ticket for herself and her husband to fly from Melbourne to LA. It is a joint ticket in the names of Mrs Anne Smith and Mr Andrew Smith. Because they are joint tickets they share the same PNR.

For whatever reason, Mr Smith decides he wants to cancel his ticket (perhaps he has to reschedule his travel due to work commitments). So he goes to the MMB page of the website without logging in and is asked to enter the PNR and the surname of the traveller.

So the questions are:

1. How does the website know whether they are dealing with Mr Smith or Mrs Smith? Both have the same surname and PNR.
2. When the cancellation request is lodged, how does the website know that it is Mr Smith wanting to cancel the ticket only for Mr Smith and that it is not Mrs Smith wanting to cancel the ticket only for Mr Smith? And this quandary could exist even if it was Mr Smith and Mr Jones travelling on the same PNR.
As per my example… a mobile phone number is an additional requirement for each pax in the booking.

When any passenger comes to retrieve their booking, they provide the PNR, surname and mobile number.

2FA grants access to the booking and the system knows which passenger they are dealing with, and the extent of the authority.

A mobile phone field to retrieve any booking, at any time, would also prevent unauthorised or unintended access to bookings in cases such as fraud, or people being silly and posting their boarding pass on line, or leaving a boarding pass behind on board.
 
A mobile phone field to retrieve any booking, at any time, would also prevent unauthorised or unintended access to bookings in cases such as fraud, or people being silly and posting their boarding pass on line, or leaving a boarding pass behind on board.
Fortunately Qantas hasn't had any data breaches that resulted in info such as surnames and mobile phone numbers being leaked.... 😇

PS> Appreciate you're referring to 2FA/MFA here for identity resolution.
 
As per my example… a mobile phone number is an additional requirement for each pax in the booking.

When any passenger comes to retrieve their booking, they provide the PNR, surname and mobile number.

2FA grants access to the booking and the system knows which passenger they are dealing with, and the extent of the authority.

A mobile phone field to retrieve any booking, at any time, would also prevent unauthorised or unintended access to bookings in cases such as fraud, or people being silly and posting their boarding pass on line, or leaving a boarding pass behind on board.

Is a mobile phone number a requirement for each passenger? I recently booked two domestic tickets - one for me and another for a friend on the same PNR and I am quite sure that I was not asked for the phone number of the other passenger. Only name.

Relying on mobile phones for 2FA can be tricky if the person is overseas and on a local SIM or Travel SIM and can't receive texts to their domestic mobile number when they try to make these changes.

Not saying it's a bad idea, but it is an imperfect solution, which most would be when compared with the current methods.
 
Is a mobile phone number a requirement for each passenger? I recently booked two domestic tickets - one for me and another for a friend on the same PNR and I am quite sure that I was not asked for the phone number of the other passenger. Only name.

Relying on mobile phones for 2FA can be tricky if the person is overseas and on a local SIM or Travel SIM and can't receive texts to their domestic mobile number when they try to make these changes.

Not saying it's a bad idea, but it is an imperfect solution, which most would be when compared with the current methods.
It's a problem - when you start thinking about changing well established procedures, you need to think them through very carefully.
 
Is a mobile phone number a requirement for each passenger? I recently booked two domestic tickets - one for me and another for a friend on the same PNR and I am quite sure that I was not asked for the phone number of the other passenger. Only name.
This is my experience as well - no phone number for any additional people on the PNR - just name and the option of adding FF details
 
Is a mobile phone number a requirement for each passenger? I recently booked two domestic tickets - one for me and another for a friend on the same PNR and I am quite sure that I was not asked for the phone number of the other passenger. Only name.

Relying on mobile phones for 2FA can be tricky if the person is overseas and on a local SIM or Travel SIM and can't receive texts to their domestic mobile number when they try to make these changes.

Not saying it's a bad idea, but it is an imperfect solution, which most would be when compared with the current methods.
Yes, the requirement going forward could be for a phone number for each passenger in the booking. Or email or whatever so that authority to make changes can be given on a unique basis.

Plenty of circumstances, particularly banks, where you will get sent an authorisation text while you are overseas.

Me and my 5 friends are flying to Bali. I paid for the tickets. Friend #2 can just decide to cancel everyone’s booking. I have a problem with that!
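
The per-passenger authority proposed in this thread (PNR, surname and a mobile number, confirmed by a one-time code), sketched as an added example that is not from any poster and is not Qantas code. The rule that the booker may cancel for everyone while other passengers may cancel only themselves, along with all names, the PNR and the phone numbers, are assumptions constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Passenger:
    name: str
    surname: str
    mobile: str               # constructed sample numbers, not real ones
    is_booker: bool = False   # assumption: the person who made the booking
    cancelled: bool = False

@dataclass
class Booking:
    pnr: str
    pax: list
    pending: dict = field(default_factory=dict)  # mobile -> (code, passenger)

def request_code(booking, pnr, surname, mobile):
    """PNR + surname + mobile must select exactly one passenger."""
    if pnr != booking.pnr:
        return None
    match = [p for p in booking.pax
             if p.surname.lower() == surname.lower() and p.mobile == mobile]
    if len(match) != 1:       # unknown number, or shared number: refuse
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    booking.pending[mobile] = (code, match[0])
    return code               # stands in for the SMS; never shown to the web caller

def verify(booking, mobile, code):
    """A correct code identifies one passenger; any attempt consumes the code."""
    expected, passenger = booking.pending.pop(mobile, (None, None))
    if expected is None or not hmac.compare_digest(expected, code):
        return None
    return passenger

def cancel(actor, targets):
    """Non-bookers may cancel only themselves; the booker may cancel anyone."""
    if actor is None or not targets:
        return False
    if not actor.is_booker and any(t is not actor for t in targets):
        return False
    for t in targets:
        t.cancelled = True
    return True

def sample_booking():
    """The thread's two passengers sharing one surname and one PNR."""
    anne = Passenger("Anne", "Smith", "+61400000001", is_booker=True)
    andrew = Passenger("Andrew", "Smith", "+61400000002")
    return Booking("ABC123", [anne, andrew]), anne, andrew
```

With PNR and surname alone the two Smiths are indistinguishable; the verified number is what binds the session to one passenger and therefore to one scope of authority.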
 
Me and my 5 friends are flying to Bali. I paid for the tickets. Friend #2 can just decide to cancel everyone’s booking. I have a problem with that!

Book separately, or alternatively don't put their FF #s on the booking, so that they don't see the PNR in their account. Just give them flight details. They can add their FF# at the airport or retrospectively claim.
 
Or it might be cheaper for them just to have a policy that provides some “goodwill” gestures for the fringe cases for where this turns out to be a genuine problem.

For fraud prevention IIRC most airlines have additional steps if you want to refund to something other than original form of payment or travel credit tied to the passenger. I assume QF is the same.
 
