
Qantas website. How secure is it?

Status
Not open for further replies.

Beesem (Newbie, joined Jan 23, 2015, 2 messages)
Hi all, this is my first post here so forgive me if this has been mentioned before.

It's always struck me that the log-on/security approach that Qantas uses for its frequent flyer website is, how shall I put it?, quaint!

They want three bits of information: a name, a member number, and a 4-digit PIN. It was always that 4-digit PIN that worried me. Just 4 digits? Most passwords, to be secure, need 12 or so randomised characters, and Qantas is still running with a 4-digit, numbers-only PIN? I figured, though, that the additional combination of name and member number made it harder to crack.

But reading the article entitled "Password Re-use Fuels Starwood Fraud Spike" at the KrebsonSecurity website (you'll need to Google it because I can't post the link here, being a newbie) has made me realise how insecure the Qantas site is.

The article refers to a US-based loyalty rewards website called Starwood Preferred Guest, which has had many user accounts compromised and the users' points syphoned off and sold on the black market.

The mass compromise of Starwood accounts began in earnest less than a week ago. That roughly coincides with a Starwood-specific account-checking tool that was released for free on Leakforums[dot]org, an English-language forum dedicated to helping (mostly low-skilled) misfits monetize compromised credentials from various online services, particularly e-retailers, cloud-based services and points or rewards accounts.

According to a tutorial posted on the forum, hijacked account buyers "cash out" their purchases by creating new Starwood accounts and then forcing the hijacked account to transfer its account balance to the new account. The reward points are then exchanged for gift cards that can be used as cash.

Not sure how easy it would be for crooks to take advantage of a compromised Qantas user account, but reading about how those crooks attacked the Starwood accounts, I reckon it must be a doddle for them to attack the Qantas website with its ridiculous 4-digit PIN.

Any half-smart cyber crook only needs to get hold of member numbers and names from somewhere, and a simple brute-force attack will open up user accounts in seconds.

I reckon Qantas better get their act together on this one pronto before people start seeing their points disappear before their eyes.

Anyone else see this as a risk?
 

Mr_Orange (Established Member, joined Jun 17, 2013, 4,595 messages)
[Quoting Beesem's post above]
3 wrong PIN attempts and you are locked out, I think, with a forced reset of the PIN using other personal data to verify. Someone else might need to confirm my facts though.
 

aaflyer (Member, joined Jul 24, 2014, 217 messages)
Starwood uses email and password, perhaps the least secure of any authentication method (in terms of people using the same email/pass for *everything*, with insecure easy-to-remember passwords).

They do also allow account number/password logins, but you can have both.

Qantas are using three-factor, which is better, but not by much. People tend to know your last name, and a 4-digit PIN is not overly secure. I guess the thing they have going for them is that not many websites do a 4-digit PIN, so you're not going to be spreading that around much, and, as Mr_Orange says, 3 wrong attempts and your account is locked out.

I change my Qantas PIN regularly. I consider points like cash (although not much these days thanks to fuel surcharges), so protect them.
 

Shan Man (Member, joined Jan 19, 2014, 268 messages)
ATM card PINs are a minimum of 4 digits.

I'd value my actual cash more than my FF history tbh.
 

mannej (Senior Member, joined Mar 16, 2009, 9,831 messages)
Why single out one airline when a lot of other FFP logins are similar?

Yes there are cases from time to time but you don't hear about it a lot on here do you?
 

exceladdict (Established Member, joined Mar 26, 2014, 2,588 messages; Qantas Bronze, Virgin Gold)
In terms of cashing out to 'steal' points, a lot of info needs to be given to actually benefit, i.e., how can you use points you stole without getting caught? The only thing I can think of is cashing in for digital gift cards used at a self checkout, and even then you'd be caught on camera. Or delivery of something physical to a false address.

And if your account was hacked would Qantas refund?
 

blackcat20 (Enthusiast, joined Jan 7, 2011, 11,876 messages)
[Quoting aaflyer's post above]
IHG use pin, and so does Hilton if you take that option.
 

Cynicor (Established Member, joined Jun 13, 2007, 3,851 messages)

[Quoting blackcat20's post above]
The issue is not really with a PIN so much as the number of attempts allowed. Hilton never had a lockout, so it was possible to brute-force every account's PIN. This resulted in a mass hacking of HH and the introduction of the new captcha process.

Similarly with banks, you can't easily brute-force a PIN and card because you'll need a physical card, and their systems would notice multiple failed attempts.

QF have a 3 attempt system as mentioned above, leaving it relatively secure, for an online pin.
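As an added illustration of the two attacks argued over in this thread (it is not code from Qantas or from any poster), the Python below models a surname + member number + 4-digit PIN login that locks an account after three wrong PINs, as Mr_Orange and Cynicor describe, and runs Beesem's single-account brute force against it alongside a "spray" of a couple of popular PINs across many accounts. The member numbers, surnames, PINs and the attacker's guess list are all constructed sample data, and the three-strike rule is taken from the thread as an assumption.

```python
"""Online PIN guessing against a surname + member number + 4-digit PIN login.

Added illustration for this thread, not Qantas code. Assumptions: an account
locks after 3 wrong PINs (as described in the thread); the accounts, PINs and
the attacker's guess list below are constructed sample data, not real members.
"""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3                           # lockout threshold (assumption)
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]   # every 4-digit PIN, 0000..9999


@dataclass
class Account:
    member_number: str
    surname: str
    pin: str
    failed_attempts: int = 0
    locked: bool = False


class PinLoginService:
    """Server side: checks all three fields, locks after 3 consecutive failures."""

    def __init__(self, accounts):
        self._accounts = {a.member_number: a for a in accounts}
        self.attempts_seen = 0

    def login(self, member_number, surname, pin):
        self.attempts_seen += 1
        acct = self._accounts.get(member_number)
        # One generic failure whether number, surname or PIN is wrong: the
        # response must not tell the attacker which part was right.
        if acct is None or acct.locked:
            return False
        if acct.surname.lower() == surname.lower() and acct.pin == pin:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True        # forced out-of-band PIN reset from here
        return False

    def is_locked(self, member_number):
        return self._accounts[member_number].locked

    def locked_count(self):
        return sum(a.locked for a in self._accounts.values())


# Constructed population: a few members use the "easy to remember" PINs that
# sit on every attacker's shortlist, the rest picked theirs at random.
SAMPLE_MEMBERS = [
    ("1000001", "Smith", "1234"), ("1000002", "Nguyen", "7391"),
    ("1000003", "Patel", "0000"), ("1000004", "Jones", "4826"),
    ("1000005", "Brown", "1111"), ("1000006", "Wilson", "2580"),
    ("1000007", "Taylor", "9045"), ("1000008", "Lee", "1234"),
]
COMMON_PINS = ["1234", "0000", "1111", "2580"]    # attacker's guess list (assumption)


def fresh_service():
    """New service with untouched lockout counters for each attack run."""
    return PinLoginService([Account(m, s, p) for m, s, p in SAMPLE_MEMBERS])


def brute_force_one_account(service, member_number, surname):
    """Vertical attack (Beesem's scenario): walk the whole keyspace against
    one account. Returns the PIN if found, None once the account locks."""
    for pin in PIN_SPACE:
        if service.login(member_number, surname, pin):
            return pin
        if service.is_locked(member_number):
            return None
    return None


def spray_common_pins(service, targets, guess_list):
    """Horizontal attack: a couple of popular PINs against every account,
    staying below the lockout threshold so no victim is alerted.
    `targets` is the (member number, surname) list the attacker already holds."""
    guesses = guess_list[:MAX_FAILED_ATTEMPTS - 1]
    compromised = {}
    for member_number, surname in targets:
        for pin in guesses:
            if service.login(member_number, surname, pin):
                compromised[member_number] = pin
                break
    return compromised


def run_demo():
    results = {}
    # 1. Brute force: the lockout ends it after 3 of 10,000 possible guesses.
    svc = fresh_service()
    results["brute_force_pin"] = brute_force_one_account(svc, "1000001", "Smith")
    results["brute_force_attempts"] = svc.attempts_seen
    results["brute_force_locked"] = svc.is_locked("1000001")
    # 2. Spray: same lockout, nothing locks, yet every popular-PIN member falls.
    svc = fresh_service()
    targets = [(m, s) for m, s, _ in SAMPLE_MEMBERS]
    results["sprayed"] = spray_common_pins(svc, targets, COMMON_PINS)
    results["spray_attempts"] = svc.attempts_seen
    results["spray_locked_accounts"] = svc.locked_count()
    # Upper bound on hitting a uniformly random PIN before lockout: 3 / 10,000.
    results["random_pin_bound"] = MAX_FAILED_ATTEMPTS / len(PIN_SPACE)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as a script it shows the two halves of the argument: the three-strike lockout stops the walk of the keyspace at a 0.03% chance per account, but the lockout counts failures per account, so an attacker who already holds names and member numbers can put two guesses against every account without locking any of them, and what then decides an account's fate is only whether its PIN is one of the popular ones. The checks a practitioner would add on the server side are rate limiting and alerting per source (one client failing against many distinct accounts), not just per account, and rejecting the most common PINs when one is set.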
 

OzEire (Established Member, joined Aug 4, 2013, 1,365 messages)
At least the QF site now uses SSL.

A few years back, Qantas.com users would transmit their login details (PIN and all) openly while logging in... Anyone could, for example, sit in a terminal with free wifi and hoover up credentials.
 

grussellt (Active Member, joined Mar 18, 2008, 908 messages)

[Quoting exceladdict's post above]
There are several threads on AFF about stolen QFF points. AFAIK all points have been reinstated.
 

clazman (Established Member, joined Apr 20, 2014, 1,807 messages)
Let's be honest, every website is hackable.

Just remember the same basics to follow:

1. Different passwords for every site
2. Include letters, numbers, characters, uppercase and 8 characters minimum
3. Change your password on a regular basis
 

Beesem (Newbie, joined Jan 23, 2015, 2 messages)

[Quoting mannej's post above]
I only single out Qantas because that's the one I use, and when I logged in last I was struck by the apparent weakness of their security.

I suppose that a lockout after three attempts makes it more secure, but even so, my corporate login has a three-strike lockout, and it requires a much more secure password than a 4-digit PIN.

I reckon that we'll be reading about compromised Qantas accounts before too long. Not much I can do, though. It's not as though I can transfer my points to the bank for safe keeping.
 