QF Points taken and fast response from Qantas

DoctorSimon

Junior Member
Joined
Nov 14, 2005
Messages
31
Hi,

I checked my QFF account on Easter Monday and found 185,000 points had been spent by someone (unknown) two days earlier (Easter Saturday) on a booking for 3 adults. Rang Qantas and advised, they cancelled the reservations. I sent in a stat dec with the details late on Easter Monday night and the QFF points were back in my account the next morning.

Thank you Qantas - excellent, prompt response.

However, how did they get into my account? Why didn't I get a TXT confirming the log-on from a new computer? Why didn't I get an email of the itinerary, confirming deduction of the points? etc, etc.

Seems it is too easy to steal from a QFF account, when it is effectively a bank account.
 

levelnine

Member
Joined
Nov 7, 2009
Messages
306
Strikes me as a pointless form of theft (pun intended). Unless you are booking flights for the exact same day, the tickets will be cancelled (unlike money, which can be withdrawn from an ATM). I guess it relies on the thief selling the points to some unsuspecting person and/or hoping that the theft is never detected.

As to how they got into your account, logged into your Qantas account via an email link? Details could have been phished.
 

goldenhorn

Member
Joined
Apr 11, 2011
Messages
264
I can relate. I had 150,000 points stolen from my QFF account a couple of years ago. They had booked flights and had already taken one departing Bali for the Middle East.

I too didn’t receive any confirmations of travel booked etc. Luckily I accidentally stumbled across it when I logged into my account (these were the days before I was points chasing and checking my account balance multiple times a week lol)

I had a similar positive experience and points were returned quickly after a stat dec. to Qantas.

The culprit for me was using a computer in an executive lounge in the Beijing Hilton to log into my QF account. I suspect my login details were scraped by hackers.
 

jetpack

Member
Joined
Mar 21, 2014
Messages
393
I had a similar thing happen to my Velocity account. As it turns out, the phone agent I spoke to that day accidentally took points out of my account for a booking she made for the subsequent caller. Hackers are not always the reason.
 

DoctorSimon

Junior Member
Joined
Nov 14, 2005
Messages
31
Thanks for the kind thoughts 'I love to travel' :).

levelnine, I get a code texted to my mobile if I log on to my Qantas account from a different computer. I assume clicking on a link would initiate the same?
 

sinophile888

AFF Supporter
Joined
Mar 17, 2008
Messages
640
Mr.s. had 50000 points taken from his account a year or so ago. The hackers bought iTunes vouchers which I understand are more tradable than flight tickets. They changed Mr. s's contact details, so Qantas had trouble contacting him. Qantas quickly refunded the points. Since then, I have moved his points to my account on a regular basis. Besides, he wouldn't know what to do with the points anyway.
 

33kft

AFF Supporter
Joined
Jun 19, 2018
Messages
395
If you have 2FA enabled for the account, it's very unlikely that it was another person redeeming those points. Just as @jetpack has pointed out above, it's much more likely that the wrong FF account number was supplied somewhere in the chain and the points were incorrectly debited from your account, which would not require logging in nor 2FA. It also suggests why the points were likely reinstated so quickly without investigation (the audit logs probably indicated who went wrong where)

In terms of suggesting that the regulation/liabilities around FF accounts should be similar to financial institutions because of a perceived similarity - as someone who works in that arena and has seen what happens when a single regulator in a single country introduces regulations that require global banks which trade (in whatever minor/major capacity) in that country/region to either shut down their entire retail operation or spend $xxxM to retrofit the entire core banking infrastructure globally to accommodate it... any FF program with a shred of risk assessment capability would immediately find a way to shut down and bow out
 

nannieann

Newbie
Joined
Sep 15, 2011
Messages
6
I have always thought that the Qantas system of logging in is open to abuse. If you leave your boarding pass on a table for all to see or in the seat pocket or just throw it away, it is very easy for another person to see the name and FF number. Because the password only has four numbers, it's then just a matter of entering up to 9999 digits to unlock the account online. I always bring my boarding pass home and shred it.
 

opusman

AFF Supporter
Joined
Jun 27, 2006
Messages
5,266
> Because the password only has four numbers, it's then just a matter of entering up to 9999 digits to unlock the account online
You only get a few tries before the account is locked so would be very unlucky to break into by chance. I don't disagree that it's insecure though. 2FA is definitely an improvement though I wish they supported Authenticator apps rather than just SMS.
 

33kft

AFF Supporter
Joined
Jun 19, 2018
Messages
395
> it's then just a matter of entering up to 9999 digits to unlock the account online.
The same amount of numbers that (usually, I get some are 5/6 digits) stops you from withdrawing all of the money off a card you find in the street, and more than you need to make a purchase using a paywave card in most cases. Not nearly as trivial as you're making out - if every attempt took 20 seconds (ignoring the lockout component) it would take you up to 2 and a third days to brute force, not budgeting any time for sleeping, eating, just non stop PIN guessing.
 

Travelbugz

AFF Supporter
Joined
May 31, 2011
Messages
3
I had 850,000 points stolen through 10 separate transactions over the course of 3 days in December of last year. Luckily I noticed within a day of the last transaction appearing in my account and Qantas reinstated the points within hours of receiving my stat declaration. The points were used for flight bookings and Jetstar extras. I was more annoyed that the thief was better able to find award bookings than I have been which is the reason for the large accumulation of points :rolleyes:.
 

Flying Fox

AFF Supporter
Joined
Jul 13, 2006
Messages
2,655
> I can relate. I had 150,000 points stolen from my QFF account a couple of years ago. They had booked flights and had already taken one departing Bali for the Middle East.
I hope the rest of the itinerary got cancelled and that they got stuck somewhere terrible!!!
 

timjohns

Member
Joined
Sep 16, 2013
Messages
107
I question the efficacy of the 2FA that Qantas has deployed for the Frequent Flyer accounts.

* I recently set up AwardWallet to monitor my QFF and many other loyalty-points accounts.
* Part of that process involves giving AW the login details for your QFF account - so they can log-in and update points balances and activities etc.
* I've worked out now that AW does this weekly on a Saturday arvo because I now get a regular SMS from the QF 2FA service with a code for me to use to login.
* I do nothing with this SMS code.... yet AW is able to access my account and update what it needs to, and send me a weekly summary of the changes to my QFF account... all without ever receiving or knowing the one-time 2FA SMS code.
* As far as I know, there is no read-only API from QF that AW is using to update my QFF account details. And that AW is using full-login rights to do what they do.

So what good are the QF 2FA SMS codes?

Happy (eager) to be corrected in my observations and conclusions...
 

33kft

AFF Supporter
Joined
Jun 19, 2018
Messages
395
> 4. I don’t have my mobile with me or have recently changed my mobile number. Can I still log in to my account?
> If you cannot access your mobile or the verification code for any reason, simply select ‘I need to verify another way’, as shown in the window below. You’ll then be taken through a series of security questions, allowing you to log in.
You gave those security question answers to awardwallet and it uses them to log in. You'll still get the SMS as that is sent automatically when someone tries to log into your QFF account.
 

timjohns

Member
Joined
Sep 16, 2013
Messages
107
OK... that now makes sense... thank you for finding that.

I do remember having to set up those questions in my QFF account, and then give AwardWallet those details. So that's how they are avoiding needing the SMS.
 
