QFF account hacked

[SeatBackForward]

Also a reminder if you do change your pin, you may need to contact QF for any existing upgrade requests.

 

[Boca68]

My QFF account was hacked into last night and the slime bags used 42300 points of mine to purchase a $250 woollies voucher.

Fortunately after a stat dec and other processes I'll be reimbursed my points, thanks Qantas.

It's amazing how much personal information is on my profile. Address and phone numbers aside, there are also saved credit card detail also. Not the whole card but the last 4 digits and expiry plus my full name and the type of card.

My password had also been changed as well.

Mane Qantas could sent an email for confirmation for a password change ??

A timely reminder to change passwords frequently.

I believe the option is there not to save this information. If it's on your file, ask for it to be removed. I'd suggest any other QFFers to do the same. And change your password as the OP suggested.

I have never ticked the box when making a booking to save the information for future use. Not only with Qantas, but any other online portals. I'd rather re-enter the CC info everytime, than save 10 seconds.

 

[flyingfan]

The worst crime committed here was the serious misuse of points. Seriously, 42300 points for a $250 Woolies eCard! What on earth are they thinking? ðŸ

At least you know it probably wasn't an AFF member then.

 

[exceladdict]

Getting hacked can also come down to how you authenticate when you call up.
Pretty sure they ask for your pin. If you in a public place anyone could listen to you. I remember calling a few times on the train heading to the airport.
But not sure what other way to authenticate that wouldn't require personal information to be given

Banks do it - you type in your password via keypad before the call centre operator answers the phone. This way the operator doesn't see your password either, it's system authenticated.

Although then the banks normally ask extra 'security questions' if you try to make changes to the account.

While I rarely call the call centre for QFF I do get irky reading my pin number out aloud when every security document everywhere says "We will never ask you for it" for other businesses.

 

[Mr_Orange]

I believe the option is there not to save this information. If it's on your file, ask for it to be removed. I'd suggest any other QFFers to do the same. And change your password as the OP suggested.

I have never ticked the box when making a booking to save the information for future use. Not only with Qantas, but any other online portals. I'd rather re-enter the CC info everytime, than save 10 seconds.

I'm the same. I used to save card details with all sorts of online retailers, but not anymore.

 

[Mr_Orange]

Getting hacked can also come down to how you authenticate when you call up.
Pretty sure they ask for your pin.

They do, and QF must be the only organisation that asks for your password over the phone. No other organisation that I deal with does this. They should have a more secure password to log in and maybe keep the PIN for authenticating upgrade requests and other redemptions.

 

[JohnK]

What I fail to understand is the gift card is delivered somewhere? Fictitious address? PO Box? Surely they are able to track where it's going and prosecute? Am I missing something?

I'm the same. I used to save card details with all sorts of online retailers, but not anymore.

What worries me us that some websites (IHG comes to mind, HotelClub is another) store credit card details without asking and no option to remove.

 

[offshore171]

For the OP, do you have any suspicions about how they got your details?


Eg:


Phishing email
Recent usage of a public internet terminal (eg in a lounge etc)
Using a suspect public wifi connection
Putting your login details into a third party app


Etc




If it wasn't any of these, it may have simply been a brute force attack - testing all 10,000 possibilities for a 4 digit pin.


Does the qantas site lock your account after a certain number of unsuccessful logins? If not, it seems that it should.

 

[TonyHancock]

What worries me us that some websites (IHG comes to mind, HotelClub is another) store credit card details without asking and no option to remove.

With IHG is it not a case of selecting "My TravelProfiles", then "Billing Preferences" and finally "Delete Credit Card Information"?

Serious question because I see it as an option but wonder if you only have one card there it won't let you delete it...and I can't be bothered trying to find out and potentially having to re-enter my card again.

 

[andye]

What I fail to understand is the gift card is delivered somewhere? Fictitious address? PO Box? Surely they are able to track where it's going and prosecute? Am I missing something?

Plenty of egift card options on the qantas site. Could send to a one use email address

 

[JohnK]

With IHG is it not a case of selecting "My TravelProfiles", then "Billing Preferences" and finally "Delete Credit Card Information"?

Serious question because I see it as an option but wonder if you only have one card there it won't let you delete it...and I can't be bothered trying to find out and potentially having to re-enter my card again.

I didn't realise there was option to delete credit card information. Would you then have to do the same thing after each booking?

 

[AustraliaPoochie]

One of those pod codes pin things that HSBC used to or still use could be implemented if QF wanted, no?

 

[opusman]

One of those pod codes pin things that HSBC used to or still use could be implemented if QF wanted, no?

Overkill, just a user-configurable password of 8-14 characters would be fine. A billion times (literally) more secure than a 4 digit PIN.

But considering you still can't even pick your own QCC PIN I suspect security "enhancements" like this are unlikely to happen.

 

[Hvr]

<snip>

But considering you still can't even pick your own QCC PIN I suspect security "enhancements" like this are unlikely to happen.

Actually on my log in page there is an option to change my PIN.

 

[ozbeachbabe]

Overkill, just a user-configurable password of 8-14 characters would be fine. A billion times (literally) more secure than a 4 digit PIN.

But considering you still can't even pick your own QCC PIN I suspect security "enhancements" like this are unlikely to happen.

Actually on my log in page there is an option to change my PIN.

I believe Opusman was saying you can't choose a pin for Qantas Cash (QCC) however you definitely can change the QF freq flyer pin.

 

[Hvr]

I believe Opusman was saying you can't choose a pin for Qantas Cash (QCC) however you definitely can change the QF freq flyer pin.

Sorry misread QCC as QFF.

 

[opusman]

Sorry misread QCC as QFF.

My fault, I seem to be picking up bad habits from AP

 

[RichardMEL]

I never save CC info to booking sites, qf.com etc for this very reason. I can type it in myself when I need to (yeah it can be a pita, but rather that than having details stolen somehow).

agree QFF profiles are a goldmine for identity thieves etc but so are utilities (power/water/phone) and the like.

Agree QF's pin is a joke. need to make it way more secure.

 

[teamhamsandwich]

Just out of interest I typed in #boardingpass into instagram. Only 59,622 pictures of peoples boarding passes came up. Thousands with all details visible. People are idiots!

 

[RichardMEL]

Reminds me of the case of that young lady with a winning Melbourne Cup ticket who put her winning ticket up on facebook, and some "friend" managed to scan the picture of the barcode in and take her winnings!!!

I mean stupid to do that, but geez.... and it was a real life "friend" she knew apparently. fair dinkum!