QFF Points Theft

Why just hack the QFF account? They've probably got access to the e-mail account too!
 
I think you're right about it being on the screen, and also right about it being poor. I also don't think it should be given out when someone forgets it, and should be reset only with an appropriate number of ID questions (once before with a bank I had to answer 6 questions before they would reset a password - several of those would have been virtually impossible for someone to either predict or know the answer to).


Sent from my iPhone using AustFreqFly app
I won't go into depth about security of passwords and best practices for storage, etc. However, if they are storing PINs in raw form in their database so that their customer service people can see them then that is horrible.

I would hope that they ask you for your PIN and then they have to put in the PIN on their system, which is then authenticated (rather than having the PIN shown to them and them verbally confirming). Having said that, if people are already being supplied their PINs when they have forgotten them then unfortunately it sounds like this is not the case.

In defence of QF though (and before we jump on the "beat QF" train), they may have some form of two-way encryption and decryption, which means data is still secure-ish, but still this is not really best practice...
Better to not let anyone know anyone's PIN except the account user themselves, and it makes it harder for hackers too.
 
> I won't go into depth about security of passwords and best practices for storage, etc. However, if they are storing PINs in raw form in their database so that their customer service people can see them then that is horrible.

I have some doubts that the customer service people go into the database to have a look. My conjecture is that it shows on screen. This is not too uncommon. What seems a bit more uncommon is using that piece of data as your password.

I have telephone accounts with PINs that operators can see. However, that PIN is not used when I log into my account on the internet. So, I think, Qantas are using the PIN in a way that it should not be used.
 

Isn't the PIN a legacy from pre-www days? Back then, you'd call up, tell them your FF number and PIN and then discuss your business.

They then transferred the same authentication to the website whenever they started that.

It's probably time for an update.
 
> I have some doubts that the customer service people go into the database to have a look. My conjecture is that it shows on screen. This is not too uncommon. What seems a bit more uncommon is using that piece of data as your password.
>
> I have telephone accounts with PINs that operators can see. However, that PIN is not used when I log into my account on the internet. So, I think, Qantas are using the PIN in a way that it should not be used.
Oh I don't think they go in directly to the DB - it would be retrieved through a script of some sort is my guess and then show on their screen...

But yes, I think we all agree that a PIN isn't ideal. They should just implement a second password (or make a new first password and use the PIN as the second password...) which is also a pretty common way of adding another layer of security (ANZ E-Trade and many online games use this method).

[edit]
Clarifying the second password - the second password would only be needed when making an actual transaction or change to the account whereas the first password would just be to login to see your account.
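The two ideas in this thread so far, a PIN that is only ever verified (never displayed to an agent) and a separate second password that is required only for transactions, can be sketched together. The following is an added illustration, not code from the forum or from Qantas; the account class, member numbers, lockout threshold and iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: PBKDF2-SHA256 with a fixed iteration count; tune for your hardware.
PBKDF2_ITERATIONS = 100_000


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive (salt, digest) for a PIN or password. Only these two values are
    stored, so nobody (including a call-centre console) can read the secret back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate secret against the stored digest."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


class LoyaltyAccount:
    """Hypothetical member record with two tiers of authentication:
    a 4-digit PIN to read the account and a separate transaction password
    that is needed for anything that moves points."""

    MAX_FAILURES = 5  # assumption: lock the PIN after five wrong guesses

    def __init__(self, member_number: str, pin: str, txn_password: str, points: int):
        self.member_number = member_number
        self._pin_salt, self._pin_hash = hash_secret(pin)
        self._txn_salt, self._txn_hash = hash_secret(txn_password)
        self.points = points
        self.failed_attempts = 0
        self.locked = False

    def check_pin(self, pin: str) -> bool:
        """Used by both the website login and the phone agent's console: the agent
        types in what the caller says and gets only True/False back."""
        if self.locked:
            return False
        if verify_secret(pin, self._pin_salt, self._pin_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.MAX_FAILURES:
            self.locked = True
        return False

    def reset_pin(self, new_pin: str) -> None:
        """A forgotten PIN is replaced, never read out: the old digest is discarded."""
        self._pin_salt, self._pin_hash = hash_secret(new_pin)
        self.failed_attempts = 0
        self.locked = False

    def transfer_points(self, pin: str, txn_password: str,
                        amount: int, recipient: "LoyaltyAccount") -> int:
        """Step-up authentication: the PIN alone lets you view the balance,
        moving points additionally requires the transaction password."""
        if not self.check_pin(pin):
            raise PermissionError("login failed")
        if not verify_secret(txn_password, self._txn_salt, self._txn_hash):
            raise PermissionError("transaction password rejected")
        if amount < 0 or amount > self.points:
            raise ValueError("invalid amount")
        self.points -= amount
        recipient.points += amount
        return self.points


if __name__ == "__main__":
    # Constructed sample accounts, not real member data.
    alice = LoyaltyAccount("0000001", "1234", "correct horse battery", 5000)
    bob = LoyaltyAccount("0000002", "9876", "another phrase", 0)
    print("agent sees only:", alice.check_pin("1234"))
    print("remaining after transfer:", alice.transfer_points("1234", "correct horse battery", 2000, bob))
```

The point of `check_pin` is that the console only ever receives a boolean, so there is nothing for an agent to read out over the phone; a caller who has forgotten the PIN goes through `reset_pin` after whatever identity checks the operator requires, and the previous value is unrecoverable.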
 

As far as I am aware Qantas staff do not have access to our PIN.
They certainly do. See my previous explanation regarding my parents' accounts. My mother was provided, over the phone, with both her and Dad's PINs for their accounts. They didn't even know there was a PIN and certainly did not know what it was. Both accounts had similar but different PINs and neither was meaningful to them, so it seems they may have been the original default PIN that had never been used or reset. But the fact remains that the PINs were provided over the phone and then with those PINs and their FF account numbers I was able to perform the family transfers (with their consent obviously).
 
Speaking of lax security - I've always been bothered by the QF lounge in HKG - First class. They scan your boarding pass and your information, in about size 128 font, appears on the screen including your name and FF status. This might be OK if the lounge is busy and details change, but I have been there several times when it is quiet and that information is simply left on screen for all to see as they exit the lounge (you can't help but see the details as you walk past).
 
I have had the same 4 digit access code since I joined QFF in 1998 (never accumulated millions of points). I will be changing it now...but does that mean they've had the same security/access system (or lack thereof?) since at least then?
 
SPG have a good system where you can choose a different phone password to give to agents, separate to your online password.
 
> They certainly do. See my previous explanation regarding my parents' accounts. My mother was provided, over the phone, with both her and Dad's PINs for their accounts. They didn't even know there was a PIN and certainly did not know what it was. Both accounts had similar but different PINs and neither was meaningful to them, so it seems they may have been the original default PIN that had never been used or reset. But the fact remains that the PINs were provided over the phone and then with those PINs and their FF account numbers I was able to perform the family transfers (with their consent obviously).

I'm not so sure. I think when they issue a new PIN they read it out, but I'm not so sure they can see existing ones. So while your parents may have been provided with PINs, they may have been brand new ones issued there and then.

Not that it is any better of course.
 
> I'm not so sure. I think when they issue a new PIN they read it out, but I'm not so sure they can see existing ones. So while your parents may have been provided with PINs, they may have been brand new ones issued there and then.
My mother was specifically told they already had a PIN so no need to add one to their account, and was told the existing PIN. She was surprised there was already a PIN since they had never accessed the account on-line and the PIN provided was meaningless to them as far as the number goes.

In their case there were only 2000 points in each account from a return domestic trip a while back, so little at stake. But the process does reveal some flaws in protecting information and privacy. While it was my mother who made the phone call to get their PINs (my father's hearing is failing and it's very hard for him to use the phone now), I am fairly certain I could have made the same phone call on their behalf, claiming to be my father.
 
> Speaking of lax security - I've always been bothered by the QF lounge in HKG - First class. They scan your boarding pass and your information, in about size 128 font, appears on the screen including your name and FF status. This might be OK if the lounge is busy and details change, but I have been there several times when it is quiet and that information is simply left on screen for all to see as they exit the lounge (you can't help but see the details as you walk past).

Yes, I've noticed that too and had the same thought.
 
Phone call from Qantas today (Security area in Head Office).

Told to file a police report, and "it must be your computer" which has been hacked. Which is baloney as it has up-to-date antivirus, and no other account of any form has been hacked. And the gall to follow with "As a gesture of goodwill we'll refund the points" provided they "send them a copy of the police report".


I can't say my relatives are overly happy with how this has been handled. I guess they will now wait and see what happens post police report.
 
> Phone call from Qantas today (Security area in Head Office).
>
> Told to file a police report, and "it must be your computer" which has been hacked. Which is baloney as it has up-to-date antivirus, and no other account of any form has been hacked. And the gall to follow with "As a gesture of goodwill we'll refund the points" provided they "send them a copy of the police report".
>
> I can't say my relatives are overly happy with how this has been handled. I guess they will now wait and see what happens post police report.
Surely they can tell you who took them? That's a load of bull if they can't.
 
> Surely they can tell you who took them? That's a load of bull if they can't.


The relative's partner (who is higher ranking with QFF) is calling back "to seek clarification" (let's put it that way.....).

We can see who took them (Surname, Initial, FF number listed on activity statement!).
 
> Surely they can tell you who took them? That's a load of bull if they can't.

That information is on the activity statement. It isn't as easy to divulge information or to provide names.

I am aware of organisations that will not provide names in situations like this but then suggest to report it to the police.

Just because AV software is up to date doesn't mean it is a load of BS.

Yes it is frustrating, but your relatives will be getting their points back won't they?
 
I assume so once the police report is finalised.

Speaking to my relatives, it has been a very frustrating process dealing with QF. Or more specifically, it has been more the attitude towards some very top end FFers that they would waste their time trying to deceive Qantas out of 100,000pts. They have better things to do with their time (like travel!), but are certainly not going to sit by and watch their points be stolen.

Re: Antivirus - I'm no IT guru; there's plenty of posts here about hacking, but all I can say is no other accounts of any kind have been hacked and the software is up to date - what else should they do?


Oh, and after further discussion with QF - and I don't want to be too specific for obvious reasons - other (non-standard) steps have been taken to secure the account for the future. And let's hope the police track the thief down and they go to court and/or get fined (or jailed if it's a serial offence).

I'll try and drag this thread out in the future if there's any more updates (or indeed if anyone else has similar issues feel free to start it up again).


Thanks, everyone, for your input.
 
Given the PIN reset, fairly poor form for Qantas to claim a hack.
Whilst it may be a hack, suspect it was a "Social Engineering" hack and QF was the one hacked!
 
Sorry I mean who as well as when, how, etc. - QF should have logs of all that.

Anyway it is disappointing that they didn't help out a little more (or be more polite at least) with the claim though especially considering they are pretty frequent customers by the sounds of it.

FYI from what you have said it sounds like it is unlikely they would have a compromised computer. It begs the question though - how did they get in?! I really want to know now :p
 