QFF Points Theft

Status
Not open for further replies.
This happened to me once, a former partner who had access to my account details went in and transferred all my points after the relationship fell out.

Qantas were not really that helpful but I bypassed dealing with them by getting a court order (as a part of a larger complaint) to have the points reinstated by the individual concerned. Qantas was notified of the situation, but their involvement was limited.
 
In the Activity history it should say the surname first initial and ff # of who the points were transferred to.. did you check that?


My mother in law transferred me points earlier this year and in her activity list I can see my name and ff number and how many points were transferred.
indeed, it will be listed as:

FAMILY POINTS TRANSFERRED TO [QFF account number] [Surname]/[Initial]
 
When a pin is reset, an email is sent to the registered email address advising so.

This does not help if the email has fallen into disuse.

It is also noted on your activity statement as...PIN CHANGED and the date
 
It is also noted on your activity statement as...PIN CHANGED and the date
In some circumstances, they will tell you your PIN over the phone. My parents both have QFF accounts but have not used them for some time. They had a few thousand points each that were going to expire. So I suggested we sweep the points from Mrs NM's account to my mother's then to my father's and then to mine (neither of my parents had the minimum 5000 points in their accounts). But they did not know their PIN and probably never looked at their account on-line in the past. So they called QFF and the agent told them their PIN numbers over the phone. They just needed to confirm a few details like address. I don't know the exact confirmation questions they were asked. But I am sure I could have answered any identification questions on their behalf (e.g. full name, address, DoB etc).

I thought I could probably make the phone call to QFF for them, but it was better for them to call as it was their accounts. Once they knew the PINs for their accounts, sweeping the points through was a simple task.
 
Best of luck having the points returned, this would be a nightmare for QF to follow up.
 
I received an e-mail from QF FF this afternoon with my "new pin number", rang QF, spoke to a very helpful operator, told him I did not request a new pin etc. He replied someone had tried to access my acc at 2.53pm multiple times and failed, hence the new pin. He reset my old pin for me and suggested that I check my acc every few days, also may have been someone entering a similar membership number but by mistake put mine in and their pin would not open the account.
 

In some circumstances, they will tell you your PIN over the phone. My parents both have QFF accounts but have not used them for some time. They had a few thousand points each that were going to expire. So I suggested we sweep the points from Mrs NM's account to my mother's then to my father's and then to mine (neither of my parents had the minimum 5000 points in their accounts). But they did not know their PIN and probably never looked at their account on-line in the past. So they called QFF and the agent told them their PIN numbers over the phone. They just needed to confirm a few details like address. I don't know the exact confirmation questions they were asked. But I am sure I could have answered any identification questions on their behalf (e.g. full name, address, DoB etc).

I thought I could probably make the phone call to QFF for them, but it was better for them to call as it was their accounts. Once they knew the PINs for their accounts, sweeping the points through was a simple task.

That's absolutely appalling that they would give out a PIN over the phone. They don't know if you use that same PIN for other purposes, and have no right to give it out even if security questions are asked. They should only be able to reset it and nothing else.

In any case, Qantas system shouldn't even allow them to see the online PIN, and they should have a different phone password (like pretty much all banks do). Alternatively, the PIN should have to be entered into the phone when you key in your FF number rather than the call centre asking for it. They have some serious security and privacy issues there, which seems strange considering the nature of the business and the level of security required in other areas.


Sent from my iPhone using AustFreqFly app
 
That's absolutely appalling that they would give out a PIN over the phone. They don't know if you use that same PIN for other purposes, and have no right to give it out even if security questions are asked. They should only be able to reset it and nothing else.

In any case, Qantas system shouldn't even allow them to see the online PIN, and they should have a different phone password (like pretty much all banks do). Alternatively, the PIN should have to be entered into the phone when you key in your FF number rather than the call centre asking for it. They have some serious security and privacy issues there, which seems strange considering the nature of the business and the level of security required in other areas.
The PIN is a strange concept for an FF program. With my AAdvantage account, I have a password that is used for access to my on-line account, but no PIN or phone password for identification when I call. When calling AAdvantage, you speak your AAdvantage account number (which is not just numbers) and they use that to determine your status and hence call routing. Then you may be asked to verify things like mailing address and that is about it. So making an award booking using someone else's account would be easy if you know their name, AAdvantage number and postal address.

I am not sure if AAdvantage will allow you to change/reset your email address or password over the phone. Reset of password can be done on-line and they email you a link to verify and reset your password. Not sure what happens if the email address is no longer valid.
 
That's absolutely appalling that they would give out a PIN over the phone. They don't know if you use that same PIN for other purposes, and have no right to give it out even if security questions are asked. They should only be able to reset it and nothing else.

What legislation would prevent them providing the PIN to the account you hold with them? If you really value your personal information security then you shouldn't use the same pass/PIN for multiple accounts.
 
Not good news to hear docjames!

Luckily I check my account regularly and expect to see the balance increasing and if not then do a quick scan of the activity statement.

I reset the pin of a friend's account yesterday so I can put in a missing flights claim for him. I have his email address and password anyway and the email with the temporary pin arrived at that email address. So I suspect in your situation perhaps a staff member has helped themselves to the points.

Actually, Qantas security features are pretty woeful. A simple 4 digit PIN as a password isn't much security at all.
A 4 digit pin is not that simple if you do not know that 4 digit pin. How many invalid attempts before account is locked on Qantas website? Is it 3?

And with so many accounts these days I really do not like some of the different rules for passwords. 4 characters! 4 digits! 6 characters! 6 digits! At least 6 characters! At least 6 characters with at least one digit! At least 8 characters with at least 2 digits! At least 8 characters with at least one upper case character and one lower case character and 2 digits! Way too confusing and not easy for me to remember let alone a hacker....
 
How long before the account is unlocked? In theory with brute force code breaking it might not take that long.
Just wondering if there are people at the airport that go through the garbage looking to hack into accounts?
 
I'd be pretty concerned about the idea that employees (bar a very select few) would be able to do this (as is suggested) without an additional layer of checking.
 
How long before the account is unlocked? In theory with brute force code breaking it might not take that long.
Just wondering if there are people at the airport that go through the garbage looking to hack into accounts?

Pretty sure you need to call QF to have it unlocked. Not sure what checks they perform to unlock it
 
What legislation would prevent them providing the PIN to the account you hold with them? If you really value your personal information security then you shouldn't use the same pass/PIN for multiple accounts.

National Privacy Principle 4: Data security

"4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure."


Giving out a PIN could be proven to be a breach of this principle, particularly if sufficient identifying questions are not asked. I doubt the staff member asked more than a couple of identifying questions (DOB and address seem quite standard these days, which are not that hard to find out) and that would easily be challenged as being insufficient and therefore giving out the PIN would be unauthorised disclosure.

The only way Qantas could properly protect themselves from a potential breach of this principle would be not to give out a PIN, and instead reset the PIN. I'm actually going to have a guess that the Qantas policy actually would be to reset the PIN and not give it out, and that in this case the staff member has probably breached the policy.

As an example of my experience around areas like this when it comes to privacy principles, I've worked in a number of large ISPs over the last 10 years, and they will never give out a password if you forget it - they will always reset it (in fact, most of the time it is not even visible to staff). Quite frankly the PIN at Qantas should not be visible to staff either - when staff ask you for it for ID they should be forced to type it in and have it validated rather than be able to access and see it on any account. Qantas are leaving themselves wide open to fraudulent activity here.


Sent from my iPhone using AustFreqFly app
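
Added example, not part of any post in this thread and not Qantas's code: a sketch of the design the post above argues for, where the system keeps only a salted hash of the PIN, the agent types in what the caller says and gets back match or no match, and a forgotten PIN can only be reset. The class and field names, the three-attempt lockout and the PBKDF2 round count are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3          # assumption: the thread only guesses at the real limit
PBKDF2_ROUNDS = 100_000   # assumption: illustrative work factor


class PinStore:
    """Hypothetical account store that never keeps or displays the PIN itself."""

    def __init__(self):
        self._rec = {}  # member number -> salt, hash, failure count, lock flag

    def _hash(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def set_pin(self, member, pin):
        salt = secrets.token_bytes(16)
        self._rec[member] = {"salt": salt, "hash": self._hash(pin, salt),
                             "fails": 0, "locked": False}

    def verify(self, member, typed_pin):
        """Called by the agent screen or website: answers only True or False."""
        rec = self._rec.get(member)
        if rec is None or rec["locked"]:
            return False
        ok = hmac.compare_digest(rec["hash"], self._hash(typed_pin, rec["salt"]))
        rec["fails"] = 0 if ok else rec["fails"] + 1
        if rec["fails"] >= MAX_ATTEMPTS:
            rec["locked"] = True   # stays locked until reset() is called
        return ok

    def reset(self, member):
        """Forgotten PIN: issue a fresh random one; the old one is unrecoverable.
        The caller is expected to send it to the member's registered contact."""
        new_pin = f"{secrets.randbelow(10_000):04d}"
        self.set_pin(member, new_pin)
        return new_pin

    def agent_view(self, member):
        """Everything a call-centre screen can show: no PIN and no hash."""
        rec = self._rec[member]
        return {"member": member, "locked": rec["locked"],
                "failed_attempts": rec["fails"]}
```

With only 10,000 possible PINs the hash would not resist offline guessing if the stored records were stolen; what it does is keep the PIN off staff screens, while the lockout is what limits online guessing.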
 
As far as I am aware Qantas staff do not have access to our pin. I have called on a number of occasions for seat allocations etc and have been asked for my pin.

Surely this could not be for verification purposes but possibly required to make changes.
 
As far as I am aware Qantas staff do not have access to our pin. I have called on a number of occasions for seat allocations etc and have been asked for my pin.

Surely this could not be for verification purposes but possibly required to make changes.

According to NM's post above, the PIN was given out when a customer requested it. I have a big issue with this, and it obviously means that staff can see it. I think the PIN is asked for as ID to allow them to make changes, as in my experience they don't ever ask any other questions.


Sent from my iPad using Aust Freq Fly app
 
As far as I am aware Qantas staff do not have access to our pin. I have called on a number of occasions for seat allocations etc and have been asked for my pin.

Surely this could not be for verification purposes but possibly required to make changes.

The PIN may well be on screen and they just check your answer against what is on screen.

I still think that, for what is basically single factor authentication, a 4 digit PIN is pretty poor.
 
The PIN may well be on screen and they just check your answer against what is on screen.

I still think that, for what is basically single factor authentication, a 4 digit PIN is pretty poor.

I think you're right about it being on the screen, and also right about it being poor. I also don't think it should be given out when someone forgets it, and should be reset only with an appropriate number of ID questions (once before with a bank I had to answer 6 questions before they would reset a password - several of those would have been virtually impossible for someone to either predict or know the answer to).


Sent from my iPhone using AustFreqFly app
 
Strange.

When you change the email associated with your FF account, an automatic email is generated to the original email address advising the change.

When the PIN is changed, an automatic email is also generated.

When you do a family transfer, an automatic email is also generated advising of the amount and to whom they are being transferred.

Supposing the culprit did at least two of the above, then two emails would have been generated, including advice that if they did not action this, they should call QF.

Obviously if your parents are older, and don't use email often, they may not notice immediately, however they should have noticed eventually. What is plausible is if the person had access to the email account and was able to delete the notification emails immediately after performing the transfer.
 