How a hacker stole 400,000 points from my account – what you can do to prevent it happening to you

Ever since my iTunes account was hacked a few years ago, I have worried that one day someone would gain unauthorised access to my frequent flyer account and wipe it clean.

Unfortunately, that day came last week, when my Qantas Frequent Flyer account was hacked.

When my iTunes account was hacked, the hackers changed my email address, password and secret questions and answers. I was never able to regain access to that account, and lost thousands of dollars' worth of digital content as a result. The same could have happened to my points.

My horror story

I logged into my Qantas account through their app, to discover that my points balance was less than it should have been. I mean way less.

Thinking (and hoping) that it might simply be a glitch in the app, I logged in through the browser on my iPad. Lo and behold, there was no mistake: my Qantas points balance was 400,000 points less than it should have been.

Looking at my recent activity, I could see that four family transfers of 100,000 points each had been made to four separate accounts belonging to members completely unknown to me.

Luckily for me, no other changes had been made to my account, unlike in my previous iTunes hacking. Considering there are reported cases of members having their upcoming flights cancelled (and I currently have a First Class reward trip booked to Europe next year, for which there is no availability any more), I consider myself especially lucky.

I remembered that in the months leading up to the hack, the first time I logged into my account each day I would get a message saying “You have made several unsuccessful attempts to login. The login function has been disabled for 1 hour”.

My mistake was to assume that this was a Qantas IT glitch that was happening to everyone. In my defence, it began to happen so often that I eventually reported it to Qantas IT via the email feedback form, just short of a month before the hack.

While an automated reply did say that I would receive a response, I never did, and to be honest I had forgotten I had sent it.

The lesson I learned here is to always speak to a customer service agent, who would likely have put me through to the correct area, the fraud team.

What can you do to better secure your account?

I learned a number of things from this experience, but mostly that the same practices that make up good online security for any account apply to your frequent flyer account too.

  1. Check your balance and account activity frequently so you can quickly spot any problems.
  2. Consider using a points tracking app or website to notify you of unexpected changes.
  3. The minute you identify suspicious activity on your account, notify the airline by contacting their customer service centre. Do not assume it’s simply a website glitch that is affecting everyone: a lockout message for failed login attempts you did not make means someone else is guessing your credentials.
  4. Ensure you have a strong and unique password for frequent flyer programs that use username and password logins; most programs we use in Australia do, except Qantas, which uses a PIN.
  5. Use a password manager to remember that unique and strong password.
  6. Change your password or Qantas PIN as regularly as you can handle the inconvenience of doing so.

One downside to changing your Qantas PIN: if you have any requested but unconfirmed Qantas Points upgrades in the system, you’ll need to call after each PIN change and have them update the PIN in the upgrade request too, or the request won’t go through down the track.
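As an added example of what a tracking app from point 2 can actually check, and of what "suspicious activity" in point 3 looks like in data, here is a small review routine run over a constructed activity log. It is not code from the original post or from any airline's or tracking app's software; the activity records, member numbers and the 50,000-point daily limit are invented for the illustration, and the pattern of four 100,000-point transfers in one day mirrors the one described above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Activity:
    day: date
    kind: str                      # e.g. "Family transfer", "Points earned"
    points: int                    # negative for points leaving the account
    counterparty: Optional[str]    # member number on a transfer, else None


# Constructed sample activity for this example, not real account data. It
# mirrors the pattern in the post: four 100,000-point family transfers in one
# day to members the owner has never heard of.
SAMPLE_ACTIVITY = [
    Activity(date(2016, 5, 1), "Points earned", 3_450, None),
    Activity(date(2016, 5, 2), "Family transfer", -100_000, "1234567"),
    Activity(date(2016, 5, 2), "Family transfer", -100_000, "2345678"),
    Activity(date(2016, 5, 2), "Family transfer", -100_000, "3456789"),
    Activity(date(2016, 5, 2), "Family transfer", -100_000, "4567890"),
    Activity(date(2016, 5, 3), "Family transfer", -20_000, "7654321"),
    Activity(date(2016, 5, 4), "Flight", -8_000, None),
]

# Assumption for the example: the member numbers the owner has knowingly
# set up as family transfer recipients.
KNOWN_FAMILY: Set[str] = {"7654321"}


def review_activity(activity: Iterable[Activity], known_members: Set[str],
                    daily_outflow_limit: int = 50_000) -> List[str]:
    """Return one alert line per suspicious event: any transfer to a member
    number not in known_members, and any day whose total debits exceed
    daily_outflow_limit (a blunt but effective catch for bulk draining)."""
    alerts: List[str] = []
    outflow = defaultdict(int)
    for a in activity:
        if a.counterparty is not None and a.counterparty not in known_members:
            alerts.append(f"{a.day}: {-a.points} points transferred to unknown member {a.counterparty}")
        if a.points < 0:
            outflow[a.day] += -a.points
    for day, total in sorted(outflow.items()):
        if total > daily_outflow_limit:
            alerts.append(f"{day}: {total} points debited in one day (limit {daily_outflow_limit})")
    return alerts


if __name__ == "__main__":
    for line in review_activity(SAMPLE_ACTIVITY, KNOWN_FAMILY):
        print(line)
```

On the constructed data this produces four "unknown member" alerts plus one daily-limit alert for 2 May; the limit alert would still fire even if the attacker had transferred points to members you do know, which is why the two checks are kept separate.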

What can frequent flyer programs do better?

Airlines need to play their part as well. In 2016, it’s inconceivable that 2-step verification is not available to members to protect their accounts. Amazon? Yes. Apple? Yes. Your bank? Usually. Frequent flyer programs? Why not?

2-step verification is a security process in which the user provides two means of identification from separate categories of credentials: usually one memorised, such as a password or PIN, and one possessed, such as a mobile phone or key fob token.

Without 2-step verification, if a hacker gets hold of your frequent flyer number and surname, which is easy to do (think of a boarding pass left in the seat-back pocket), and your password or PIN, it’s game over.

Frequently changing your password, or adding characters to your PIN or password, is akin to strengthening the chain on a door. It might slow the thief a bit, but does very little to prevent the burglary. What actually limits a guessing attack is the lockout after repeated failed attempts, and even that does nothing if the PIN or password was obtained some other way.

I concede that 2-step verification is not 100% foolproof either (a code sent by SMS can be intercepted or redirected via a SIM swap, and a code phished in real time can be used within its validity window), but it does put up some serious barriers to deter a hacker.

So what is the process to recover your lost points?

Whether you are a top-tier status or Qantas Club member, or an entry-level Bronze member, determines whether the process to restore your stolen points is somewhat pain-free or a prolonged, frustrating experience.

Coincidentally, the day I discovered the hack was the last day of my paid Qantas Club membership, which meant that my initial call to the Frequent Flyer Centre was answered within a minute, as Qantas Club membership grants priority assistance.

My follow-up call a few days later, after I had been relegated to a Bronze frequent flyer, involved a much longer 45-minute wait.

The Frequent Flyer Centre consultant was fully up to speed with the process, advising me that I would need to fill in a Statutory Declaration stating:

  • The date my account was hacked
  • How many points were transferred
  • That the member accounts that received the transfers were unknown to me
  • That I did not authorise the transfers
  • A request to have my points restored

I’d then have to email that back to the Frequent Flyer Centre, where it would be forwarded to the fraud team and an investigation would begin.

Three days later, I received an email advising me that my points had been restored.

Summing Up

The cyber security measures currently implemented by airlines leave members with the very real likelihood of having their frequent flyer account hacked at some point.

It is reassuring to know that airlines do restore points in these events. However, they are disruptive and eat up your time: filling in a Statutory Declaration, finding a JP to sign it, emailing the form back and changing your passwords and PINs (and not just for the hacked account).

If the hacking were severe, it would also mean trying to restore cancelled flights and trying to prove that you are the legitimate owner of the hacked account.

While airlines state that frequent flyer points have ‘no monetary value’, they are a legitimate medium of exchange; they can be redeemed for gift cards, for example.

As such, it’s my opinion that the same level of protection we have come to expect from banks and financial intermediaries should be provided by frequent flyer programs.

Last modified: April 23rd, 2017 by Daniel Sciberras