A Point Hacks reader recently reached out to us to tell of his experience of having his Qantas Frequent Flyer account hacked.
I, therefore, thought that this is an opportune time to provide a refresher on the steps you can take to keep your frequent flyer account as secure as possible. In addition to our reader’s story below, I also reshare my personal story of having my Qantas Frequent Flyer account hacked in 2016.
Note that since that time, extra security initiatives such as 2 Factor Authentication (2FA) have been introduced by Qantas to help better secure your account, so some of the recommendations in my original article are now obsolete.
Our reader’s recent hacking story
While asleep in bed at home, at 3.27 am on a Sunday morning last month, he received an SMS on his mobile stating the following:
“Thank you for your order on the Qantas Rewards Store. For Enquiries please contact us on 1300 662 859.
Your reference number ; ( 2 x 6 digit numbers Supplied )”
As he had not made any transactions recently, he immediately logged into his Frequent Flyer account and saw that 2 separate fraudulent transactions had been made to purchase 2 x ‘Green Card – Digital Prepaid Mastercard’.
These were not his transactions. Over 160,000 points had been used from his Qantas Frequent Flyer account. As the incident fell on a weekend, our reader unfortunately had to wait until the Qantas Frequent Flyer contact centre next opened at 8 am the following Monday.
Qantas Fraud Department got in contact with him and immediately started an investigation. They did advise him that they had experienced a high number of calls regarding fraudulent activity in recent times.
The good news is that our reader has since managed to get all his points back, but had to go through the usual hoops, such as filling in a Statutory Declaration.
Lessons to be learned
There are a number of lessons that we can learn to ensure the maximum security of our accounts:
- Make sure to activate 2FA, as this provides another barrier for any potential would-be hacker to overcome, and is one that requires the physical mobile to be present in order to continue through the login process.
- Make sure that your contact details, such as your email and mobile number, are up to date so that you are alerted to any activity in your account when it occurs.
- Frequently change your PIN and password
- Make sure to regularly check your account and look for any unauthorised transactions
Cyber hacking is becoming part and parcel of everyday life, and it is comforting to know that Qantas has a process in place to deal with these situations in a timely way when they occur. However, it doesn’t hurt to ensure that you are doing your bit to minimise the chances of falling victim to an unscrupulous hacker.
The original article is shown below.
How a hacker stole 400,000 points from my account – what you can do to prevent it happening to you
For the past few years, ever since I experienced an iTunes account hack, I have always been worried that one day someone will gain unauthorised access to my frequent flyer account and wipe me clean.
Unfortunately for me, that day came last week, when my Qantas Frequent Flyer account was hacked.
When my iTunes account was hacked, the hackers changed my email address, password and my secret questions and answers. I was never able to gain access to that account again and lost thousands of dollars worth of digital content as a result. The same could have been the case with my points too.
My horror story
I logged into my Qantas account through their app, to discover my points balance was less than it should have been. I mean way less.
Thinking (and hoping) that it might simply be a glitch in the app, I logged in through my iPad browser. Lo and behold, there was no mistake. My Qantas points balance was 400,000 points less than it should have been.
Looking at my recent activity, I could see that 4 family transfers in 4 lots of 100,000 points were made to 4 separate accounts of members completely unknown to me.
Luckily for me, there were no other changes made to my account, unlike my previous iTunes hacking. Considering there are reported cases of members having their upcoming flights cancelled (and I currently have a First class reward trip booked to Europe for next year, which has no availability now), I consider myself especially lucky.
I remembered that in the months leading up to the hacking, the first time I logged into my account each day I would get a message saying “You have made several unsuccessful attempts to login. The login function has been disabled for 1 hour”.
My mistake was to assume that this was a Qantas IT glitch that was happening to everyone. In my defence, it began to happen so often that I eventually reported it to Qantas IT via the email feedback form just short of a month before the hacking.
While an automated reply did say that I would receive a response, I never did – and to be honest I had forgotten I had sent it.
The lesson I learned here was to always speak to a customer service agent, who would likely have put me through to the correct area, being the fraud team.
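The repeated lockout messages above were the warning sign that went unrecognised. As an added example (not code from Point Hacks or Qantas), here is a small Python script written from the defender's seat: it reads constructed login-attempt log lines and flags the pattern described, repeated lockouts on one member number followed by a successful login from an address never seen on that account. It also reports what share of a 4-digit PIN space the failed guesses have covered. The log format, member numbers and IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real Qantas data): one login attempt per line.
SAMPLE_LOG = """\
2016-05-02T06:10:01Z ffn=1234567 ip=203.0.113.5 result=fail
2016-05-02T06:10:04Z ffn=1234567 ip=203.0.113.5 result=fail
2016-05-02T06:10:07Z ffn=1234567 ip=203.0.113.5 result=lockout
2016-05-02T07:15:02Z ffn=1234567 ip=198.51.100.9 result=fail
2016-05-02T07:15:05Z ffn=1234567 ip=198.51.100.9 result=lockout
2016-05-02T08:20:11Z ffn=1234567 ip=203.0.113.77 result=fail
2016-05-02T08:20:14Z ffn=1234567 ip=203.0.113.77 result=lockout
2016-05-02T08:31:00Z ffn=1234567 ip=192.0.2.44 result=success
2016-05-02T09:00:00Z ffn=7654321 ip=192.0.2.10 result=success
2016-05-02T09:05:00Z ffn=7654321 ip=192.0.2.10 result=fail
"""

LINE = re.compile(r"^(\S+) ffn=(\d+) ip=(\S+) result=(fail|lockout|success)$")

def parse_log(text):
    """Parse log lines into (time, ffn, ip, result) tuples; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((t, m.group(2), m.group(3), m.group(4)))
    return events

def lockout_report(events, pin_space=10_000):
    """Per member: failed guesses, lockouts, addresses seen, share of a 4-digit PIN
    space covered, plus flags for repeated lockouts and a success from a new address."""
    per = defaultdict(lambda: {"fails": 0, "lockouts": 0, "ips": set(), "flags": []})
    for _, ffn, ip, result in sorted(events):
        acct = per[ffn]
        if result == "fail":
            acct["fails"] += 1
        elif result == "lockout":          # the attempt that tripped the 1-hour lock
            acct["lockouts"] += 1
        elif acct["lockouts"] and ip not in acct["ips"]:   # success from a new address
            acct["flags"].append(f"success from new ip {ip} after {acct['lockouts']} lockouts")
        acct["ips"].add(ip)
    for acct in per.values():
        guesses = acct["fails"] + acct["lockouts"]   # every lockout line was also a wrong guess
        acct["fraction_tried"] = guesses / pin_space
        if acct["lockouts"] >= 2:
            acct["flags"].append(f"{acct['lockouts']} lockouts from {len(acct['ips'])} addresses")
    return dict(per)
```

On the sample log, member 1234567 is flagged twice while member 7654321, whose single failure never tripped a lockout, is not.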
What can you do to better secure your account?
I learned a number of things from this experience, but mostly the same tactics for good online security on any account should apply to your frequent flyer account too.
- Check your balances and account frequently so you can quickly spot any problems.
- Consider using a points tracking app or website to help notify you of unexpected changes
- The minute you identify suspicious activity on your account, immediately notify the airline by contacting their customer service centre. Do not assume it’s simply a website glitch that is affecting everyone.
- Ensure you have a strong and unique password for frequent flyer programs that use username and password logins – most programs we use in Australia do, except Qantas.
- Use a password manager to remember that unique and strong password
- Change your password or Qantas PIN on as regular a basis as possible – as often as you can handle the inconvenience of doing so
One downside to changing your Qantas PIN – if you have any requested, but unconfirmed Qantas Point upgrades in the system you’ll need to call after each PIN change and get them to also update the PIN in the upgrade request, or the request won’t go through down the track.
What can frequent flyer programs do better?
Airlines need to play their part as well. In 2016, it’s inconceivable that 2-step verification is not available for members to protect their account. Amazon? Yes. Apple? Yes. Your bank? Usually. Frequent flyer programs – why not?
2-step verification is a security process in which the user provides two means of identification from separate categories of credentials, usually one memorised, such as a password or PIN, and one physical, such as a mobile phone or key fob token.
Without 2-step verification, if a hacker is able to get hold of your frequent flyer number and surname, which is easy to do (think boarding pass left in the back seat pocket) and your password or PIN, it’s game over.
Frequent changes of your password, or extending the number of characters in your PIN or password, is akin to strengthening the lock chain on a door. It might slow the thief a bit, but does very little to prevent the burglary.
I concede that 2-step verification is not 100% fool-proof either, but does put up some serious barriers to hopefully deter a hacker.
So what is the process to recover your lost points?
Whether you are a top-tier status or Qantas Club member, or an entry-level Bronze member, determines whether the process to restore your stolen points is somewhat pain-free or a prolonged, frustrating experience.
Coincidentally, the day I discovered the hacking was the last day of my paid Qantas Club membership, which meant that my initial call to the Frequent Flyer Centre was answered within a minute due to my Qantas Club membership granting me priority assistance.
My follow-up call a few days later, after I had been relegated to a Bronze frequent flyer, involved a much longer 45-minute wait.
The Frequent Flyer Centre consultant was fully up to speed with the process, advising me that I would need to fill in a Statutory Declaration, stating:
- The date my account was hacked
- How many points were transferred
- That the member accounts that received the transfer were unknown to me
- That I did not authorise the transfer
- A request to have my points restored
I’d then have to email that back to the Frequent Flyer Centre, where it would be forwarded to the Fraud team and an investigation would begin.
Three days later, I received an email advising me that my points had been restored.
Summing Up
Current cybersecurity measures implemented by airlines leave members with the very real likelihood of having their frequent flyer account hacked at some point.
It is reassuring to know that airlines do restore points in these events, however, these events are disruptive and eat up your time by having to fill in a Statutory Declaration, finding a JP to sign it, emailing the form back and changing your passwords and PINs (and not just for the hacked account).
If the hacking was severe, it would also mean trying to restore cancelled flights, and trying to prove that you are the legitimate owner of the hacked account.
While airlines state that frequent flyer points have ‘no monetary value’, they are a legitimate medium of exchange: points can be redeemed for gift cards, for example.
As such, it’s my opinion that the same level of protection we come to expect from banks and financial intermediaries should be provided to frequent flyer programs.
Cheers Bruce
Qantas Frequent Flyer security requirements for passwords are woefully, pathetically lacking. To only allow for a 4 digit PIN as a key to your account is patently ridiculous in 2006, let alone 2016. As the author points out, it is quite easy to obtain someone’s last name and FF#. Even if someone picks a completely random PIN, that still only leaves 10,000 potential PINs; and as we’ve seen, they can easily keep trying them until they hit on the right one. Compare that with a mere 8 character password that included letters, numbers & special characters, which would shake out to about 6.6 quadrillion unique combinations.
Although you can’t with Qantas, all your passwords should be long, random, and be different for each account. (e.g. GW8uJMxf-ayiy#oQ1S is a good password; some combination of names of people, special dates, and a few special characters replacing a letter (S –> $), whilst better than nothing, is not a good password).
However, when you’re juggling multiple bank accounts and multiple frequent flyer accounts, unless you’re Rainman, it is impossible to achieve this. So you should consider paying a small fee to get an account with LastPass, 1Password, or similar. Do your research when choosing what company to go with, but these services will allow you to generate and manage the types of passwords you need to stay as secure as possible. When you tally up all of the utilities, banks, frequent flyer programs, hotel programs, social media accounts, email, etc. that you have, I wouldn’t be surprised if you have 80-100 accounts with fewer than 10 unique passwords.
2FA definitely should be implemented in more places – sadly Amazon only seems to offer it on their US site so far, not on the UK one.
I am not sure recommending a points tracking app or website is necessarily a good idea though. The fewer people who have your FF account details the better, and without knowing what security they have in place, I think it is a bit of a risk.