How the Qantas Frequent Flyer program taught me about bad security practices

Terence Huynh
Published in The Startup, Feb 10, 2020

[Photo: Aeroplane with the Qantas “Flying Kangaroo” logo on the tail. Simon_sees/Flickr (CC BY 2.0)]

I got three push notifications just as I reached my seat, before leaving Dubai for Melbourne.

One from Instagram, a reply to something I had posted in an Instagram story: “You should delete this.”

One from Facebook Messenger: “Hey. Are you still in Dubai?”

One from Gmail: “TERENCE, your Qantas Frequent Flyer PIN had been reset.”

I didn’t reset my PIN.

Well, fuck.

“I didn’t believe it would be that easy.”

It turns out that one of my friends wanted to test Qantas’ security processes and tried to reset my PIN (and, obviously, succeeded). He told me later that he “didn’t believe it would be that easy” and “please don’t sue [him]” (I’m not).

He managed to get my Qantas Frequent Flyer number from my Instagram story, which I had accidentally posted. Thankfully, I’m not one of those Instagram “influencers” who get many views—the audience was limited to just my circle of friends.

He also answered all the security questions based on information he got just by browsing my Facebook profile.

I wish I could say I couldn’t believe that he managed to get all of the information he needed from my Facebook profile, but actually I could. In fact, I was surprised at how little information Qantas asked for to verify my identity before changing a PIN.

In a mad panic, I went and bought WiFi access on my Emirates flight so I could try to recover my account. At the time I didn’t realise that my friend was the one who had compromised it. The connection was painfully slow, but I persevered and — despite the numerous network time-outs and long waiting screens — managed to change the PIN to something that only I knew.

To verify my identity, Qantas asked the following questions:

  • What was my mother’s maiden name?
  • What was my postcode?
  • What was my date of birth?
  • When did I join the Qantas Frequent Flyer program?

I knew this process beforehand — I needed to login whilst I was travelling in the UK but I was using a local SIM card and…


Software Engineer at Atlassian. Founder/Organiser at UNIHACK (@UNIHACKHQ). Tech Blogger and Writer.