I got three push notifications just as I got to my seat before I left to Melbourne from Dubai.
One from Instagram, as a comment to something I posted on an Instagram story: “You should delete this.”
One from Facebook Messenger: “Hey. Are you still in Dubai?”
One from Gmail: “TERENCE, your Qantas Frequent Flyer PIN had been reset.”
I didn’t reset my PIN.
“I didn’t believe it would be that easy.”
Turns out, one of my friends wanted to test out Qantas’ security processes and tried to reset my PIN (and, obviously succeeded). He told me later that he “didn’t believe it would be that easy” and “please don’t sue [him]” (I’m not.)
He managed to get my Qantas Frequent Flyer number from my Instagram story, which I accidentally posted. Thankfully, I’m not one of those Instagram “influencers” that get many views—the audience was limited to just my friendship circle.
He also answered all the security questions based on information he got just by browsing my Facebook profile.
I wish I could say I couldn’t believe that he managed to get all of the information he needed from my Facebook, but I could actually. In fact, I was surprised how little information Qantas asked to verify my identity to change a PIN.
In a mad panic, I went and bought WiFi access on my Emirates flight so I could try and recover my account. I didn’t realise at the time my friend was the one who compromised my account. The connection was so slow, but I persevered and — despite the numerous network time-outs and long waiting screens — managed to change the PIN to something that I knew.
To verify my identity, Qantas asked the following questions:
- What was my mother’s maiden name?
- What was my postcode?
- What was my date of birth?
- When did I join the Qantas Frequent Flyer program?
I knew this process beforehand — I needed to login whilst I was travelling in the UK but I was using a local SIM card and hence I didn’t receive the six digit code they sent to my Australian number.
I didn’t question how lax those security questions were because I just wanted to get into my account.
Well, until now.
A lot of the information that Qantas asked for can be found on my Facebook — or in any public medium, like Twitter or Instagram — by making some educated guesses.
For example, only my Facebook friends and Twitter followers that I follow back can see my birthday without the year. However, my age is pretty common knowledge — so hiding that is clearly redundant.
I guess the only good thing was that this was a friend that I’ve known for a long time that did this as a bit of a test to see how secure it was; as opposed to a stalker, disgruntled colleague or someone who wanted to maliciously attack me.
This blog post was going to be a massive rant about how lax those security questions were. That plan changed, however, when I went in to change those security questions and saw they changed all the questions.
“When was this changed?” I wondered.
It has been a long time since I had to set up the security questions on my Qantas Frequent Flyer account — in fact, I think I haven’t changed the questions and answers since the day I signed up for the program, since I was asked to answer those questions during the registration process.
They are somewhat more secure than the previous set of questions; and are no longer things someone can answer by simply browsing your public social media accounts. Instead of your date of birth and postcode, the new questions include “what was your favourite book?” and the last name of your third grade teacher.
I especially like the “miscellaneous word or sentence” option, which definitely can make it harder for an attacker to pretend to be you. I created another password field on 1Password and randomly generated four words to create a de facto verification password.
If you are a member of the Qantas Frequent Flyer program, I would strongly recommend you have a look and change your security questions to something more secure. Especially if you’re seeing those really weak questions asking for your birthdate and postcode to verify your identity.
Is a four-digit PIN really protecting your account?
When you start thinking about how really secure your Qantas Frequent Flyer account is, there is one glaring issue that Qantas has not bothered to change — the four digit PIN.
In 2020, it is ridiculous to think that a four digit PIN is protecting your account from being compromised.
Yes, Qantas has introduced some level of two-factor authentication by letting you verify your identity by sending you a one-time token via SMS — though, it’s considered the worst form of two-factor authentication because there have been numerous cases of people stealing phone numbers and intercepting messages using known flaws in mobile networks.
And yes, they also limit the number of incorrect attempts to three — so an attacker can’t simply run through all four digit PIN combinations to see what works and what doesn’t.
But, to me, that seems like side-stepping the issue entirely. Don’t get me wrong, having two-factor authentication is a good thing. But I want that coupled with a strong and secure password with any number of characters of an unspecified length. Not a four digit PIN.
The irony is that Qantas’ insistence on its four digit PIN doesn’t follow the advice it gives to members about security on it’s very own website:
Just like passwords, PINs need to be strong and unique to you. PINs should be a random mix of numbers, letters and characters. You should avoid using obvious patterns like 1234, postcodes, birthdays or other significant dates and numbers.
Very hard to generate a strong and unique PIN code when you’re limiting it to 10,000 possible combinations.
What can you do to better secure your account?
Well, first things first, don’t be like me and accidentally reveal your Qantas Frequent Flyer number in a public forum. Treat your Qantas Frequent Flyer number like your passport number.
Second, make sure you review your security questions. Change them to use the new set of questions that don’t involve asking for the cliché (“what’s your mother’s maiden name?” or “what’s your date of birth?”). Those can be easily found — especially if your attacker is really persistent.
Lastly, keep an eye on your account and check for any suspicious activity or issues. Never assume it is a glitch unless otherwise stated by the airline itself on official channels.
If you do find anything wrong, contact the airline as soon as possible. Based on this article on Points Hack, Qantas will make you fill in a statutory declaration (a written statement signed by you, in front of a witness, that says you did not authorise the transfer) before handing the case to their Fraud team.
As a bit of a sidenote: Yes, I know that using public WiFi to change passwords (or, in this case, PIN codes) is not good security practice. I changed the PIN code again once I got back home as a precautionary measure.