How 46,700 points were stolen from my Velocity account
And how I managed to get them back from Virgin Australia.
When I logged into my Velocity account on 12 May this year, I got a rude shock.
I was checking to make sure that points I'd transferred from flybuys as part of one of Virgin Australia's regular bonus points promotions had shown up.
Instead, my account had far fewer points in it than it should. Rather than the 70,000-odd I knew I had accumulated, there were under 30,000 there. What had happened?
Checking the My Activity section, I discovered that a flight redemption had been booked on 25 April, chewing up 46,700 points in the process. I hadn't made that booking. (That was Anzac Day, and I was on holiday in Canberra, ignoring my laptop.)
Velocity's online system doesn't show you flight details for redemptions but does include a booking reference number. I searched for that in my Gmail account. That turned up a booking confirmation email, but unhelpfully, Gmail had classified it as spam. That's why I hadn't seen the email as soon as the booking was made.
The booking showed that the points had been used for a one-way Silk Air flight from Singapore to Shenzhen for 26 April, booked under a name I'd never heard of. Someone had somehow hacked into my account or the Velocity system, booked a flight with my points, and already taken it. Ugh.
So after changing the password for my Velocity account as a precaution, it was time to get on the phone to Velocity.
Straight up, this was a slow process. The initial call took nearly an hour, most of which was spent on hold. I got passed across to three different people and had to repeat my story to each of them.
I also had to explain repeatedly that no, I didn't use a common password, I didn't use the same password I'd used elsewhere, I hadn't shared that password with anyone else or with points-tracking software packages, and I hadn't logged into my account on a public computer or using public Wi-Fi. And no, I hadn't made the booking myself.
I've been writing about tech for 25 years. I know not to do those things. But I understand the support staff have to ask.
Waiting for a solution
At the end of the hour, this was the outcome. Virgin "suspended" my account, meaning I couldn't make any redemptions from it. (I could still earn points though.) An investigation would be launched. Unpromisingly, this would take up to 30 business days. Once completed, and assuming Virgin concluded I wasn't a pathological liar, the points would be restored to my account. Virgin would contact me when that happened, either by phone or by email. I promised to keep an eye on my spam folder in case the message ended up there again.
And then I waited. And waited. I finally received an email from Virgin on 4 June (19 business days after the initial contact). It asked me to confirm (again) that I hadn't shared my password and to confirm that I hadn't made a booking.
It also told me that I needed to submit a report to the Australian Cybercrime Online Reporting Network (ACORN) about the incident, and send a copy. Once that was done, the points would be restored. Virgin also recommended that I also switch to an entirely new account number associated with a different email address. I was happy to do that.
ACORN is, to be kind, a bit of a mess. When I first tried to submit a report, the submission site was broken. A month after I finally submitted it, ACORN sent me an email confirming there would not be a formal investigation. That was good. What was less impressive was that it also sent the same message to 359 other people who had submitted reports, and we could all see each other's email addresses. For an organisation promoting cyber security, that's a massively stupid thing to do. Blind copy is not a new function in email. But I digress.
After receiving the ACORN reply, I rang Virgin to organise the creation of a new account. This turned out to be a less painful call than the original. Within 30 minutes the task was completed, and a day later my new account was in operation, with all points present and correct.
While the process was slow, I was happy with how Virgin handled the incident. I can appreciate that investigation takes a while, and that the airline has to eliminate the possibility I'm trying to pull a fast one. Ultimately, everything got sorted out.
So what actually happened?
Virgin wouldn't provide any details about the actual cause of the problem. That's not surprising; it doesn't want to highlight areas scammers and cyber-criminals might take advantage of. But there are a few possibilities, even after eliminating password error on my part.
The first is that there's a vulnerability somewhere in Velocity which enables flight redemptions to be made even if you don't have a log-in password. That's frightening if true, but if that was the case I'd expect to hear a lot more about it.
The second is that the system was exploited by someone with internal access, either a staff member working in Velocity support or someone else in the travel industry. The IT used by travel agents isn't the fanciest in the world, and it's likely there are holes that can be exploited.
Whatever the cause, I can't do anything about Virgin's own internal systems. What I can do is make sure my hard-earned points stay safe.
Tips to protect your frequent flyer account
The single most important lesson from my experience is this: regularly check all your frequent flyer accounts. That's something you should be doing every time you're earning points, whether that's from flying, spending on your credit card, transferring from another loyalty program or shopping with an airline partner. But even when you're not earning, make sure you check in at least once a month and look at your activity statement.
Listen: Tips from a hacker on protecting your identity
You also need to follow basic security principles:
- Make sure the password for your frequent flyer account is unique. Don't reuse a password you've used elsewhere. For maximum effectiveness, use password management software.
- Don't share your password with other people. Don't write it on a Post-it note next to your computer.
- Don't respond to emails requesting your frequent flyer information; they're likely to be phishing scams designed to steal your identity or your points.
- If you do detect any unusual activity, contact your frequent flyer program by phone. Yes, you'll be on hold for a while, but it's the only way to get a resolution.
Angus Kidman's Findings column looks at new developments and research that help you save money, make wise decisions and enjoy your life more. It appears regularly on Finder.
- Virgin Australia sale drops fares from $69 across 300,000 seats
- Fly across Australia from $99 with Qantas’s 2020 Boxing Day sale
- Score $75 flights with the Virgin Australia Boxing Day sale
- Take off across the country from $75 with this Virgin Australia sale
- Get in early with this $89 Virgin Australia sale
Picture: Getty Images