“Your Velocity Points have been transferred”. I feel a strong sense of foreboding as I read those words because I certainly haven’t authorised any transfers. But it’s true – my account has been cleaned out and all the points have been transferred to a name I don’t recognise.
Cleverly, the thieves have done this on a Sunday night, when I can’t call Velocity until the next morning. To add insult to injury, they’ve changed my email on file, and I can’t log back in or reset my password.
‘Hacked accounts’ are becoming all too common
Unfortunately, this is an increasingly common phenomenon, especially if the anecdotes on Australian Frequent Flyer are anything to go by. Point Hacks understands that Velocity Frequent Flyer is working to implement multi-factor authentication (MFA) in the near future.
For now, the ability to transfer Velocity Points online has been disabled. You need to call up to transfer points instead (naturally, the fee to do so is currently waived).
These incidents aren’t ‘hacking’ in the sense of something being broken into at Velocity. Instead, thieves are most likely harvesting logins, including email addresses and passwords, from previously leaked data and trying their luck on other sites (a practice known as credential stuffing).
I am guilty of recycling passwords, even after knowing my data has previously been exposed. I’ve learned my lesson now. There’s one simple way to avoid this issue altogether: use a completely unique password for each of your banking and loyalty accounts.
Did I get my stolen points back?
The short answer is yes! The team at Velocity Frequent Flyer were quick to reassure me of that when I called them up the following morning. But I still had to wait some time for an investigation. Here’s the general process:
- Report the breach to Velocity Frequent Flyer.
- They lock down the account and investigate for around 30 business days.
- Once complete, they will ask you to create a new account.
- They will reinstate the points to your old account and then merge your old and new accounts together.
During the audit process, I couldn’t use Velocity Points or gain status benefits on partner airlines like Singapore Airlines. But I could still earn Velocity Points as usual, and I had no issues accessing my Velocity Platinum perks (mainly Economy X seating and lounge access) on Virgin Australia’s own flights.
There have also been reports of Qantas Frequent Flyer members having their points stolen. But such incidents appear to be rarer since the introduction of MFA – an important feature that Velocity will hopefully be able to implement soon.
Morals of the story: change all of your account passwords if they’re not unique. And if you notice any suspicious transactions, contact the loyalty program as soon as possible.
My husband was on his usual 3 x week Qantas flight as CEO of his company.
He died unexpectedly (very young) before his return flight, which his PA called to cancel.
Reservations agent asked if she needed to rebook and his PA said No all ok he passed away.
End of conversation.
600K+ points gone which were to be used to take the family 2A 4C to USA Disneyland.
At NO POINT did Qantas ask for verification of his death, by way of Death Certificate.
No one at Qantas called me, his wife and next of kin on record.
ANYONE could have picked up a Boarding Pass with his FF Status displayed, and called to cancel his account.
ZERO verification required.
My argument to Qantas was all of the above, not to mention his company’s loyalty to Qantas after Velocity tried to poach him.
Yes, it’s in the TCs. But how many other airlines around the world treat their Platinum Members of over 30+ years like this?
How disgraceful not to reach out to the family, even with a condolence email card etc…
I have vowed never to fly Qantas or Jetstar and have changed my husband’s staff travel policy for his company to Velocity.
As the best comment in Pretty Woman was
“Big Mistake, Big mistake”