
Aeroplan Tickets Repeatedly Fraudulently Redeemed From My Account

Old Nov 24, 22, 8:52 am
  #1  
Original Poster
 
Join Date: Nov 2022
Posts: 3

So I've had fraudulent bookings being redeemed with my Aeroplan account with points for 3 days in a row now. Each day the Aeroplan people are nice on the phone and can reverse the bookings, but they have no suggestions past changing email & Air Canada passwords which I have already done.

The pattern is a booking is made for flights in/out of India, on behalf of Air India. The 2FA enabled on my Gmail and Air Canada accounts does not fire at all, meaning there is still some access pattern allowed for these bookings for fraudsters. Comically the 2FA emails only fire for AC when I log into my account to check the fraud in the morning.

The only option with the agent this morning was to freeze the account for a while hoping they give up - which does not solve the root cause of their poor security at all.

In the meantime I'm going to do a full virus scan of my computer since I suppose there could be a keylogger somewhere. Anyone else have suggestions?

I'm an experienced software developer myself so am generally careful with my security - wonder if I'm off track thinking there's an active session somewhere Air Canada hasn't blocked using a previous password, or just having an Aeroplan + demographic info from some prior data breach allows permanent access to book flights?

EDIT: Forgot to mention there is no security info in the Air Canada websites like most sites give you (e.g. active sessions, logging out all other devices, locations of access) so it's hard to diagnose anything yourself. Plus the Air Canada security + fraud teams refuse to communicate at all or send me any data. I understand fraud/compliance teams have to keep most things secret (I worked in the anti financial crime industry myself for years) but some basic info about IPs, locations, times the account was logged into could rule out a few things and wouldn't compromise their fraud program.
gigabear is offline  
Old Nov 24, 22, 10:15 am
  #2  
 
Join Date: Aug 2020
Programs: Aeroplan
Posts: 179
If it's happened multiple times, is it possible you have spyware, or a keystroke logger on your computer? If you're consistently changing your password and they're still getting in, then it's clear you're being surveilled in some way. If that's the case AC/Aeroplan can't really help you beyond freezing your account until your computer is cleared of any malware.
Kishiwada is offline  
Old Nov 24, 22, 10:23 am
  #3  
Original Poster
 
Join Date: Nov 2022
Posts: 3
I agree, Kishiwada, that's a possibility; however, one reason that seems unlikely now is that the 2FA emails do not fire at all when the fraud occurs. So when I check my Air Canada account in the morning there is a 2FA email with a code, but whenever this fraud happens there isn't a 2FA warning from Air Canada nor from Google. The Google 2FA is also quite strict and I can monitor the devices connected. I think it's more likely that there is an active session somewhere that isn't being logged out with the password changes or an Air Canada agent is being social engineered with my Aeroplan + demographic info.
gigabear is offline  
Old Nov 24, 22, 10:27 am
  #4  
Moderator, Air Canada; FlyerTalk Evangelist
 
Join Date: Feb 2015
Location: YYC
Programs: AC SE MM, WS Plat, DL PM, BA Bronze, Marriott Titanium, Accor/Hilton/Radisson Gold
Posts: 14,637
Originally Posted by gigabear
I think it's more likely that there is an active session somewhere that isn't being logged out with the password changes or an Air Canada agent is being social engineered with my Aeroplan + demographic info.
The AC website is very aggressive at logging you out. If you reset the password, I think the app will also log you out. So I suspect it's far more likely they're just phoning in and redeeming tickets that way.
Adam Smith is offline  
Old Nov 24, 22, 11:24 am
  #5  
 
Join Date: Jan 2010
Location: YYZ/SFO
Programs: *G^2, Bonvoyed, NEXUS
Posts: 3,027
Did Aeroplan tell you if the bookings were made online vs. on the phone? That should be easy for them to tell you.

Also, you can set up a phone PIN with Aeroplan that needs to be given before they can access your account as well.
D582 is online now  
Old Nov 24, 22, 11:26 am
  #6  
 
Join Date: Mar 2002
Location: London, Vancouver, Tokyo, San Francisco, NYC
Posts: 243
Just wondering if the booking was made in your name or a third person's? If the former, what is the person's intention? Or if the latter, is he registered as a family sharing member or as a companion of yourself?
cozysuite is offline  
Old Nov 24, 22, 11:32 am
  #7  
Original Poster
 
Join Date: Nov 2022
Posts: 3
It's by random third party people - Air Canada tells me it's a common scam they hear about where if they don't get to the fraud fast enough, the people actually board the flight. Which is why the flights are usually within a few hours or 1 day. I have a phone PIN set up as well, one agent said the bookings were done online, and another agent said they can't see that info, so not sure now.
gigabear is offline  
Old Nov 24, 22, 11:45 am
  #8  
Moderator, Air Canada; FlyerTalk Evangelist
 
Join Date: Feb 2015
Location: YYC
Programs: AC SE MM, WS Plat, DL PM, BA Bronze, Marriott Titanium, Accor/Hilton/Radisson Gold
Posts: 14,637
Originally Posted by D582
Also, you can set up a phone PIN with Aeroplan that needs to be given before they can access your account as well.
But what if you forget the PIN? Presumably they'll ask for name and address and such that someone who had previously hacked the account would probably have.

Originally Posted by gigabear
I have a phone PIN set up as well, one agent said the bookings were done online, and another agent said they can't see that info, so not sure now.
It should be in the remarks on the PNR, I would think, which they can definitely see. You could also see whether the phone booking fee shows up on the confirmation or the PNR cowtool. If it does, it was very definitely booked by phone.
Adam Smith is offline  
Old Nov 24, 22, 12:14 pm
  #9  
 
Join Date: Mar 2001
Location: Toronto, ON
Programs: AC 75K
Posts: 5,919
In some examples I've seen, the fraudsters set up rules within the email account to send the Air Canada 2FA emails to junk or a separate folder so you never see them triggered. May not be relevant to this one given it sounds like you've got 2FA on your email account too.
ChrisA330 is offline  
Old Nov 24, 22, 2:00 pm
  #10  
 
Join Date: Mar 2002
Location: London, Vancouver, Tokyo, San Francisco, NYC
Posts: 243
Originally Posted by gigabear
It's by random third party people
How can the agent or AC website issue a reward ticket without account owner/family shared person? If that is common practice, that is all AC's fault/bug, isn't it?
cozysuite is offline  
Old Nov 24, 22, 2:08 pm
  #11  
 
Join Date: Mar 2001
Location: Toronto, ON
Programs: AC 75K
Posts: 5,919
Originally Posted by cozysuite
How can the agent or AC website issue a reward ticket without account owner/family shared person? If that is common practice, that is all AC's fault/bug, isn't it?
You are allowed to redeem your Aeroplan points for someone else. Nothing wrong or abnormal about that.
ChrisA330 is offline  
Old Nov 24, 22, 3:06 pm
  #12  
 
Join Date: Nov 2022
Posts: 74
Originally Posted by ChrisA330
You are allowed to redeem your Aeroplan points for someone else. Nothing wrong or abnormal about that.
The award will be much less valuable if you can only redeem for yourself.
ChristiCyvr is offline  
Old Nov 24, 22, 3:51 pm
  #13  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.85MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 61,430
Have you changed your account information from another device? Avoiding a keylogger potential on the original device.
WineCountryUA is offline  
Old Nov 24, 22, 4:06 pm
  #14  
 
Join Date: Apr 2016
Location: YYZ
Programs: TK *G
Posts: 2,334
I am not familiar with the exact procedures to change email or reset password for AC/Aeroplan, or have much experience with their authentication in general. A few things I can think of:

IMO the first step is to determine if your Gmail account is compromised or not, or only AC account. It would be extremely difficult to hack a Google account, but I wouldn't rule out that possibility prematurely. Do you have any other account tied to that Gmail account? Noticed any other account that might be compromised?

If I understood this correctly, you changed the email and password of the AC/AP account, yet fraud activities still occurred? Did the email or password get changed on your AC/AP account by the attackers? If not, it seems like attackers were using an existing session somehow. You can inspect the network requests and find out if requests are authenticated via cookie or JWT, and possibly find out the session TTL.

How often did you access your AC/AP account before the attack happened? If you accessed your account regularly from North America (I assume), then it's quite strange that you get 2FA challenges while the attackers in India (presumably) do not.

If you want to reach out to AC's fraud team, the best bet IMO is to create a ticket with CS and ask them to escalate to the right department. Though keep in mind that fraud team is an operations team, not an engineering team, so it may take quite some time before they can find out a systematic solution to stop this attack altogether.
songsc is offline  
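An added example, not written by any poster in this thread and not Air Canada's code: one way to do the check suggested in post #14 on a credential copied from your own browser's network tab. It decides whether the value is a JWT or an opaque session cookie and, for a JWT, reads the standard `iat`/`exp` claims to get the lifetime and whether it spans a password change. The sample token, cookie and timestamps are constructed, and whether the site uses JWTs at all is an assumption.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_credential(value):
    """Return the JWT claims dict, or None for an opaque session id."""
    parts = value.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if isinstance(header, dict) and isinstance(claims, dict) and "alg" in header:
        return claims
    return None

def session_report(value, password_changed_at):
    """Lifetime in seconds, and whether the token was issued before a
    password change (epoch seconds) yet expires after it. Only the server
    knows if such a token was revoked; this reads the claims, nothing more."""
    claims = parse_credential(value)
    if claims is None:
        return {"kind": "opaque", "ttl_seconds": None, "spans_password_change": None}
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(t, (int, float)) for t in (iat, exp)):
        return {"kind": "jwt", "ttl_seconds": None, "spans_password_change": None}
    return {"kind": "jwt", "ttl_seconds": exp - iat,
            "spans_password_change": iat < password_changed_at < exp}

# Constructed sample data (not captured from any real site).
SAMPLE_IAT = 1669200000
SAMPLE_JWT = ".".join([
    _b64url_encode({"alg": "HS256", "typ": "JWT"}),
    _b64url_encode({"sub": "member-0000", "iat": SAMPLE_IAT,
                    "exp": SAMPLE_IAT + 30 * 86400}),
    "constructed-signature",
])
SAMPLE_COOKIE = "s%3Aconstructed-opaque-session-id"
PASSWORD_CHANGED_AT = SAMPLE_IAT + 86400  # password changed a day later

if __name__ == "__main__":
    print(session_report(SAMPLE_JWT, PASSWORD_CHANGED_AT))
    print(session_report(SAMPLE_COOKIE, PASSWORD_CHANGED_AT))
```

An opaque cookie tells you nothing client-side; its lifetime and revocation live entirely on the server.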
Old Nov 25, 22, 9:04 am
  #15  
 
Join Date: Jul 2006
Location: YYZ/LHR/SFO
Programs: AC SE100K, BA
Posts: 228
Originally Posted by songsc
IMO the first step is to determine if your Gmail account is compromised or not, or only AC account. It would be extremely difficult to hack a Google account, but I wouldn't rule out that possibility prematurely. Do you have any other account tied to that Gmail account? Noticed any other account that might be compromised?
To add to this: at the bottom of the Gmail UI click details (or something similar, I don't remember exactly what it's called) to see other sessions. You can sign out all other sessions. And get a security key and enable advanced account protection.
pilot007 is offline  
