
Account fraud / breach: my account compromised, awards taken, etc.

Old Aug 22, 2015, 2:16 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: Prospero
This thread is dedicated to issues around American Airlines AAdvantage accounts being invaded, taken over or compromised resulting in theft of awards, miles, upgrades and other instruments - and related issues.

For issues about account freezes or closures, airline accusations of fraud against the AAdvantage program and the like, please see: Account audit / fraud: award / miles / SWU / VIP sale, barter, etc (consolidated).

If you find your account has been breached or have unexplained activity such as awards you did not arrange, contact AA immediately to protect and gain control over your account and to be made whole.

To help protect your account, be sure to:
  • have a strong, protected and secure password
  • check your account periodically
  • be aware and keep track of your transactions
  • control or destroy documents such as boarding passes
  • use antivirus software; if your personal computer is hacked, the attacker can gain control of your AA account
  • be very wary of logging into your account on public computers, such as at internet cafés or the hotel business center, where keystroke loggers could be installed

If your email information is correct in aa.com, changes to your account should be sent to you as follows (even if someone changes your email address, though it's of no help if someone pirates your email account):

Dear JDiver,

Thanks for visiting AA.com. This email confirms that your account has been updated as follows.

Your contact information has been updated, but is not included in this e-mail for the security of your account.

If you did not change your contact information or if you have any concerns about your account, please contact aa.com Web Services.

If you have unsubscribed to one of our email products, we will remove your address from our mailing list as soon as possible. Please be aware that you may continue to receive emails for up to 10 business days.

If you have subscribed to AA email products and are not receiving them, your Internet Service Provider (ISP) may use filters to prevent unwanted emails from reaching your inbox. Sometimes, these filters also block messages you want to receive. In most cases, adding us to your list of trusted senders will solve this issue. In AOL, select "Add Address"; in Yahoo! Mail, Outlook or Outlook Express select "Add To Address Book"; or Hotmail or MSN, select "Save Address(es)". If you need further assistance, contact your ISP's technical support department and ask how to "whitelist" emails from AA.

AA.com
American Airlines
 
Old Sep 16, 2015, 7:51 am
  #226  
 
Join Date: Sep 2009
Location: Global
Posts: 6,004
Originally Posted by MSPeconomist
I doubt that the Target database included the OP's pet's name unless it was used as a password.
Could be one of the extra security questions that websites ask you for.
Global321 is offline  
Old Sep 16, 2015, 8:12 am
  #227  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by 110pgl
Could be one of the extra security questions that websites ask you for.
All those silly questions do is frustrate me. Especially when the answer changes over time. Such as "the name of your favorite restaurant". That can change overnight depending upon where I go to eat. Plus, having a large family the traditional questions like mother's maiden name is easily known by many or available from many sources. Fortunately they have no means to make sure I answer those questions with the truth. No one is going to guess Mamma James as the name of my high school.
RogerD408 is offline  
Old Sep 16, 2015, 8:16 am
  #228  
 
Join Date: Apr 2009
Location: YYF/YLW
Programs: AA, DL, AS, VA, WS Silver
Posts: 5,955
Originally Posted by 110pgl
Could be one of the extra security questions that websites ask you for.
Extra security questions being one of the most vulnerable parts of typical online account security. By their nature, they get reused. The best password in the world won't protect you if the company allows your password to be reset by answering relatively easy questions like that. Email and snail mail (uncommon for most accounts including airline ones, but my bank does snail mail notifications for password changes) notifications of password changes help with that (as long as the contact information is up to date and the email gets read!). Two-factor authentication for things like password resets is better.

Originally Posted by RogerD408
No one is going to guess Mamma James as the name of my high school.
Unless they're reading this forum!
ashill is offline  
Old Sep 16, 2015, 8:22 am
  #229  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by ashill
...Unless they're reading this forum!
... and they would still be wrong.
RogerD408 is offline  
Old Sep 16, 2015, 9:30 am
  #230  
 
Join Date: Dec 2005
Location: California
Programs: AA EXP...couple hotels and cars too
Posts: 4,548
Originally Posted by ashill
Extra security questions being one of the most vulnerable parts of typical online account security. By their nature, they get reused. The best password in the world won't protect you if the company allows your password to be reset by answering relatively easy questions like that.
I use passwords as responses to those as well. My favorite color?

Ka&%$46SaaYx$&765

Exec_Plat is offline  
Old Sep 16, 2015, 10:45 am
  #231  
nrr
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 10,291
Originally Posted by 110pgl
Could be one of the extra security questions that websites ask you for.
Social Security (when you set up your acct. on line), uses the name of your first "stuffed animal" as one of them.
[The first time I set up my acct. it rejected my choice--how did they know its name.]
nrr is offline  
Old Sep 16, 2015, 10:57 am
  #232  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,365
Originally Posted by Exec_Plat
I use passwords as responses to those as well. My favorite color?

Ka&%$46SaaYx$&765

Agree 100%.

The concept of these "security questions" reduces real security in order to placate morons. Even if one does not want to use a full password, at least respond with non-personal data.

I once had a case where the site was "verifying" my selected answers. They asked me for my mother's birthday, I entered 17/43/3017. It rejected it as invalid. How f'ing stupid.

Even worse, IMO, was when some companies started asking questions based on data trawling (as opposed to user-selected answers). "When did you get your first mortgage" type idiocy. These questions could be answered better by a hacker than the real person.

BTW: Did OP ever get an email to his original email account that his account was being changed? That failure would be a serious screwup.

Last edited by exwannabe; Sep 16, 2015 at 11:02 am
exwannabe is offline  
Old Sep 16, 2015, 11:12 am
  #233  
nrr
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 10,291
Originally Posted by exwannabe
Agree 100%.

The concept of these "security questions" reduces real security in order to placate morons. Even if one does not want to use a full password, at least respond with non-personal data.

I once had a case where the site was "verifying" my selected answers. They asked me for my mother's birthday, I entered 17/43/3017. It rejected it as invalid. How f'ing stupid.

Even worse, IMO, was when some companies started asking questions based on data trawling (as opposed to user-selected answers). "When did you get your first mortgage" type idiocy. These questions could be answered better by a hacker than the real person.

BTW: Did OP ever get an email to his original email account that his account was being changed? That failure would be a serious screwup.
Each year you can get (from each of the 3 credit reporting agencies) your credit report. One step in the request process, you have to answer "questions" (in a multiple choice format); one such choice "apply for an XXX credit card in 2012"--I did apply for an XXX credit card, but I did NOT remember the year; so if it was 2011, I should NOT have "checked" that selection.
Two-step acct. log-in has much more security than what AA and most other online merchants now use.
nrr is offline  
Old Sep 16, 2015, 3:06 pm
  #234  
 
Join Date: Apr 2011
Location: New York
Programs: AA EXP 1.0mm, not sure where I am with hotels these days
Posts: 2,795
Originally Posted by jerry a. laska
Thank you Jerry as this answers the first question.
george 3 is offline  
Old Sep 16, 2015, 6:37 pm
  #235  
 
Join Date: Dec 2012
Posts: 814
Yes, on using fake answers to the questions. And vary the answers for each site. A password manager is a useful way to keep track of the various answers you gave to the questions. My first pet has a number of very awkward names.


+1 on two-factor authentication.

Of course, none of this is worth much if the organization you gave your information to is sloppy about security. I'm looking at a certain insurance company that let my unencrypted personal data be stolen.

Last edited by MrTemporal; Sep 16, 2015 at 6:45 pm
MrTemporal is offline  
Old Sep 16, 2015, 7:58 pm
  #236  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by kmersh
Or just good Googling, last year the nurse told a patient that Dr. KMersh will be in to see you in a few minutes and as I entered the room the patient's wife had already Googled, Dr. Kmersh and had obtained my full CV, moved on to find out my Wife's name and her full CV, it was impressive and scary all wrapped up in one, the patient's Wife even knew about a fund raiser that my Wife and I had attended and commented that it looked like a lot of fun.

Granted, she did not (or at least I do not think she did) know my dog's name or any other info on me, but I guess someone devoted enough could probably get almost anything.
Google can provide a lot of info. We occasionally hear about hacks into celebrity email/twitter accounts, which presumably use predictable combinations. On the other hand, to hack my AAdvantage account, you will need more info than you can Google. For me, however, there have been people who travel on the same itinerary as me, and might have that itinerary in their email containing AAdvantage numbers. Some of those individuals might even be characterized as former SO's who know enough to figure out those predictable combinations. For example, logging into the home wifi used to have a certain predictable combination that was in similar format to other passwords. No longer ... in my case and this situation is a reminder about password security for all of us. Unfortunately, the ongoing complexity of password security leads us to write them down ... which leads to less security, but I digress.

In any event, logic suggests that someone closer to us would be more likely to be aware of the information to get into our accounts than a random googler. I suspect those who investigate issues like this might have reached the same conclusion.
C17PSGR is offline  
Old Sep 17, 2015, 5:38 am
  #237  
 
Join Date: Mar 2015
Posts: 1,625
Granted, I do not have a dog in the fight and I admit that, but I am still bothered by American Airlines' tone with regards to the victim. In the case here and in the case of my Colleague, I would have liked to see American take the position of we will get you back your miles, it may take some time while we do our investigation but rest assured we have your back.

Instead the message seems to be, everyone is guilty in our eyes and you have to prove to us that you are innocent before we begin to help you. It would seem to me that unless one is in such need of attention that even negative attention is desired, why would one lie about their miles being stolen when they did something nefarious with them instead? That at least to my brain just does not make sense.

It smells of another security group that I am less than fond of who takes the stance that you are guilty until proven innocent, rather than innocent until prove
kmersh is offline  
Old Sep 17, 2015, 6:20 am
  #238  
 
Join Date: Dec 2003
Location: NYC
Posts: 6,441
Originally Posted by C17PSGR
...Unfortunately, the ongoing complexity of password security leads us to write them down ... which leads to less security, but I digress....
Check out LastPass or some other password app. They'll store passwords (highly encrypted), generate secure passwords, etc.
richarddd is offline  
Old Sep 18, 2015, 11:48 am
  #239  
Moderator, OneWorld
Original Poster
 
Join Date: Feb 2002
Location: SEA
Programs: RAA RIP; AA ExEXP
Posts: 11,808
AA has acknowledged receipt of the police report and has asked me to sign an affidavit stating various things, e.g. I don't know the ticket users, the brokerage, etc., which I have done. Account still locked.
Gardyloo is offline  
Old Sep 18, 2015, 11:51 am
  #240  
 
Join Date: Sep 2009
Location: Global
Posts: 6,004
Originally Posted by Gardyloo
AA has acknowledged receipt of the police report and has asked me to sign an affidavit stating various things, e.g. I don't know the ticket users, the brokerage, etc., which I have done. Account still locked.
Hopefully, this will be the light at the end of this bad tunnel you are in.

Keep the faith!
Global321 is offline  

