Account audit / blocked / fraud: award / miles / SWU / sale, barter, etc.

Old Jul 29, 2014, 10:15 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: Prospero
This thread is dedicated to issues around American Airlines Corporate Security, AAdvantage Fraud division (AKA "Revenue Protection Unit"), and its enforcement of the AAdvantage Terms and Conditions - particularly to selling, buying and bartering awards, miles, upgrades and other instruments - and related issues.

It is okay at this time to gift awards, upgrades, etc. as long as there is absolutely no quid pro quo (no buying or selling or offer to do so, no barter or trade such as "you give me one now, I'll give it back", or anything else smacking of prohibited activity). AA is probably the strictest of the US airlines about this. It has a very active and expert AAdvantage Fraud division within the AA Corporate Fraud department, which can be aggressive and, some might say, merciless: clawing back one's miles and instruments, even closing one's account and terminating status and the ability to participate in the AAdvantage program in the future.

There are other ways to commit fraud in AA’s eyes, such as fictitious or fraudulent bookings made to block seats and improve one’s chances of an upgrade, generating tickets to access airside facilities (e.g. lounges) with no intent to fly, etc.

To read an example of how the US Department of Transportation has rules on punitive actions by AA, read Joel Hayes vs. American Airlines here (PDF).

Please read on for information and the consensus of knowledgeable members.

E.g. AAdvantage Terms and Conditions excerpt: "At no time may AAdvantage mileage credit or award tickets be purchased, sold, advertised for sale or bartered (including but not limited to transferring, gifting, or promising mileage credit or award tickets in exchange for support of a certain business, product or charity and/or participation in an auction, sweepstakes, raffle or contest). Any such mileage or tickets are void if transferred for cash or other consideration. Violators (including any passenger who uses a purchased or bartered award ticket) may be liable for damages and litigation costs, including American Airlines attorneys’ fees incurred in enforcing this rule." (This extends to other AA instruments such as Systemwide Upgrades, etc., selling of extra AirPass seats or baggage allowance, etc.)
Also see the AAdvantage Program Terms and Conditions and the American Airlines Conditions of Carriage.

Originally Posted by SS255
<snip>"While you may consider the AAdvantage Miles in your account to be *your* property, they are actually the property of AA, and AA permits you to redeem them within the program rules set by AA. If AA detects any impropriety (real or perceived) in the use of AAdvantage miles, they reserve the right to confiscate the miles and/or close/delete the account."...
The typical email from AA Corporate Security cannot be addressed by calling AAdvantage Customer Service or by any other route; you must reply to the email address given. It will likely look like this:

My name is Fname Lname, and I am an analyst with American Airlines. One of my responsibilities is investigating possible instances of fraud, misrepresentation, and violations of the General AAdvantage Program Conditions. Today, I’m writing you about your AAdvantage account # XXXXXXXX

We have reason to believe that the transactions listed below violate one or more of the AAdvantage program conditions. This includes, but is not limited to, prohibition of purchase, sale, or barter of mileage credit and or award tickets. As a result, American Airlines has suspended your AAdvantage membership privileges and use of AA.com® in conjunction with your account – and may terminate your account as a result of our findings. We are in the process of completing the investigation into this matter, and I would like to hear the events as they occurred from your perspective. Please respond to this message by <date> with complete and accurate information regarding the activities listed below:

<specific activity /activities in question>

Required Information:
  • Passenger name
  • Origin and destination cities on the travel itinerary
  • Purchaser name (individual, company and/or website), including:
    • Copy of any advertisements to which you responded offering to purchase/broker the use of your AAdvantage miles
    • Purchaser contact information, such as:
      • Mailing address
      • Email address
      • Telephone number
      • Website profile name
  • Your statement fully disclosing the details surrounding the sale/barter transaction referenced above
  • Copy of all communication between yourself and the purchaser
  • Documentation that you received payment


To protect and retain the integrity of the AAdvantage program, it is vital that firm action be taken as a result of any violation of the AAdvantage Program Conditions, whether intentional or not. Failure to respond completely and accurately by <insert date>, will result in the termination of your AAdvantage membership and all its benefits, including all remaining AAdvantage miles in your account and any award tickets issued from it. Please, understand that our overall motivation is to preserve the benefits of the AAdvantage program, rather than to take punitive action against individuals. To that end, it’s not unusual for us to release the AAdvantage account suspension once we receive all the detail we request and reconcile it with the results of our investigation. We hope to hear from you soon.

Regards,

Fname Lname, etc.
Excellent summaries (based on the sum of experiences seen in this thread over time) of how to respond:

Blogger Gary Leff: "If you made that mistake and got caught, American usually will go light on first-time offenders provided that they ‘come clean’ and are forthcoming about whom a systemwide was sold to or purchased from and what the terms were. They are most interested in serial brokers and are willing to ‘plea bargain’ with minor offenders to get the Evip-lords. There may be a consequence but it should fall short of account shutdown and forfeiture of miles." Link
Originally Posted by sbrower
I am going to try and provide a summary of the advice. For the record, this is 90% from Jon (JonNYC) and a little bit from other comments and circumstances, I am just trying to provide an easy summary, without all the explanations and reasons. I am happy to have others update/correct.

1. Respond to the questions in the email which you received. Don't try to call or email that person, or anyone else, at AA or DOT or whatever. Just answer the email.

2. Answer every question, in detail, with the facts. Don't use sarcasm or "you should know" or anything else that sounds like you are avoiding the exact question being asked.

3. Assume that they know more about the true facts than you do. It might not always be true, but in most cases they have way more information than you might assume. So go back to #2, above.

4. If you did ANYTHING that was wrong (not under your interpretation of what you think the rules should be, but based on what the rules actually say) then, if you want to continue to participate in the AAdvantage program, tell them about your error and tell them that you are prepared to pay a correct penalty for your mistake (miles/status/etc) and then go back to #2, above.
From JonNYC, our resident expert on this:

Originally Posted by JonNYC
Perfect and 100%.
<snip>

The analysts that do this for a living have the same reactions that any humans do to being lied to and/or condescended to. Therefore, as well as being 100% truthful, go out of your way NOT to be:

-condescending
-brusque
-sharp, terse and/or sounding like you're being inconvenienced
-insulting
-just generally slippery, aloof, evasive and unforthcoming. As mentioned; they know more than you think they do. Always.

DO be apologetic, contrite and extremely cooperative.

Finally, any version of "...in which case, I'll be emailing [insert name or department here] to tell them how I, a [insert years flying AA, status, MMer, $$ spent, etc] customer is being treated" and/or mention of your lawyer, DOT, Chris Elliott, this forum, any blogger, etc. DO NOT DO THIS.
Older posts have been archived to the archived thread.

A number of posts regarding AA's confiscation of 60,000 miles from "Mr. Hayes" for allegedly making "fictitious" bookings in search of whether his upgrade would be likely to progress or not, AA IT issues that might have led to this (or not), AA's replies and the USDOT complaint have been moved to a new thread: Hayes, USDOT and AA: "fictitious bookings" and checking upgrades.

NOTE: Posts about members experiencing account security breaches, fraud, theft of awards and instruments have moved to Account fraud / breach: my account compromised, awards stolen, etc.

Old Jun 9, 2023, 10:43 pm
  #946  
A FlyerTalk Posting Legend
 
Join Date: Jan 2002
Posts: 44,981
Originally Posted by chix
Do you all think this is fair to make me change my AAdvantage number AND email address?
It seems a pretty trivial requirement.
Global321, FAA1996 and Antarius like this.
Dave Noble is offline  
Old Jun 10, 2023, 1:02 am
  #947  
 
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,192
Originally Posted by chix
Do you all think this is fair to make me change my AAdvantage number AND email address?
This is standard procedure for when an AAdvantage account gets compromised. I haven't heard about the e-mail address change requirement, but I've known others whose AAdvantage numbers have changed after miles were taken out of their accounts. In this case, at least the account was secured before the fraudsters did any damage. It's unfortunate since many of us have sentimental attachment to a number with a long tenure, but I wouldn't worry about the change since everything will transfer over in kind.
JJeffrey and LowValueCustomer like this.

Last edited by Majuki; Jun 10, 2023 at 1:22 am
Majuki is offline  
Old Jun 10, 2023, 7:55 am
  #948  
 
Join Date: Jan 2011
Location: Washington, D.C.
Programs: AA, but I play the field
Posts: 1,530
Originally Posted by chix
They say that if I choose to keep my old number (nostalgic number from the 80’s), I will forfeit their ability to guarantee me they will protect me against fraud (get my miles back).

Do you all think this is fair to make me change my AAdvantage number AND email address?
I sympathize with your plight, but based on what you've said above they aren't making you do anything, they are giving you a choice: you can choose to keep your old number (contrary to their security recommendation) but then you must also assume the resultant security risk. To me that is the definition of fair.

Last edited by ZenFlyer; Jun 10, 2023 at 3:24 pm
ZenFlyer is offline  
Old Jun 11, 2023, 8:07 am
  #949  
 
Join Date: Jan 2000
Location: Baltimore/Washington, USA
Programs: AA LT Platinum, Hilton LT Diamond, Marriott Titanium
Posts: 3,078
Originally Posted by ZenFlyer
I sympathize with your plight, but based on what you've said above they aren't making you do anything, they are giving you a choice: you can choose to keep your old number (contrary to their security recommendation) but then you must also assume the resultant security risk. To me that is the definition of fair.
What if I have a single personal email and a business email? How can they expect me to open an additional email AND get a new AAdvantage number?

That’s too much and unreasonable.
chix is offline  
Old Jun 11, 2023, 8:12 am
  #950  
 
Join Date: Jan 2011
Location: Philadelphia, PA
Programs: AAdvantage Exec Platinum, Hertz #1 Club Gold Five Star, IHG Platinum, Marriott Gold, HHonors Silver
Posts: 2,070
Originally Posted by chix
What if I have a single personal email and a business email? How can they expect me to open an additional email AND get a new AAdvantage number?

That’s too much and unreasonable.
You can open up a free one on many sites (Gmail, Yahoo, etc.) and have all emails from AA automatically forwarded to your primary account. It'll take all of 5 minutes of your time to set this up. If you aren't a technical person, just Google how to do this and you'll get numerous step-by-step instructions/videos on how to do this.

Unfortunately, sometimes after a data security breach at an important account like this (or your credit card, etc.), you need to put in a little bit of extra effort to resolve it. That's the world we live in today. You can complain all you want that it is "too much and unreasonable", but no one at AA (or much of the internet) is going to cry the blues over this for you.
GNRMatt is offline  
Old Jun 11, 2023, 9:16 am
  #951  
 
Join Date: Jan 2011
Location: Washington, D.C.
Programs: AA, but I play the field
Posts: 1,530
Originally Posted by chix
What if I have a single personal email and a business email? How can they expect me to open an additional email AND get a new AAdvantage number?

That’s too much and unreasonable.
Suppose your home was burglarized and there was no sign of forced entry; someone used a key to obtain access. If you subsequently declined to change the locks, should the insurance company be held liable for future losses?
hurnik, Antarius, argonath and 2 others like this.
ZenFlyer is offline  
Old Jun 11, 2023, 9:28 am
  #952  
 
Join Date: Sep 2019
Location: NYC, SEA
Programs: Hyatt Glob, Marriott Titanium, AA EXP, DL PM, AS 100k (fake), B6 M3 (fake), BA Gold (fake), UA FO.
Posts: 786
Originally Posted by ZenFlyer
Suppose your home was burglarized and there was no sign of forced entry; someone used a key to obtain access. If you subsequently declined to change the locks, should the insurance company be held liable for future losses?
I agree with those saying that this could have resulted in much worse than the loss of an FFN, but that said, I don't think it's really unreasonable to expect to keep the FFN. If AA believes that the FFN affects security, that suggests that AA's fraud prevention team is using the FFN as a supplemental authentication credential, like a second password. That seems to be the truly unreasonable practice here. If AA is not comfortable with its password system alone (without relying on any perceived residual protection that a non-private identifier like an FFN may provide), then AA needs to mandate MFA of some sort, such as a text or app push message. Short of MFA, the airline should insure against fraud losses without pushing aggravating changes on affected customers merely to achieve dubious security benefits.
LowValueCustomer is offline  
Old Jun 11, 2023, 9:49 am
  #953  
 
Join Date: Aug 2022
Programs: AA Executive Platinum (Oneworld Emerald)
Posts: 135
Originally Posted by LowValueCustomer
I agree with those saying that this could have resulted in much worse than the loss of an FFN, but that said, I don't think it's really unreasonable to expect to keep the FFN. If AA believes that the FFN affects security, that suggests that AA's fraud prevention team is using the FFN as a supplemental authentication credential, like a second password. That seems to be the truly unreasonable practice here. If AA is not comfortable with its password system alone (without relying on any perceived residual protection that a non-private identifier like an FFN may provide), then AA needs to mandate MFA of some sort, such as a text or app push message. Short of MFA, the airline should insure against fraud losses without pushing aggravating changes on affected customers merely to achieve dubious security benefits.
AA likely wants the FFN changed for 2 (legitimate) reasons:
1) Chances are reasonably high that the OP's new password (or at least, most people's in the OP's position) is substantially similar to the previous one, and that will be the starting point for anyone wanting to regain control of the account.
2) AA requires the user's last name to match the FFN when logging in. Without a change to a new random FFN, this check is worthless, since the current attackers (and depending on the source of the leak, potentially many more) know who owns the existing FFN.

As for wanting a new email address, since the attackers changed the email address they obviously now know the prior one, and can target that email address to get back into the account, if they wish. It's also possible (from AA's POV) that the email account was how the AA account got compromised in the first place.

Agreed that MFA would be a good addition, but given the likely implementation (SMS messages), it will end up being annoying and have limited security usefulness. Ideally they'd use something actually good like U2F or WebAuthn, but those tend to be outside the technical competence of most users.

Source: I'm a professional Software Engineer who has previously worked in internet security.

Edit: That said, most airlines DO use the FFN in ways that aren't particularly secure, generally expecting them to be reasonably secret. For AA for example, if you're at an airport you can use the kiosks with just an FFN to be able to modify someone's reservation. This is likely an intentional tradeoff being made between security and usability (I always use my FFN at the kiosks to print my BP, rather than the PNR).
wrp96, ZenFlyer and Antarius like this.
Acidity is offline  
Old Jun 11, 2023, 11:30 am
  #954  
 
Join Date: Jan 2000
Location: Baltimore/Washington, USA
Programs: AA LT Platinum, Hilton LT Diamond, Marriott Titanium
Posts: 3,078
Originally Posted by Acidity
AA likely wants the FFN changed for 2 (legitimate) reasons:
1) Chances are reasonably high that the OP's new password (or at least, most people's in the OP's position) is substantially similar to the previous one, and that will be the starting point for anyone wanting to regain control of the account.
2) AA requires the user's last name to match the FFN when logging in. Without a change to a new random FFN, this check is worthless, since the current attackers (and depending on the source of the leak, potentially many more) know who owns the existing FFN.

As for wanting a new email address, since the attackers changed the email address they obviously now know the prior one, and can target that email address to get back into the account, if they wish. It's also possible (from AA's POV) that the email account was how the AA account got compromised in the first place.

Agreed that MFA would be a good addition, but given the likely implementation (SMS messages), it will end up being annoying and have limited security usefulness. Ideally they'd use something actually good like U2F or WebAuthn, but those tend to be outside the technical competence of most users.

Source: I'm a professional Software Engineer who has previously worked in internet security.

Edit: That said, most airlines DO use the FFN in ways that aren't particularly secure, generally expecting them to be reasonably secret. For AA for example, if you're at an airport you can use the kiosks with just an FFN to be able to modify someone's reservation. This is likely an intentional tradeoff being made between security and usability (I always use my FFN at the kiosks to print my BP, rather than the PNR).
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.

I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.

I think that’s reasonable to keep my email, don’t you?
chix is offline  
Old Jun 11, 2023, 11:32 am
  #955  
 
Join Date: Sep 2009
Location: Global
Posts: 6,092
Originally Posted by chix
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.

I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.

I think that’s reasonable to keep my email, don’t you?
If it is really that important to keep your email, and personally I don't get it, you could open a free gmail account, get your AA account up and running and then switch it back to your current email. I don't advise it, but this seems really important to you.
Antarius likes this.
Global321 is offline  
Old Jun 11, 2023, 12:01 pm
  #956  
FlyerTalk Evangelist
 
Join Date: Aug 2012
Location: KHOU/KIAH
Programs: AA EXP | Marriott LT Plat | Hyatt Discoverist
Posts: 11,551
Originally Posted by chix
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.

I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.

I think that’s reasonable to keep my email, don’t you?
I think you've heard what everyone here has to say and don't like the answer.

If you've made up your mind, go forth. That said, there are consequences and if you're OK with them, there's nothing wrong with it.

Originally Posted by LowValueCustomer
I agree with those saying that this could have resulted in much worse than the loss of an FFN, but that said, I don't think it's really unreasonable to expect to keep the FFN. If AA believes that the FFN affects security, that suggests that AA's fraud prevention team is using the FFN as a supplemental authentication credential, like a second password. That seems to be the truly unreasonable practice here. If AA is not comfortable with its password system alone (without relying on any perceived residual protection that a non-private identifier like an FFN may provide), then AA needs to mandate MFA of some sort, such as a text or app push message. Short of MFA, the airline should insure against fraud losses without pushing aggravating changes on affected customers merely to achieve dubious security benefits.
The unknown is how the account got compromised. If it was found compromised as part of a sold batch of FFNs, then changing the number eliminates it from being used in the future, allows subsequent use attempts to be tracked knowing that it is fraud and also reduces the ability for a non-tech savvy human to screw up. I know so many people who have accounts compromised only to reset the password to the same one as before or similar; if the OP did this, then the account is back to square one. (Not saying the OP would do this, just that it is a risk that is likely as AA has many non-tech savvy customers.) Acidity above explains it very well and likely has lived these problems a lot more than many by virtue of their job.

The lack of 2FA is inexcusable, I agree. Then again, 2FA with email doesn't help if the email is compromised. U2F is several decades too advanced for AA IT.
Majuki, Global321, wrp96 and 1 others like this.

Last edited by Antarius; Jun 11, 2023 at 3:18 pm
Antarius is offline  
Old Jun 11, 2023, 3:22 pm
  #957  
A FlyerTalk Posting Legend
 
Join Date: Jan 2002
Posts: 44,981
Originally Posted by chix
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.

I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.

I think that’s reasonable to keep my email, don’t you?
The airline isn't going to bring in MFA just for you. The login to the AA account is via use of either account number plus password or email address plus password. The person who gained access to your account obviously must have had your email address or account number in order to be able to access the account. If the email address and account number remain unchanged, then there is a good starting point for a subsequent attack.

Setting up a new email address is trivial and free; just get emails forwarded from the new address.

As far as reasonableness goes, AA seems to be being reasonable. Change the IDs or any future risk is on you. Which is more important to you?
Global321 likes this.
Dave Noble is offline  
Old Jun 11, 2023, 6:46 pm
  #958  
Original Member
 
Join Date: May 1998
Location: CT/NY
Programs: UA 1K/1MM, AA EXP, Marriott LT Titanium, Hyatt Globalist, IHG Plat Amb
Posts: 6,148
Originally Posted by chix
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.

I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.

I think that’s reasonable to keep my email, don’t you?
Well, if you have a Gmail account, you can just add a period somewhere for AA to think it's a new account, but it still delivers to the same inbox. For example, if your account is [email protected], you can just do flyer.talk, or fl.y.er.tal.k.
PTahCha is offline  
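The dot trick in the post above is exactly why an account-security team that forces a new contact address after a takeover should canonicalise e-mail addresses before accepting the replacement: if the "new" address resolves to the mailbox the attacker already knows (or controls), the change buys nothing. The following is an added example, not AA's code and not anything described on this page beyond the Gmail behaviour the post mentions; it assumes Gmail's documented rules (dots in the local part are ignored, a `+tag` suffix is dropped, googlemail.com is the same service as gmail.com) and uses hypothetical function names.

```python
"""Canonicalise contact e-mail addresses so an account-recovery workflow can
tell whether a proposed replacement address is really the same mailbox as the
one on the compromised account.  Added example, not AA's code.

Assumptions (Gmail's documented behaviour): dots in the local part are
ignored, anything after '+' is a sub-address of the same mailbox, and
googlemail.com delivers to gmail.com.  Other providers are treated literally,
because dots are significant in most mail systems."""

# Domains whose local part ignores dots and supports '+tag' sub-addressing.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# Domain spellings that are the same mail service.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_email(addr: str) -> str:
    """Return the canonical mailbox for addr (lower-cased, Gmail dots and
    +tag removed, domain alias resolved).  Raises ValueError on malformed input."""
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {addr!r}")
    local, domain = addr.lower().split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain in {addr!r}")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # drop sub-address tag
        local = local.replace(".", "")   # dots do not distinguish mailboxes
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses deliver to the same mailbox under the rules above."""
    return canonical_email(a) == canonical_email(b)


def review_contact_change(old_addr: str, new_addr: str) -> str:
    """Hypothetical policy decision for a post-takeover contact change:
    the replacement must not be the mailbox the attacker already knows."""
    if same_mailbox(old_addr, new_addr):
        return "reject: replacement resolves to the same mailbox as the compromised address"
    return "accept"


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    compromised = "flyertalk@gmail.com"
    for candidate in ["fl.y.er.tal.k@gmail.com",
                      "FlyerTalk+aa@googlemail.com",
                      "flyertalk@example.org"]:
        print(f"{candidate:32} -> {review_contact_change(compromised, candidate)}")
```

The conservative choice here is to apply the dot and plus rules only to domains known to behave that way; a check that stripped dots everywhere would wrongly merge two distinct mailboxes at a provider where `j.smith` and `jsmith` are different people.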
Old Jun 11, 2023, 7:40 pm
  #959  
 
Join Date: Jan 2000
Location: Baltimore/Washington, USA
Programs: AA LT Platinum, Hilton LT Diamond, Marriott Titanium
Posts: 3,078
I think the main issue with my email is I was an early adopter…… Meaning it’s my lastnamefirstnameinitial.com. So it could be that the hacking $@*hole just starts with the easy stuff. He or she tried my [email protected]. People suck!
chix is offline  
Old Jun 11, 2023, 9:30 pm
  #960  
 
Join Date: Sep 2019
Location: NYC, SEA
Programs: Hyatt Glob, Marriott Titanium, AA EXP, DL PM, AS 100k (fake), B6 M3 (fake), BA Gold (fake), UA FO.
Posts: 786
Not that it makes any practical difference, but as a cybersecurity professional myself, I have to reiterate my strong objection to using something like an FFN as a security credential. If the concern is a similar password, that suggests that AA needs better prior password restrictions. But blindly relying on a non-private data element like an FFN to do your security hygiene for you by random chance strikes me personally as supremely ill-advised.
Global321 likes this.
LowValueCustomer is offline  
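Two posts above make the same point from opposite sides: Acidity's first reason for rotating the FFN is that a post-compromise password is usually a near-copy of the old one, and LowValueCustomer's reply is that the fix for that belongs in the password policy, not in treating the FFN as a secret. The block below is an added example of such a policy, not AA's code and not taken from either post; it assumes the change-password flow in which the member supplies the current password (so both plaintexts are briefly in memory for comparison), a hypothetical 50% minimum edit-distance threshold, and hypothetical function names. After a forced reset the old plaintext is gone, so this comparison is only possible at ordinary change time or against a stored hash history, which the example does not cover.

```python
"""Password-change policy that rejects a replacement too similar to the
password it replaces.  Added example, not AA's code.  Assumes the member
has just proved the current password, so both plaintexts are available."""

import re

# Assumption: at least half of the characters must change (normalised
# Levenshtein distance), on top of the structural checks below.
MIN_DISTANCE_RATIO = 0.5


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def core(pw: str) -> str:
    """Strip the decorations people change when forced to rotate: case plus
    leading/trailing digits and symbols.  'Summer2023!' and 'summer2024!!'
    share the core 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def similarity_problems(old: str, new: str) -> list:
    """Return the reasons the new password is unacceptably close to the old
    one; an empty list means the change passes the similarity policy."""
    problems = []
    old_l, new_l = old.lower(), new.lower()
    if new_l == old_l:
        problems.append("same as the previous password (ignoring case)")
    if new_l == old_l[::-1]:
        problems.append("previous password reversed")
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        problems.append("only case, digits or symbols changed")
    if len(old_core) >= 4 and old_core in new_l:
        problems.append("contains the previous password")
    longest = max(len(old), len(new)) or 1
    if levenshtein(old_l, new_l) / longest < MIN_DISTANCE_RATIO:
        problems.append("too few characters differ from the previous password")
    return problems


def accept_change(old: str, new: str) -> bool:
    """True when the replacement is acceptably different from the old password."""
    return not similarity_problems(old, new)


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2023!", "Summer2024!!"),
                     ("Password1", "1drowssaP"),
                     ("Summer2023!", "correct horse battery")]:
        verdict = similarity_problems(old, new) or ["ok"]
        print(f"{old!r} -> {new!r}: {'; '.join(verdict)}")
```

The edit-distance ratio catches the generic "change one character" case, while the `core` comparison catches the specific habit of bumping a year or adding an exclamation mark, which a raw distance threshold alone can miss on long passwords.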

