Last edit by: Prospero
This thread is dedicated to issues around American Airlines Corporate Security, AAdvantage Fraud division (AKA "Revenue Protection Unit"), and its enforcement of the AAdvantage Terms and Conditions - particularly to selling, buying and bartering awards, miles, upgrades and other instruments - and related issues.
It is okay at this time to gift awards, upgrades, etc. as long as there is absolutely no quid pro quo (no buying or selling or offer to do so, no barter or trade such as "you give me one now and I'll give it back", or anything smacking of prohibited activity). AA is probably the strictest of the US airlines about this. They have a very active and expert AAdvantage Fraud division of the AA Corporate Fraud department, and they can be both aggressive and, some might say, merciless: clawing back one's miles and instruments, even closing one's account and terminating status and the ability to participate in the AAdvantage program in the future.
There are other ways to commit fraud in AA's eyes, such as fictitious or fraudulent bookings made to block seats and increase one's chances of an upgrade, generating tickets to access airside facilities (e.g. lounges) when there is no intent to fly, etc.
For an example of how the US Department of Transportation has ruled on punitive action by AA, read Joel Hayes vs. American Airlines here (PDF).
Please read on for information and the consensus of knowledgeable members.
Also see AAdvantage Program Terms and Conditions and
American Airlines Conditions of Carriage.
The typical email from AA Corporate Security cannot be addressed by calling AAdvantage Customer Service or by other methods; you must reply to the email address given. It will likely look like this:
Excellent summaries of information (based on the sum of experiences we have seen in this thread over time) of how to respond:
From JonNYC, our resident expert on this:
Older posts have been archived to the archived thread.
A number of posts regarding AA's confiscation of 60,000 miles from "Mr. Hayes" for allegedly making "fictitious" bookings to check whether his upgrade was likely to clear, AA IT issues that might have led to this (or not), AA's replies and the USDOT complaint have been moved to a new thread: Hayes, USDOT and AA: "fictitious bookings" and checking upgrades.
NOTE: Posts about members experiencing account security breaches, fraud, theft of awards and instruments have moved to Account fraud / breach: my account compromised, awards stolen, etc.
E.g. AAdvantage Terms and Conditions excerpt: "At no time may AAdvantage mileage credit or award tickets be purchased, sold, advertised for sale or bartered (including but not limited to transferring, gifting, or promising mileage credit or award tickets in exchange for support of a certain business, product or charity and/or participation in an auction, sweepstakes, raffle or contest). Any such mileage or tickets are void if transferred for cash or other consideration. Violators (including any passenger who uses a purchased or bartered award ticket) may be liable for damages and litigation costs, including American Airlines attorneys’ fees incurred in enforcing this rule." (This extends to other AA instruments such as Systemwide Upgrades, etc., selling of extra AirPass seats or baggage allowance, etc.)
<snip>"While you may consider the AAdvantage Miles in your account to be *your* property, they are actually the property of AA, and AA permits you to redeem them within the program rules set by AA. If AA detects any impropriety (real or perceived) in the use of AAdvantage miles, they reserve the right to confiscate the miles and/or close/delete the account."...
My name is Fname Lname, and I am an analyst with American Airlines. One of my responsibilities is investigating possible instances of fraud, misrepresentation, and violations of the General AAdvantage Program Conditions. Today, I’m writing you about your AAdvantage account # XXXXXXXX
We have reason to believe that the transactions listed below violate one or more of the AAdvantage program conditions. This includes, but is not limited to, prohibition of purchase, sale, or barter of mileage credit and or award tickets. As a result, American Airlines has suspended your AAdvantage membership privileges and use of AA.com® in conjunction with your account – and may terminate your account as a result of our findings. We are in the process of completing the investigation into this matter, and I would like to hear the events as they occurred from your perspective. Please respond to this message by <date> with complete and accurate information regarding the activities listed below:
<specific activity /activities in question>
Required Information:
- Passenger name
- Origin and destination cities on the travel itinerary
- Purchaser name (individual, company and/or website), including:
  - Copy of any advertisements to which you responded offering to purchase/broker the use of your AAdvantage miles
- Purchaser contact information, such as:
  - Mailing address
  - Email address
  - Telephone number
  - Website profile name
- Your statement fully disclosing the details surrounding the sale/barter transaction referenced above
- Copy of all communication between yourself and the purchaser
- Documentation that you received payment
To protect and retain the integrity of the AAdvantage program, it is vital that firm action be taken as a result of any violation of the AAdvantage Program Conditions, whether intentional or not. Failure to respond completely and accurately by <insert date>, will result in the termination of your AAdvantage membership and all its benefits, including all remaining AAdvantage miles in your account and any award tickets issued from it. Please, understand that our overall motivation is to preserve the benefits of the AAdvantage program, rather than to take punitive action against individuals. To that end, it’s not unusual for us to release the AAdvantage account suspension once we receive all the detail we request and reconcile it with the results of our investigation. We hope to hear from you soon.
Regards,
Fname Lname, etc.
Blogger Gary Leff: "If you made that mistake and got caught, American usually will go light on first-time offenders provided that they ‘come clean’ and are forthcoming about whom a systemwide was sold to or purchased from and what the terms were. They are most interested in serial brokers and are willing to ‘plea bargain’ with minor offenders to get the Evip-lords. There may be a consequence but it should fall short of account shutdown and forfeiture of miles." Link
I am going to try and provide a summary of the advice. For the record, this is 90% from Jon (JonNYC) and a little bit from other comments and circumstances, I am just trying to provide an easy summary, without all the explanations and reasons. I am happy to have others update/correct.
1. Respond to the questions in the email which you received. Don't try to call or email that person, or anyone else, at AA or DOT or whatever. Just answer the email.
2. Answer every question, in detail, with the facts. Don't use sarcasm or "you should know" or anything else that sounds like you are avoiding the exact question being asked.
3. Assume that they know more about the true facts than you do. It might not always be true, but in most cases they have way more information than you might assume. So go back to #2, above.
4. If you did ANYTHING that was wrong (not under your interpretation of what you think the rules should be, but based on what the rules actually say) then, if you want to continue to participate in the AAdvantage program, tell them about your error and tell them that you are prepared to pay a correct penalty for your mistake (miles/status/etc) and then go back to #2, above.
Perfect and 100%.
<snip>
The analysts that do this for a living have the same reactions that any humans do to being lied to and/or condescended to. Therefore, as well as being 100% truthful, go out of your way NOT to be:
-condescending
-brusque
-sharp, terse and/or sounding like you're being inconvenienced
-insulting
-just generally slippery, aloof, evasive and unforthcoming. As mentioned; they know more than you think they do. Always.
DO be apologetic, contrite and extremely cooperative.
Finally, any version of "...in which case, I'll be emailing [insert name or department here] to tell them how I, a [insert years flying AA, status, MMer, $$ spent, etc] customer is being treated" and/or mention of your lawyer, DOT, Chris Elliot, this forum, any blogger, etc. DO NOT DO THIS.
Account audit / blocked / fraud: award / miles / SWU / sale, barter, etc.
#947
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,192
This is standard procedure for when an AAdvantage account gets compromised. I haven't heard about the e-mail address change requirement, but I've known others whose AAdvantage numbers have changed after miles were taken out of their accounts. In this case, at least the account was secured before the fraudsters did any damage. It's unfortunate since many of us have sentimental attachment to a number with a long tenure, but I wouldn't worry about the change since everything will transfer over in kind.
Last edited by Majuki; Jun 10, 2023 at 1:22 am
#948
Join Date: Jan 2011
Location: Washington, D.C.
Programs: AA, but I play the field
Posts: 1,530
I sympathize with your plight, but based on what you've said above they aren't making you do anything, they are giving you a choice: you can choose to keep your old number (contrary to their security recommendation) but then you must also assume the resultant security risk. To me that is the definition of fair.
Last edited by ZenFlyer; Jun 10, 2023 at 3:24 pm
#949
Join Date: Jan 2000
Location: Baltimore/Washington, USA
Programs: AA LT Platinum, Hilton LT Diamond, Marriott Titanium
Posts: 3,078
I sympathize with your plight, but based on what you've said above they aren't making you do anything, they are giving you a choice: you can choose to keep your old number (contrary to their security recommendation) but then you must also assume the resultant security risk. To me that is the definition of fair.
That’s too much and unreasonable.
#950
Join Date: Jan 2011
Location: Philadelphia, PA
Programs: AAdvantage Exec Platinum, Hertz #1 Club Gold Five Star, IHG Platinum, Marriott Gold, HHonors Silver
Posts: 2,070
Unfortunately, sometimes after a data security breach at an important account like this (or your credit card, etc.), you need to put in a little bit of extra effort to resolve it. That's the world we live in today. You can complain all you want that it is "too much and unreasonable", but no one at AA (or much of the internet) is going to cry the blues over this for you.
#951
Join Date: Jan 2011
Location: Washington, D.C.
Programs: AA, but I play the field
Posts: 1,530
Suppose your home was burglarized and there was no sign of forced entry; someone used a key to obtain access. If you subsequently declined to change the locks, should the insurance company be held liable for future losses?
#952
Join Date: Sep 2019
Location: NYC, SEA
Programs: Hyatt Glob, Marriott Titanium, AA EXP, DL PM, AS 100k (fake), B6 M3 (fake), BA Gold (fake), UA FO.
Posts: 786
I agree with those saying that this could have resulted in much worse than the loss of an FFN, but that said, I don't think it's really unreasonable to expect to keep the FFN. If AA believes that the FFN affects security, that suggests that AA's fraud prevention team is using the FFN as a supplemental authentication credential, like a second password. That seems to be the truly unreasonable practice here. If AA is not comfortable with its password system alone (without relying on any perceived residual protection that a non-private identifier like an FFN may provide), then AA needs to mandate MFA of some sort, such as a text or app push message. Short of MFA, the airline should insure against fraud losses without pushing aggravating changes on affected customers merely to achieve dubious security benefits.
#953
Join Date: Aug 2022
Programs: AA Executive Platinum (Oneworld Emerald)
Posts: 135
I agree with those saying that this could have resulted in much worse than the loss of an FFN, but that said, I don't think it's really unreasonable to expect to keep the FFN. If AA believes that the FFN affects security, that suggests that AA's fraud prevention team is using the FFN as a supplemental authentication credential, like a second password. That seems to be the truly unreasonable practice here. If AA is not comfortable with its password system alone (without relying on any perceived residual protection that a non-private identifier like an FFN may provide), then AA needs to mandate MFA of some sort, such as a text or app push message. Short of MFA, the airline should insure against fraud losses without pushing aggravating changes on affected customers merely to achieve dubious security benefits.
AA likely wants the FFN changed for 2 (legitimate) reasons:
1) Chances are reasonably high that OP's new password (or at least, most people in OP's position) is substantially similar to his previous one, and that will be the starting point for anyone wanting to regain control of the account.
2) AA requires the user's last name to match the FFN when logging in. Without a change to a new random FFN, this check is worthless, since the current attackers (and depending on the source of the leak, potentially many more) know who owns the existing FFN.
As for wanting a new email address, since the attackers changed the email address they obviously now know the prior one, and can target that email address to get back into the account, if they wish. It's also possible (from AA's POV) that the email account was how the AA account got compromised in the first place.
Agreed that MFA would be a good addition, but given the likely implementation (SMS messages), it will end up being annoying and have limited security usefulness. Ideally they'd use something actually good like U2F or WebAuthn, but those tend to be outside the technical competence of most users.
Source: I'm a professional Software Engineer who has previously worked in internet security.
Edit: That said, most airlines DO use the FFN in ways that aren't particularly secure, generally expecting them to be reasonably secret. For AA for example, if you're at an airport you can use the kiosks with just an FFN to be able to modify someone's reservation. This is likely an intentional tradeoff being made between security and usability (I always use my FFN at the kiosks to print my BP, rather than the PNR).
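The recovery argument in the post above, modelled as an added example. This is not code from the thread, from AA, or from any airline system; the account layout, the function names and the constructed accounts are assumptions made for the demonstration. It shows which of an attacker's pieces of knowledge (the account number used as the login identifier together with the last name, the password, a live session) each recovery step invalidates, and why rotating only the password leaves the number + last-name check defeated.

```python
"""Model of an account-recovery flow after a loyalty-account takeover.

Added example; not code from the thread, from AA, or from any airline system.
The account layout, function names and the constructed accounts below are
assumptions made for the demonstration.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt with small parameters so the example runs quickly; a production
    # deployment would use a larger n.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


@dataclass
class Account:
    number: str               # public identifier (the frequent flyer number)
    last_name: str
    email: str
    salt: bytes
    pw_hash: bytes
    # (salt, hash) of earlier passwords, used to refuse reuse after a reset
    pw_history: list = field(default_factory=list)
    sessions: set = field(default_factory=set)
    reset_required: bool = False


class AccountStore:
    def __init__(self) -> None:
        self._by_number: dict = {}

    def create(self, number: str, last_name: str, email: str, password: str) -> Account:
        salt = os.urandom(16)
        acct = Account(number, last_name.upper(), email, salt, hash_password(password, salt))
        self._by_number[number] = acct
        return acct

    def login(self, number: str, last_name: str, password: str) -> Optional[str]:
        """Number + last name + password login. Returns a session token or None."""
        acct = self._by_number.get(number)
        if acct is None or acct.last_name != last_name.upper() or acct.reset_required:
            return None
        if not secrets.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(16)
        acct.sessions.add(token)
        return token

    def is_valid_session(self, number: str, token: str) -> bool:
        acct = self._by_number.get(number)
        return acct is not None and token in acct.sessions

    def recover(self, acct: Account, new_email: Optional[str] = None) -> str:
        """Post-compromise recovery: invalidate everything the attacker may hold."""
        acct.sessions.clear()                 # any live attacker session dies
        acct.reset_required = True            # the leaked password stops working
        acct.pw_history.append((acct.salt, acct.pw_hash))
        old_number = acct.number
        new_number = old_number
        while new_number in self._by_number:  # fresh random identifier, never reused
            new_number = f"{secrets.randbelow(10**8):08d}"
        del self._by_number[old_number]       # the leaked number no longer resolves
        acct.number = new_number
        self._by_number[new_number] = acct
        if new_email is not None:             # optional, as discussed in the thread
            acct.email = new_email
        return new_number

    def reset_password(self, acct: Account, new_password: str) -> bool:
        """Completes recovery. Refuses any password that was already compromised."""
        for salt, old_hash in acct.pw_history:
            if secrets.compare_digest(old_hash, hash_password(new_password, salt)):
                return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.reset_required = False
        return True


def demo() -> dict:
    """Constructed scenario: the attacker knows number, last name and password."""
    store = AccountStore()
    victim = store.create("12345678", "Smith", "jsmith@example.invalid", "Summer2023!")
    attacker_session = store.login("12345678", "smith", "Summer2023!")
    results = {"attacker_in": attacker_session is not None}
    new_number = store.recover(victim)
    results["session_after_recovery"] = store.is_valid_session("12345678", attacker_session)
    results["old_number_login"] = store.login("12345678", "smith", "Summer2023!")
    results["new_number_old_password"] = store.login(new_number, "smith", "Summer2023!")
    results["reuse_rejected"] = not store.reset_password(victim, "Summer2023!")
    results["reset_ok"] = store.reset_password(victim, "correct horse battery staple")
    results["owner_in"] = store.login(new_number, "Smith", "correct horse battery staple") is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` walks the scenario end to end: the attacker logs in with the leaked triple, recovery kills the session and retires the old number, the leaked password is refused both at login and as the "new" password, and only the owner gets back in with the new number and a fresh password. Note what the model does not do: it cannot detect a new password that is merely similar to the old one without the old plaintext, which is why a reset alone, as the post argues, leaves the identifier rotation doing real work.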
#954
Join Date: Jan 2000
Location: Baltimore/Washington, USA
Programs: AA LT Platinum, Hilton LT Diamond, Marriott Titanium
Posts: 3,078
AA likely wants the FFN changed for 2 (legitimate) reasons:
1) Chances are reasonably high that OPs new password (or at least, most people in OPs position) is substantially similar to his previous one, and that will be the starting point for anyone wanting to regain control of the account.
2) AA requires the user's last name to match the FFN when logging in. Without a change to a new random FFN, this check is worthless, since the current attackers (and depending on the source of the leak, potentially many more) know who owns the existing FFN.
As for wanting a new email address, since the attackers changed the email address they obviously now know the prior one, and can target that email address to get back into the account, if they wish. It's also possible (from AA's POV) that the email account was how the AA account got compromised in the first place.
Agreed that MFA would be a good addition, but given the likely implementation (SMS messages), it will end up being annoying and have limited security usefulness. Ideally they'd use something actually good like U2F or WebAuthn, but those tend to be outside the technical competence of most users.
Source: I'm a professional Software Engineer who has previously worked in internet security.
Edit: That said, most airlines DO use the FFN in ways that aren't particularly secure, generally expecting them to be reasonably secret. For AA for example, if you're at an airport you can use the kiosks with just an FFN to be able to modify someone's reservation. This is likely an intentional tradeoff being made between security and usability (I always use my FFN at the kiosks to print my BP, rather than the PNR).
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.
I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.
I think that’s reasonable to keep my email, don’t you?
#955
Join Date: Sep 2009
Location: Global
Posts: 6,092
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.
I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.
I think that’s reasonable to keep my email, don’t you?
#956
FlyerTalk Evangelist
Join Date: Aug 2012
Location: KHOU/KIAH
Programs: AA EXP | Marriott LT Plat | Hyatt Discoverist
Posts: 11,551
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.
I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.
I think that’s reasonable to keep my email, don’t you?
If you've made up your mind, go forth. That said, there are consequences and if you're OK with them, there's nothing wrong with it.
I agree with those saying that this could have resulted in much worse than the loss of an FFN, but that said, I don't think it's really unreasonable to expect to keep the FFN. If AA believes that the FFN affects security, that suggests that AA's fraud prevention team is using the FFN as a supplemental authentication credential, like a second password. That seems to be the truly unreasonable practice here. If AA is not comfortable with its password system alone (without relying on any perceived residual protection that a non-private identifier like an FFN may provide), then AA needs to mandate MFA of some sort, such as a text or app push message. Short of MFA, the airline should insure against fraud losses without pushing aggravating changes on affected customers merely to achieve dubious security benefits.
The lack of 2FA is inexcusable, I agree. Then again, 2FA with email doesn't help if the email is compromised. U2F is several decades too advanced for AA IT.
Last edited by Antarius; Jun 11, 2023 at 3:18 pm
#957
A FlyerTalk Posting Legend
Join Date: Jan 2002
Posts: 44,981
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.
I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.
I think that’s reasonable to keep my email, don’t you?
Setting up a new email address is trivial and free - just get emails forwarded from the new address
As far as reasonableness goes, AA seems to be being reasonable. Change the ids or any future risk is on you. Which is more important to you.
#958
Original Member
Join Date: May 1998
Location: CT/NY
Programs: UA 1K/1MM, AA EXP, Marriott LT Titanium, Hyatt Globalist, IHG Plat Amb
Posts: 6,148
Thanks for the explanation. I am now ok with changing my coveted old school AAdvantage number. But not necessarily my email. When I speak with account security tomorrow, I will ask why they don’t use MFA like other airlines and hotels do.
I do have another personal email address I could use, but it’s for SPAM type stuff and I only push it to my iPad, not iPhone that I carry everywhere.
I think that’s reasonable to keep my email, don’t you?
#959
Join Date: Jan 2000
Location: Baltimore/Washington, USA
Programs: AA LT Platinum, Hilton LT Diamond, Marriott Titanium
Posts: 3,078
I think the main issue with my email is I was an early adopter…… Meaning it’s my lastnamefirstnameinitial.com. So it could be that the hacking $@*hole just starts With the easy stuff. He or she tried my [email protected] . People suck!
#960
Join Date: Sep 2019
Location: NYC, SEA
Programs: Hyatt Glob, Marriott Titanium, AA EXP, DL PM, AS 100k (fake), B6 M3 (fake), BA Gold (fake), UA FO.
Posts: 786
Not that it makes any practical difference, but as a cybersecurity professional myself, I have to reiterate my strong objection to using something like an FFN as a security credential. If the concern is a similar password, that suggests that AA needs better prior password restrictions. But blindly relying on a non-private data element like an FFN to do your security hygiene for you by random chance strikes me personally as supremely ill-advised.