My Aeroplan Account Got Hacked!

Jessica and I were walking around the city of Novosibirsk earlier today, exploring Russia’s third largest city on our pit stop along the Trans-Siberian Railway. We had just finished looking at the Alexander Nevsky Cathedral when we decided to take cover from the sweltering mid-afternoon heat and sit down in the shade for a bit.

I open up my Gmail app, expecting to see a marketing email or two, or perhaps a reader email from a morning owl back home. Instead, I see two emails from Aeroplan about new bookings.

Okay, that’s weird. I haven’t booked any trips with Aeroplan recently, although I figured it might be a schedule change notification, or perhaps an earlier confirmation email that never arrived until now. I open up the messages, only to be confronted with this madness:

What in the World?!

It takes a few seconds for me to realize that I’ve been hacked. Fraudsters have gained access to my Aeroplan account, and were in the process of relieving it of the roughly 100,000 miles that were sitting in there.

They’ve just redeemed 80,000 miles for four one-way tickets from Zhanjiang (ZHA) to Beijing (PEK) on Air China Flight 1861, departing at 7pm local time on Thursday, July 12, which is about 24 hours from now. A brief glance at the passenger names and titles tells me that the passengers are an adult and three children, all female.

Hilariously, they’ve even used 1,650 miles to cover the $9.90 in departure taxes, presumably to avoid providing a potentially incriminating credit card number. These fraudsters were making a mockery of my hard-earned miles by redeeming them for taxes and fees at a terrible value. There is truly no honour among thieves.

I head to a nearby coffee shop to deal with this mess. I briefly try cancelling the tickets outright on the Aeroplan website, but of course, Aeroplan doesn’t actually give you a mileage refund if you cancel tickets within 22 days of departure; instead, you have to use up the value of the ticket within one year of cancellation.

To get my miles back, I was going to have to call Aeroplan and explain the situation. I had heard of this kind of stuff happening before and was confident that Aeroplan would make me whole by cancelling the tickets and refunding me my miles. But of course, this being Aeroplan, the call centre wouldn’t actually open until 7am Eastern Time, which meant that I had to wait around for a few hours.

I do all I can for now, which is to update my password and security questions – to be honest, I’m surprised the fraudsters hadn’t gotten to them first. But just as I was getting ready to leave the coffee shop and head towards my next Novosibirsk landmark, I was dealt yet another nasty surprise:

That’s right – not satisfied with redeeming 80,000 of my 100,000 miles, the fraudsters had issued yet another reward ticket to use up the remaining 20,000 miles, this time in the opposite direction from Beijing to Zhanjiang on Air China Flight 1861. This flight was departing at 6am local time on the 12th, which was in just about 12 hours’ time. And while this singular passenger’s surname is Zhang, I can assure you that there’s no relation.

I wasn’t panicking since I knew that a quick phone call to Aeroplan would resolve the situation, but even though I had heard about this kind of thing happening before, it was still quite jarring for it to actually happen to me.

Nevertheless, I put it aside for a moment to get our sightseeing done, and when the clock struck 7am Eastern Time, I was back at the hotel getting through to the Aeroplan call centre. A sleepy Aeroplan agent quickly sorted me out, cancelling the tickets and refunding the miles within a few minutes.

What’s Actually Going On Here

Frequent flyer accounts are routinely targeted by those seeking to commit fraud, and last-minute bookings are one of the most common ways for thieves to steal your hard-earned miles and points. They gain access to accounts through various ways – perhaps by brute-forcing a password, targeting a vulnerable security question, or through social engineering or phishing emails. Once they’re in control of an account, one of the most effective ways to “spend” the miles is to issue last-minute award tickets. The fraudsters might issue tickets for themselves or their friends or family, or work with travel agencies to sell tickets to unsuspecting travellers under the guise of “amazing deals”.

They almost always book last-minute travel, since the risk of detection is the lowest. Moreover, once the flight departs and the passenger actually travels, there’s no further action that can be taken against them for having used a stolen ticket.

Issues like these are why programs like Alaska Airlines Mileage Plan, for instance, have implemented stricter rules on last-minute award redemptions. This prevents bad actors from hacking accounts, spending the miles on a flight departing within the next few hours, and making out like bandits.

Aeroplan, on the other hand, is quite well-known among frequent flyer programs for having relatively loose security and fraud prevention measures. I mean, just look at their mandatory password requirements, which I noticed today when updating my password. Must be between 6 and 10 characters? No special characters? Why not?!

Screen Shot 2018-07-12 at 1.59.27 AM.png

I wouldn’t be surprised if Aeroplan deals with dozens upon dozens of these situations every day. However, every frequent flyer program has the obligation of ensuring the integrity of its members’ accounts one way or another, so if this ever happens to you, rest assured that the program is of course obligated to refund the miles that were fraudulently deducted from your account – even if travel on the stolen tickets has already taken place.

In this scenario, I noticed what was going on as soon as the first tickets were issued, but keep in mind that I’m a heavy Aeroplan user and I look at every email that they send me. On the other hand, casual Aeroplan members might miss or skip over their emails, not realizing that anything untoward had happened until they check their accounts several months later, long after the stolen flight had already been flown. Even then, a phone call to Aeroplan should be all it takes to get the miles redeposited.

Screen Shot 2018-07-12 at 2.01.21 AM.png

Of course, we all hope that it doesn’t come to that, and the prudent thing to do is to use robust passwords and security questions, making sure to change them every few months. You want to be especially careful with the security questions, since the answers to common questions like “What’s your pet’s name?” can be easily sourced on social media accounts. Use questions and answers that are as secret as possible, or better yet, just use straight-up false answers that are known only to yourself (but take care not to forget them).

Lastly, as much as I’m usually the first to defend my compatriots, there’s no doubt that the overwhelming majority of these frequent flyer hackers operate within China. These people look for ways to defraud the airlines, hotels, and credit cards in various black-hat ways that make maximizing credit card bonuses look positively benevolent.

In my situation, I think the most likely scenario is that the passengers on these bookings were sold “amazing deals” by the hackers, who are presumably based in Zhanjiang, a city in Guangdong Province. I do feel a tinge of sympathy for the passengers, as they’re quite likely to be the ones paying the price – after all, if the hackers don’t make alternate arrangements for them (read: use other hacked accounts to re-issue tickets), poor Ms. Yang and (presumably) her daughters are going to be stranded at Zhanjiang Airport tomorrow, and they aren’t going to be very happy!

Conclusion

As you work on earning and redeeming points to travel the world, make sure you’re keeping your accounts secure! Frequent flyer programs will always send you an email when miles have been redeemed from your account or when your security preferences have changed, so be sure to monitor these emails and act accordingly if you didn’t initiate a certain action. And if one day the unthinkable happens and your miles do indeed vanish into a handful of intra-China one-ways, remember that you don’t have to panic, since Aeroplan – for all its faults in allowing things like this to happen in the first place – will always do right by you and make you whole.