Jessica and I were walking around the city of Novosibirsk earlier today, exploring Russia’s third largest city on our pit stop along the Trans-Siberian Railway. We had just finished looking at the Alexander Nevsky Cathedral when we decided to take cover from the sweltering mid-afternoon heat and sit down in the shade for a bit.
I open up my Gmail app, expecting to see a marketing email or two, or perhaps a reader email from a morning owl back home. Instead, I see two emails from Aeroplan about new bookings.
Okay, that’s weird. I haven’t booked any trips with Aeroplan recently, although I figured it might be a schedule change notification, or perhaps an earlier confirmation email that never arrived until now. I open up the messages, only to be confronted with this madness:
What in the World?!
It takes a few seconds for me to realize that I’ve been hacked. Fraudsters have gained access to my Aeroplan account, and were in the process of relieving it of the roughly 100,000 miles that were sitting in there.
They’ve just redeemed 80,000 miles for four one-way tickets from Zhanjiang (ZHA) to Beijing (PEK) on Air China Flight 1861, departing at 7pm local time on Thursday, July 12, which is about 24 hours from now. A brief glance at the passenger names and titles tells me that the passengers are an adult and three children, all female.
Hilariously, they’ve even used 1,650 miles to cover the $9.90 in departure taxes, presumably to avoid providing a potentially incriminating credit card number. These fraudsters were making a mockery of my hard-earned miles by redeeming them for taxes and fees at a terrible value. There is truly no honour among thieves.
I head to a nearby coffee shop to deal with this mess. I briefly try cancelling the tickets outright on the Aeroplan website, but of course, Aeroplan doesn’t actually give you a mileage refund if you cancel tickets within 22 days of departure; instead, you have to use up the value of the ticket within one year of cancellation.
To get my miles back, I was going to have to call Aeroplan and explain the situation. I had heard of this kind of stuff happening before and was confident that Aeroplan would make me whole by cancelling the tickets and refunding me my miles. But of course, this being Aeroplan, the call centre wouldn’t actually open until 7am Eastern Time, which meant that I had to wait around for a few hours.
I do all I can for now, which is to update my password and security questions – to be honest, I’m surprised the fraudsters hadn’t gotten to them first. But just as I was getting ready to leave the coffee shop and head towards my next Novosibirsk landmark, I was dealt yet another nasty surprise:
That’s right – not satisfied with redeeming 80,000 of my 100,000 miles, the fraudsters had issued yet another reward ticket to use up the remaining 20,000 miles, this time in the opposite direction from Beijing to Zhanjiang on Air China Flight 1861. This flight was departing at 6am local time on the 12th, which was in just about 12 hours’ time. And while this singular passenger’s surname is Zhang, I can assure you that there’s no relation.
I wasn’t panicking since I knew that a quick phone call to Aeroplan would resolve the situation, but even though I had heard about this kind of thing happening before, it was still quite jarring for it to actually happen to me.
Nevertheless, I put it aside for a moment to get our sightseeing done, and when the clock struck 7am Eastern Time, I was back at the hotel getting through to the Aeroplan call centre. A sleepy Aeroplan agent quickly sorted me out, cancelling the tickets and refunding the miles within a few minutes.
What’s Actually Going On Here
Frequent flyer accounts are routinely targeted by those seeking to commit fraud, and last-minute bookings are one of the most common ways for thieves to steal your hard-earned miles and points. They gain access to accounts in various ways – perhaps by brute-forcing a password, targeting a vulnerable security question, or through social engineering or phishing emails. Once they’re in control of an account, one of the most effective ways to “spend” the miles is to issue last-minute award tickets. The fraudsters might issue tickets for themselves or their friends or family, or work with travel agencies to sell tickets to unsuspecting travellers under the guise of “amazing deals”.
They almost always book last-minute travel, since the risk of detection is the lowest. Moreover, once the flight departs and the passenger actually travels, there’s no further action that can be taken against them for having used a stolen ticket.
Issues like these are why programs like Alaska Airlines Mileage Plan, for instance, have implemented stricter rules on last-minute award redemptions. This prevents bad actors from hacking accounts, spending the miles on a flight departing within the next few hours, and making out like bandits.
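The pattern described above (departure within a day of booking, passengers unrelated to the account holder, taxes paid in miles, the balance drained in one go, a booking made from a different country than the member’s home) is exactly the kind of thing a loyalty program’s fraud team can score at redemption time and hold for review, which is what stricter last-minute rules amount to. The following is an added example written for this post; it is not code from Aeroplan, Alaska Airlines or any other program. The account and booking records, the signal weights and the hold threshold are all assumptions, constructed to mirror the two bookings described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Hypothetical record shapes, constructed for this example (not any program's real schema).
@dataclass
class Account:
    member_surname: str
    home_country: str      # ISO country code of the member's address
    balance_miles: int     # balance before this redemption


@dataclass
class Redemption:
    booked_at: datetime
    departs_at: datetime
    miles_spent: int       # includes any miles used to cover taxes/fees
    taxes_paid_with_miles: bool
    passenger_surnames: list
    booking_country: str   # country of the IP/device that made the booking (assumed available)


# Signal weights and the hold threshold are assumptions chosen for illustration.
LAST_MINUTE_WINDOW = timedelta(hours=48)
BALANCE_DRAIN_FRACTION = 0.75
WEIGHTS = {
    "last_minute": 3,            # flight departs within LAST_MINUTE_WINDOW of booking
    "third_party_passengers": 2, # none of the passengers share the member's surname
    "taxes_paid_with_miles": 2,  # avoids leaving a card number behind
    "balance_drain": 1,          # one booking consumes most of the balance
    "geo_mismatch": 2,           # booked from a country other than the member's home
}
HOLD_THRESHOLD = 5


def redemption_signals(acct: Account, r: Redemption) -> list:
    """Return the names of the risk signals that fire for one redemption."""
    signals = []
    if r.departs_at - r.booked_at <= LAST_MINUTE_WINDOW:
        signals.append("last_minute")
    if all(s.lower() != acct.member_surname.lower() for s in r.passenger_surnames):
        signals.append("third_party_passengers")
    if r.taxes_paid_with_miles:
        signals.append("taxes_paid_with_miles")
    if acct.balance_miles > 0 and r.miles_spent >= BALANCE_DRAIN_FRACTION * acct.balance_miles:
        signals.append("balance_drain")
    if r.booking_country != acct.home_country:
        signals.append("geo_mismatch")
    return signals


def risk_score(signals: list) -> int:
    return sum(WEIGHTS[s] for s in signals)


def decide(acct: Account, r: Redemption) -> tuple:
    """Return (decision, score, signals); 'hold_for_review' means ticket issuance is paused."""
    signals = redemption_signals(acct, r)
    score = risk_score(signals)
    decision = "hold_for_review" if score >= HOLD_THRESHOLD else "allow"
    return decision, score, signals


# Constructed sample data modelled on the bookings in the post.
T0 = datetime(2018, 7, 11, 11, 0, tzinfo=timezone.utc)
ACCOUNT = Account(member_surname="Zhang", home_country="CA", balance_miles=100_000)

# First booking: 80,000 miles + 1,650 for taxes, four passengers surnamed Yang, departs ~24h later.
FIRST_BOOKING = Redemption(T0, T0 + timedelta(hours=24), 81_650, True, ["Yang"] * 4, "CN")

# Second booking: remaining 20,000 miles, one passenger who happens to share the member's surname,
# departs ~12h later. Shows that a single matching surname is not enough to clear the hold.
ACCOUNT_AFTER_FIRST = Account("Zhang", "CA", 20_000)
SECOND_BOOKING = Redemption(T0, T0 + timedelta(hours=12), 20_000, False, ["Zhang"], "CN")

# A benign redemption by the member: three weeks out, own name, card-paid taxes, home country.
BENIGN_BOOKING = Redemption(T0, T0 + timedelta(days=21), 25_000, False, ["Zhang"], "CA")

if __name__ == "__main__":
    for label, acct, r in [("first", ACCOUNT, FIRST_BOOKING),
                           ("second", ACCOUNT_AFTER_FIRST, SECOND_BOOKING),
                           ("benign", ACCOUNT, BENIGN_BOOKING)]:
        print(label, decide(acct, r))
```

The weights are additive so that no single signal decides the outcome: a genuine last-minute trip by the member in their own name from home scores 3 and goes through, while the combination that appears in the post scores well above the threshold. A program would pair the hold with an out-of-band confirmation to the member rather than a silent block.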
Aeroplan, on the other hand, is quite well-known among frequent flyer programs for having relatively loose security and fraud prevention measures. I mean, just look at their mandatory password requirements, which I noticed today when updating my password. Must be between 6 and 10 characters? No special characters? Why not?!
I wouldn’t be surprised if Aeroplan deals with dozens upon dozens of these situations every day. However, every frequent flyer program has the obligation of ensuring the integrity of its members’ accounts one way or another, so if this ever happens to you, rest assured that the program is of course obligated to refund the miles that were fraudulently deducted from your account – even if travel on the stolen tickets has already taken place.
In this scenario, I noticed what was going on as soon as the first tickets were issued, but keep in mind that I’m a heavy Aeroplan user and I look at every email that they send me. On the other hand, casual Aeroplan members might miss or skip over their emails, not realizing that anything untoward had happened until they check their accounts several months later, long after the stolen flight had already been flown. Even then, a phone call to Aeroplan should be all it takes to get the miles redeposited.
Of course, we all hope that it doesn’t come to that, and the prudent thing to do is to use robust passwords and security questions, making sure to change them every few months. You want to be especially careful with the security questions, since the answers to common questions like “What’s your pet’s name?” can be easily sourced on social media accounts. Use questions and answers that are as secret as possible, or better yet, just use straight-up false answers that are known only to yourself (but take care not to forget them).
Lastly, as much as I’m usually the first to defend my compatriots, there’s no doubt that the overwhelming majority of these frequent flyer hackers operate within China. These people look for ways to defraud the airlines, hotels, and credit cards in various black-hat ways that make maximizing credit card bonuses look positively benevolent.
In my situation, I think the most likely scenario is that the passengers on these bookings were sold “amazing deals” by the hackers, who are presumably based in Zhanjiang, a city in Guangdong Province. I do feel a tinge of sympathy for the passengers, as they’re quite likely to be the ones paying the price – after all, if the hackers don’t make alternate arrangements for them (read: use other hacked accounts to re-issue tickets), poor Ms. Yang and (presumably) her daughters are going to be stranded at Zhanjiang Airport tomorrow, and they aren’t going to be very happy!
Conclusion
As you work on earning and redeeming points to travel the world, make sure you’re keeping your accounts secure! Frequent flyer programs will always send you an email when miles have been redeemed from your account or when your security preferences have changed, so be sure to monitor these emails and act accordingly if you didn’t initiate a certain action. And if one day the unthinkable happens and your miles do indeed vanish into a handful of intra-China one-ways, remember that you don’t have to panic, since Aeroplan – for all its faults in allowing things like this to happen in the first place – will always do right by you and make you whole.
I was playing golf today, forgot that I needed to look for a plane ticket… I didn’t have the AP Android app installed on the phone so I go on the Play Store, download it, log in, do my search and log out… Not even 15 minutes later I get 50 spams (the ones not filtered by the Gmail app…) and I notice two AP emails saying some of my creds were changed, but I never saw the ticket booked? It’s just when I got back home and logged in with my desktop that I saw all those miles being booked and auto refunded. I’ve been told their system detected that because nobody uses the miles to pay for taxes.
But now the annoying thing… What were the odds that this would happen 15 minutes after installing their stupid app!?! I don’t click on spam etc…
Lol this just happened to me today, July 12 2019, 1 year after it happened to you, and we came to the same conclusion: they hacked my Aeroplan account and yes, Aeroplan still only allows 6-10 chars with no special chars. It is asking to be hacked, and I asked why there is no two-factor authentication and why not geolocation validation if logging in from an unknown device.
This time the hacker got my email from Aeroplan and started to spam my email with hundreds of subscription hoping I would delete all these emails including the Aeroplan ones.
It’s really quite unbelievable. That’s a pretty genius tactic too, spamming your inbox. Happy to hear you remained vigilant and alert to the attack.
Just happened to me too last night. I woke up to an email about a last-minute booking from Beijing to Newark in business class on United UA88. The booking was made literally minutes after I went to bed, as if those thieves were watching me! The passenger was a Chinese female. It was already up in the air by the time I woke up. Called Aeroplan right away and the lady on the phone asked me to change my password, which I did right on the spot, and told me I should get my ~82k miles back in a couple of days. Based on her reaction it seemed like this is very routine for them. I am also extremely surprised at the lack of prevention from Aeroplan’s side. It is such a huge red flag when someone is booking a last-minute flight for someone else in a completely different part of the world, and it must cost them a fortune to just keep on reimbursing without doing anything to make it more difficult to do this in the first place. Being unable to change the password into something that’s longer than 10 symbols and has special characters is a good indication why, I guess…
Totally crazy! Good to know to keep an eye out
Happened to me last night… Toronto -> Vancouver last-minute booking. Interestingly, my password was not changed and I didn’t receive any email about the booking. I found out because I randomly logged into my account to see, and I was short 20k miles..
Aeroplan resolved the issue and refunded..
Glad to hear it worked out. Those pesky fraudsters, they’re everywhere.
This just happened to me today! I’m happy I came across your post so that I knew what to do. My heart sank when I saw all my hard-earned points gone.
Glad to hear it all worked out. It can definitely be a jarring moment, but thankfully Aeroplan are very good about protecting their members in situations like these.
Your AP account was not hacked, you were p0wn3d – probably due to some dodgy websites/apps usage. The AP website is no longer susceptible to brute force password attacks – and quite frankly, those type of attacks are far too expensive to perform in terms of time and resources required, when the average plebes are more than eager to divulge the information to p0wn them and their accounts.
It all boils down to the very old adage – there is no patch for human stupidity.
Ew… p0wn3d? It’s fucking pwnd you pleb. You can’t even do leet speak properly.
You’re probably right. However, "My Aeroplan Account Got P0wn3d" would be a rather silly blog title 🙂
You handled this very calmly. Curious as to what you used to call Aeroplan from Russia. The wait can be long and the cost of the phone call can start to add up.
If you have a decent wifi connection, a Skype call to any toll free number (e.g. 1800, 1888, etc.) is free.
Great shout Jason. I routinely do this when I’m abroad, but it must have slipped my mind at the moment.
Hey Bernard,
I used KnowRoaming. It cost me $5.03 for the ~15 minute call.
If you don’t take precautions, it will only be a question of "when" you will be hacked. Get a password protection app. Don’t be cheap. If nothing else it will be peace of mind. But more likely it will keep your bank account, miles and personal data safe from harm. I use 1Password. It is not only good, I feel proud to support this Canadian company. Seriously, if you don’t take steps, they will get you sooner or later. Be proactive.
Great advice, Bruce. I’ve heard that LastPass is good for this purpose as well. Definitely need to get my ducks in a row!
Hey, I got hacked too!!! Bugger booked a 1-week rental of an Escalade! And from my home airport (YYZ) too! I am very tempted to post the guy’s email and number on Reddit but afraid he can retaliate by hacking more of my stuff so…
I wouldn’t be surprised if this happens all the time. Since I published this article, the search traffic from Google has been nonstop, so it seems it’s a widespread issue. Yet somehow Aeroplan still finds it easier to reinstate miles after-the-fact than implement stricter security measures. Boggles the mind.
WOW! Glad to hear this was resolved. Very stressful situation
How rich you are! Ricky! So many miles!
Now if only that were true about my bank account as well 😉
If you have as much cash lying around as your points in this post, the MS opportunities are endless. You can book a first class flight from one end of the world to the other and do it again after a month.
Wow, this is great information, as I (luckily) have never had this happen to me. I will be much more vigilant with all my award plans, because if it can happen to the Prince it can happen to anyone. (Just kidding.)