For those of you who didn’t know, my American Airlines AAdvantage account was hacked a few weeks ago; the thieves made 138,500 miles’ worth of bookings before we could put a stop to it. I gave a pretty thorough explanation of exactly what happened in my previous post here.
An update and conclusion to the story
This morning I was finally able to get a printout of the police report I filed with the Dallas Police Department. I forwarded the police report over to my contact at American Corporate Security. An hour or so later, I received a reply, reading as follows (name of the American employee removed):
I checked my AAdvantage account and…my miles are back! That’s the long and the short of it. I had to go down to Dallas Police Department HQ a few times, since they were having some issues with their records system, but ultimately I did exactly what American Airlines asked of me, Dallas PD gave me the exact data needed in the report, and everything is relatively back to normal now!
Before I talk about what (I think) should be changed, a brief thank you to American Airlines
I’m grateful to the American Airlines employees who assisted me through this stressful situation. From the first agent who gasped when she saw miles being drained from my account to the corporate security representative who helped me get my miles back, American treated this issue seriously and was super quick to get everything squared away once they had everything they needed.
My most sincere thanks to American Airlines for helping me.
Now, what should be different?
OK, American has it tough here. There’s always a balance between convenience and security, and it’s a fine line to walk; I get that. All things considered, the main problem here is that it was way too easy to change my account email address once the account was compromised.
There are certain fields in an AAdvantage account that should be locked down. Birthdate, for instance, should never change. Address? That could change all the time. What about email address? I’d argue that email address changes are pretty rare (I’m reaching out to American to see if they can shed light on this).
When it comes to security there are what I call “challenge points”: places where users should be forced to re-authenticate themselves before making certain changes. Changing an AAdvantage account’s email address should be a challenge point. The current procedure, emailing both the old and the new email address after the change has gone through, is retroactive and does not prevent theft from taking place.
Whether the challenge is two-factor authentication (which would be a nightmare to roll out) or answering security questions, changing an AAdvantage account email address should be hard and should take time. Right now it’s no different than changing a physical address and that’s too easy.
Making the email address harder to change would not have prevented the hacker from making false award bookings using my miles. What it would have done, though, is prevented the award redemption email from going to the new email address they attempted to change it to (I changed it back almost as soon as it happened because I happened to check my email shortly after the account was compromised).
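To make the “challenge point” idea concrete, here is an added example (my own illustration, not American Airlines’ code or anything the post describes them running) of how an account service could treat an email change: the request is refused unless the session re-authenticated recently, the new address is held as pending until it is verified and a hold period has passed, the old address receives a cancel link, and in the meantime every award-redemption receipt still goes to the address of record. The time limits, the `Account` fields and the `notify` outbox are all assumptions made for the example.

```python
"""Step-up ("challenge point") handling for a sensitive account change.

Added example, not the airline's code. REAUTH_MAX_AGE and CHANGE_HOLD are
assumed policy values; the outbox list stands in for a real mail sender.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

REAUTH_MAX_AGE = 5 * 60        # seconds a fresh login is trusted for (assumed)
CHANGE_HOLD = 24 * 60 * 60     # seconds a new address waits before it takes effect (assumed)


class ChallengeRequired(Exception):
    """Raised when a sensitive change is attempted without fresh re-authentication."""


@dataclass
class Account:
    number: str
    email: str                      # address of record; all notifications go here
    miles: int
    last_reauth_at: Optional[float] = None
    pending_email: Optional[str] = None
    pending_since: Optional[float] = None
    verify_token: Optional[str] = None   # mailed to the NEW address
    cancel_token: Optional[str] = None   # mailed to the OLD address
    outbox: list = field(default_factory=list)  # (recipient, subject) pairs


def notify(acct: Account, recipient: str, subject: str) -> None:
    acct.outbox.append((recipient, subject))


def reauthenticate(acct: Account, credential_ok: bool, now: float) -> None:
    """Record a successful step-up; the password/2FA check itself happens elsewhere."""
    if credential_ok:
        acct.last_reauth_at = now


def request_email_change(acct: Account, new_email: str, now: float) -> tuple:
    """Challenge point: refuse unless the session re-authenticated recently.

    On success the change is only *pending*: the new address must prove it
    exists, the old address can veto, and the hold period must elapse.
    """
    if acct.last_reauth_at is None or now - acct.last_reauth_at > REAUTH_MAX_AGE:
        raise ChallengeRequired("re-authenticate before changing the account email")
    acct.pending_email = new_email
    acct.pending_since = now
    acct.verify_token = secrets.token_urlsafe(16)
    acct.cancel_token = secrets.token_urlsafe(16)
    notify(acct, new_email, "Verify your new AAdvantage email address")
    notify(acct, acct.email, "Email change requested; click to cancel if this was not you")
    return acct.verify_token, acct.cancel_token


def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    """Apply the pending change only with the verify token AND after the hold."""
    if acct.verify_token is None or not secrets.compare_digest(token, acct.verify_token):
        return False
    if now - acct.pending_since < CHANGE_HOLD:
        return False  # too early; the owner still has time to cancel
    acct.email = acct.pending_email
    _clear_pending(acct)
    return True


def cancel_email_change(acct: Account, token: str) -> bool:
    """The old address holds the veto for the whole hold period."""
    if acct.cancel_token is None or not secrets.compare_digest(token, acct.cancel_token):
        return False
    _clear_pending(acct)
    return True


def _clear_pending(acct: Account) -> None:
    acct.pending_email = acct.pending_since = None
    acct.verify_token = acct.cancel_token = None


def redeem_award(acct: Account, miles: int, now: float) -> bool:
    """Deduct miles; the receipt goes to the address of record, which stays the
    old address until a pending change has been confirmed."""
    if miles <= 0 or miles > acct.miles:
        return False
    acct.miles -= miles
    notify(acct, acct.email, f"Award redemption: {miles} miles")
    return True
```

The point of the design is the ordering: a redemption made while the change is pending still produces a receipt at the owner’s original address, which is exactly the notification the post says was at risk of being diverted.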
Ultimately there’s little that can be done to fully protect people from a determined hacker. The balance between security and convenience is just too delicate. American also has the problem of their users logging into their accounts from all over the world, making IP-based security algorithms incredibly hard. It’s unfortunate that things like this have to be dealt with reactively instead of proactively, but it’s just the time we live in. I think tightening up security around email address changes is a reasonable and easy-to-implement change to ensure users are always receiving the notifications they need in order to realize something is wrong.