An Iranian student in South Florida named Milad Avazdavani has been charged for “hacking into the AAdvantage accounts of high-mileage customers and siphoning off enough points to charge trips and cars worth more than $260,000.”
The value of the miles he’s alleged to have stolen is almost certainly inflated, especially now that American sells miles at 1.8 cents apiece. A 1.8 cent a mile valuation would imply he had stolen 14.5 million miles. That seems unlikely.
On two occasions he allegedly booked himself into the five-star Jumeirah Emirates Towers Hotel in Dubai, and stayed at the four-star Marriott Pompano Beach Resort and Spa in Fort Lauderdale.
…Avazdavani also rented five vehicles including a $50,000 BMW Z4 sports car, a $47,000 Chevrolet Tahoe and a $26,000 Chevrolet Camaro…
In each case the AAdvantage accountholder’s email address was changed, and the transactions were made from a computer at the same IP address. An email-address change followed soon afterward by redemptions in the name of someone other than the accountholder is a flag for potential fraud. When a single IP address is linked to email changes and third-party redemptions across a number of accounts, that’s a pretty good giveaway.
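The two signals described above (an email change followed shortly by a redemption in someone else’s name, and one IP address tied to that pattern across several accounts) are easy to turn into a rule. The script below is an added illustration, not code from this post or from American; the account ids, holder names, IP addresses and event records are all constructed for the example, and the 72-hour window is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: account ids, holder names and IPs are made up.
ACCOUNT_HOLDERS = {
    "AA1001": "Jane Doe",
    "AA1002": "Raj Patel",
    "AA1003": "Maria Ortiz",
    "AA1004": "Li Wei",
}

# Each event: (ISO timestamp, account id, event type, source IP, detail).
# For email_change the detail is the new address; for redemption it is the traveler name.
EVENTS = [
    ("2014-03-01T09:00:00", "AA1001", "login",        "198.51.100.4", ""),
    ("2014-03-01T09:05:00", "AA1001", "email_change", "203.0.113.7",  "jd.new@example.test"),
    ("2014-03-01T09:40:00", "AA1001", "redemption",   "203.0.113.7",  "Third Party"),
    ("2014-03-02T14:00:00", "AA1002", "email_change", "203.0.113.7",  "rp.new@example.test"),
    ("2014-03-03T08:15:00", "AA1002", "redemption",   "203.0.113.7",  "Third Party"),
    # Legitimate: the holder changed her email, then booked for herself a week later.
    ("2014-03-04T12:00:00", "AA1003", "email_change", "192.0.2.55",   "maria@example.test"),
    ("2014-03-11T12:00:00", "AA1003", "redemption",   "192.0.2.55",   "Maria Ortiz"),
    # Legitimate: a booking for a family member with no preceding email change.
    ("2014-03-05T16:30:00", "AA1004", "redemption",   "192.0.2.90",   "Mei Wei"),
]


def parse(events):
    """Parse timestamps and return the events in chronological order."""
    parsed = [(datetime.fromisoformat(ts), acct, kind, ip, detail)
              for ts, acct, kind, ip, detail in events]
    return sorted(parsed, key=lambda e: e[0])


def flag_third_party_after_email_change(events, holders, window=timedelta(hours=72)):
    """Signal 1: redemptions in a name other than the accountholder's that occur
    within `window` of the most recent email change on that account.
    Returns {account_id: [(redemption_time, ip, traveler_name), ...]}."""
    last_change = {}            # account id -> time of most recent email change
    flags = defaultdict(list)
    for ts, acct, kind, ip, detail in parse(events):
        if kind == "email_change":
            last_change[acct] = ts
        elif kind == "redemption":
            changed_at = last_change.get(acct)
            if changed_at is None or ts - changed_at > window:
                continue        # no recent email change: not this pattern
            if detail.strip().lower() != holders[acct].strip().lower():
                flags[acct].append((ts, ip, detail))
    return dict(flags)


def ips_linked_across_accounts(events, flags, min_accounts=2):
    """Signal 2: source IPs that performed the email change or redemption on
    at least `min_accounts` of the accounts flagged by signal 1.
    Returns {ip: [account_id, ...]}."""
    ip_accounts = defaultdict(set)
    for _ts, acct, kind, ip, _detail in parse(events):
        if acct in flags and kind in ("email_change", "redemption"):
            ip_accounts[ip].add(acct)
    return {ip: sorted(accts) for ip, accts in ip_accounts.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    flagged = flag_third_party_after_email_change(EVENTS, ACCOUNT_HOLDERS)
    for acct, hits in flagged.items():
        for ts, ip, traveler in hits:
            print(f"{acct}: redemption for '{traveler}' at {ts} from {ip} "
                  f"shortly after email change")
    for ip, accts in ips_linked_across_accounts(EVENTS, flagged).items():
        print(f"IP {ip} linked to flagged activity on accounts: {', '.join(accts)}")
```

On the sample data, AA1001 and AA1002 are flagged by the first rule (a stranger's name on a redemption within hours of an email change) and the shared address 203.0.113.7 is surfaced by the second, while the two legitimate accounts stay clean: one because the redemption is in the holder's own name, the other because there was no email change at all. The value of the second rule is that it catches the operator, not just the victim: a single IP touching many accounts this way is what turns several isolated oddities into one case.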
In fact, some of his bookings were cancelled as fraudulent.
Avazdavani could not always redeem the hotel bookings — twice, stays at the luxury Jumeirah Emirates Towers in Dubai were canceled by American because of suspected fraud. But he did get the cars, five of them in all, according to police, and there is video surveillance of him renting one in Tampa. He crashed one Camaro in Manatee County, according to police reports.
He was ultimately caught when the police tracked a BMW Z4 he had rented.
Despite having a stack of credit cards in others’ names when he was arrested, the man says “he is not stupid enough to use stolen miles to book trips in his own name.” Of course he isn’t charged with booking trips in his own name, but rather under an alias (“Milad Avaz”). And selling awards booked with stolen miles to others. And if nothing else he deserves to be busted for wasting the miles on car and hotel awards.
Still, he claims the Shaggy Defense. Wasn’t me.
Yes, he took some trips and rented some cars, Avazdavani said, speaking publicly for the first time in an interview in jail last week. But he swore he was only guilty of “bargain shopping” for travel deals on the internet. He refused to pinpoint who is to blame, cryptically adding “you become a victim when you socialize with the wrong crowd.”
“It was a third party, that’s all I can say,” Avazdavani said, cuffed and seated in a wheelchair because of a bad back. “There are other names, other suspects.”
I think he’s admitting, then, to hiring other people to book travel with stolen miles for him. Because that’s better.
- Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and let the machine remember it for various websites. You can enable two factor authentication for extra security.
- Vary your strong password slightly by program. If you’re not using a password manager, consider a base like “%&%aSBQS” that you reuse so you won’t ever forget it, followed by ‘spg’ for Starwood, ‘hilton’ for HHonors, etc. This won’t be hard to guess if someone is looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work, because your ‘strong password’ is different for each site. On the other hand, that’s probably no better than just using the program name itself as your password (which an algorithm testing common passwords would guess).
Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.
You should use a service like AwardWallet to track your accounts. You’re giving your passwords to a third party (although they offer the option of keeping your passwords on your own computer rather than on their servers). They’ve always seemed reasonably secure to me; here are details, and I like that they run a bounty program for hackers to identify flaws and that they describe their encryption methods.
You won’t check all of your account balances every day without a service like this, and the best thing you can do to protect yourself (for your own benefit rather than the program’s) is to notice any fraudulent draining of your account quickly.