Poor security of your data at American Airlines (AAdvantage) website

Discussion in 'American Airlines | AAdvantage' started by lusich, Mar 6, 2014.

  1. lusich

    lusich Member

    I want to share this information with the rest of AAdvantage members in light of all the recent hacked websites and identity theft issues.

    I have recently become aware of terrible security protocols at the AAdvantage website, and realized how easy it would be to hijack my online AAdvantage account, and gain access to all the data stored on the website:

    I am appalled at the protocol to change online password through the AA.com website. The system is completely devoid of all basic security protocols.

    ---------------
    I have voluntarily redacted this post, due to all the complaints....but please do go to AA.com, click on the reset password link, and see for yourself where the problem lies.
    ---------------

    Sensitive information further edited by Milepoint.

    This needs to be addressed ASAP!

    Please contact AA to have this fixed! Maybe if enough people call, they will actually do something about it.
     
    Last edited by a moderator: Mar 9, 2014
  2. gconnery

    gconnery Silver Member

    Well, that's pretty awful. I think you're overstating how easy it is to get somebody's ZIP code, but still, it's pretty bad.
     
  3. John777

    John777 Silver Member

    The step-by-step instructions should be removed IMMEDIATELY. Already redacted on Flyertalk.
     
  4. lusich

    lusich Member

    @John777

    Erasing my post will not make you safer. Nor will it stop any bad guys from actually taking advantage of the security hole. If I could figure this one out (redacted by MP) then it is pretty safe to say that others have already done so, too. Rather than censoring the information that I posted, maybe you should direct your energy at the idiots that are running the AA website. Sticking your head in the sand and pretending everything is alright doesn't make bad things go away.

    BTW: The step-by-step instructions are nothing illegal -- **Redacted by MP**. It's not my fault that they have idiots in charge of their online department. If you think I am lying, go see for yourself.
     
    Last edited by a moderator: Mar 9, 2014
  5. lusich

    lusich Member

    @gconnery

    There are plenty of completely legal services such as 1-800-ussearch or intelius.com, or even google.com, that will give you access to a lot of public records of pretty much anyone, including emails, addresses and phone numbers, for free or for a very low fee.

    The bottom line is: do not ever leave your boarding pass behind on an airplane or in an airport.
     
    Last edited: Mar 6, 2014
  6. rrgg
    Original Member

    rrgg Silver Member

    Last edited: Mar 6, 2014
  7. lusich

    lusich Member

    I have sent the information to AA and they have done precisely zero about it.

    Here is their response dated Feb 15th.

    We appreciate your comments and thank you for taking the time to convey
    your thoughts on our online security protocol.

    Our commitment to data security is to prevent unauthorized access,
    maintain data accurately, and ensure the correct use of information. We
    have put in place appropriate physical, electronic, and managerial
    procedures to safeguard and secure the information we collect online.

    For more information, you may visit: www.aa.com/security

    However, I want to assure you that your comments have been heard and we
    are working hard to make aa.com everything you expect it to be and more.

    Sincerely,


    AA.com Web Services
    American Airlines


    I sent a follow-up but have not received a response.

    And again, people get all upset about some so-called step-by-step instructions. What I wrote in an earlier post is nothing but what the actual "**redacted by MP**!! I just pointed out the flaws. There is no "malicious hacking code," there are no "malicious exploits," just exactly what American makes everyone do. But there is a problem with it, and it needs to be fixed, and they are ignoring it.
     
    Last edited by a moderator: Mar 9, 2014
  8. ballardFlyer

    ballardFlyer Gold Member

    Why not tell Maya Lieberman?
     
  9. lusich

    lusich Member

    I sincerely apologize if I offended anyone by posting about this issue. It was not my intention to start any sort of brawl on the forum.

    I was not aware that this was already reported before on FlyerTalk. However, this does show that other people already know about it and it is not some sort of a secret. It also shows that American has known about this for a while and has not fixed it.

    Yes, I admit that I only registered to post about this issue. I thought it was sufficiently important to do so. I also admit without any shame that my aim was to generate an e-mail petition by AAdvantage members. I don't see what is wrong with that goal, especially if it makes everyone's data more secure.

    It is true that one can get a lot of personal information from other sources, but the fact remains that frequent flyer accounts are very rich in personal information, all in one spot. This is why they should be held up to a high security standard. As for the fact that a notice gets sent to the old email -- that's already too late, since your personal data has already been exposed.

    **Redacted by MP**. What I initially posted was not some secret, illegal information or some malicious code, or some other crazy hacker stuff. It was plain and simple, the actual instructions by the American website on how to reset one's password. Since this information is public, well known, and is by no means a secret I didn't think there would be a problem with me pointing out where the flaw is. I guess I should have phrased the issue in a different way so as not to upset as many people.
     
    Last edited by a moderator: Mar 9, 2014
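The complaint running through this thread is that the reset step rests on facts an attacker can look up or read off a discarded boarding pass, and that an e-mail notice sent after the change comes too late. As an added example (not AA's code, and not posted by anyone in the thread), here is what a reset flow looks like when it relies on possession of the registered mailbox instead: a random, single-use token that is stored only as a hash, expires after 15 minutes (an assumed policy), and is compared in constant time. The account store, the mail sender, the account id `acct-1`, the address `member@example.com` and the clock are constructed stand-ins so the script runs offline.

```python
"""Possession-based password reset, as an added example.

The caller is not asked for anything that is public (name, ZIP code, flight
details).  The only thing that authorises the change is a token that was
delivered to the e-mail address already on file.
"""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset token lives 15 minutes
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256.  Returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(password, salt, key):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


class PasswordResetService:
    def __init__(self, accounts, send_email, now=time.time):
        self.accounts = accounts      # account_id -> {"email", "salt", "key"}
        self.send_email = send_email  # callable(to, subject, body)
        self.now = now                # injectable clock so expiry can be tested
        self._pending = {}            # account_id -> (sha256(token), expires_at)

    def request_reset(self, account_id):
        acct = self.accounts.get(account_id)
        if acct is None:
            return                    # identical response: no account enumeration
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is kept server-side; a leaked table of pending resets
        # cannot be replayed.
        self._pending[account_id] = (digest, self.now() + TOKEN_TTL_SECONDS)
        self.send_email(acct["email"], "Password reset",
                        f"Use this token within 15 minutes: {token}")

    def complete_reset(self, account_id, token, new_password):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            self._pending.pop(account_id, None)
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False              # wrong token; throttle attempts at the edge (not shown)
        self._pending.pop(account_id)  # single use: the token is consumed here
        acct = self.accounts[account_id]
        acct["salt"], acct["key"] = hash_password(new_password)
        self.send_email(acct["email"], "Your password was changed",
                        "If this was not you, contact support immediately.")
        return True


def build_demo(now=time.time):
    """Constructed account store and an in-memory outbox standing in for SMTP."""
    outbox = []
    salt, key = hash_password("correct horse")
    accounts = {"acct-1": {"email": "member@example.com", "salt": salt, "key": key}}
    svc = PasswordResetService(
        accounts, lambda to, subject, body: outbox.append((to, subject, body)), now)
    return svc, outbox, accounts


if __name__ == "__main__":
    svc, outbox, accounts = build_demo()
    svc.request_reset("acct-1")
    token = outbox[-1][2].rsplit(" ", 1)[1]      # pulled from the "delivered" mail
    print("wrong token accepted:", svc.complete_reset("acct-1", "not-the-token", "x"))
    print("real token accepted:", svc.complete_reset("acct-1", token, "new password"))
    print("token reusable:", svc.complete_reset("acct-1", token, "again"))
```

The flow gives the mailbox owner a say before anything changes, rather than a notice afterwards: without the token nothing happens, and a token that is guessed, reused or presented late is refused. Whoever can read the registered mailbox can still reset the password, which is why changing that address should itself require the current password and go through the same kind of confirmation.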
  10. viguera
    Original Member

    viguera Gold Member

    Security issues released out in public are generally frowned upon, but it's often the case that companies won't actually act upon something until the problem is made public.

    I hate that it's out there, but it's also bad that nothing has been done, since this has been going on for a while.
     
  11. HaveMilesWillTravel
    Original Member

    HaveMilesWillTravel Gold Member

    Security researchers typically notify the responsible company/institution to give them the opportunity to fix the issue. But if they are blown off or not taken seriously, I don't think it's unreasonable or uncommon to eventually go public with the information.

    The problem here is probably that the OP got blown off by first-level support who don't understand the issue. Then again, the folks who implemented this mechanism clearly aren't aware of best practices either. I suspect this was done years ago.

    Reminds me of programs like United's and IHG's that use four-digit PINs as passwords.
     
  12. viguera
    Original Member

    viguera Gold Member

    Or Delta, which uses email + four-digit PIN, even with the added "security" of asking for your last name.
     
  13. lusich

    lusich Member

    From the kind moderator on FlyerTalk forums:

    The best contact points at this time, when the "new AA" is forging policy for the merger and consolidation days ahead, are likely:

    Sean Bentel
    Director of Customer Relations
    PO Box 619612 Maildrop 2400
    Dallas Fort Worth Airport
    TX 75261-9612

    Doug Parker
    Chief Executive Officer
    4333 Amon Carter Boulevard
    Fort Worth, TX 76155


    Please write to them.
     
  14. Pizzaman
    Original Member

    Pizzaman Co-founder

    We redacted further sensitive information and have restored the thread. Sorry for the delay folks.
     