Here’s How a Man Stole Millions of American AAdvantage Miles — and How You Can Protect Yourself

An Iranian student in South Florida named Milad Avazdavani has been charged for “hacking into the AAdvantage accounts of high-mileage customers and siphoning off enough points to charge trips and cars worth more than $260,000.”

The value of the miles he’s alleged to have stolen is almost certainly inflated, especially now that American sells miles at 1.8 cents apiece. At a 1.8-cent-per-mile valuation, "more than $260,000" would mean he had stolen roughly 14.5 million miles. That seems unlikely.

On two occasions he allegedly booked himself into the five-star Jumeirah Emirates Towers Hotel in Dubai, and stayed at the four-star Marriott Pompano Beach Resort and Spa in Fort Lauderdale.

…Avazdavani also rented five vehicles including a $50,000 BMW Z4 sports car, a $47,000 Chevrolet Tahoe and a $26,000 Chevrolet Camaro…

In each case the AAdvantage accountholder’s email address was changed, and the transactions were made from a computer at the same IP address. An email-address change followed shortly by redemptions in a name other than the accountholder’s is a well-known fraud signal: swapping the contact address keeps the confirmation emails away from the victim, and third-party awards are how stolen miles get cashed out. When a single IP address is linked to contact changes and third-party redemptions across a number of accounts, that’s a pretty good giveaway.
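As an added illustration (this is not code from the original post or from American), here is the detection logic a loyalty program’s fraud team would run over account-activity records to catch exactly that pattern: a third-party redemption within a few days of an email change on the same account, and one source IP touching those risky events on several different accounts. The event log, account numbers, names and IP addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real AAdvantage data). Each row is
# (timestamp, account, accountholder, event, source IP, detail). For an
# "email_change" the detail is "old -> new"; for a "redemption" it is the
# passenger or renter name on the award.
EVENTS = [
    ("2016-03-01T10:00:00", "AA111", "Jane Smith", "email_change", "203.0.113.7",  "jane@example.com -> drop1@mail.example"),
    ("2016-03-02T09:30:00", "AA111", "Jane Smith", "redemption",   "203.0.113.7",  "Third Party"),
    ("2016-03-03T14:00:00", "AA222", "Bob Jones",  "email_change", "203.0.113.7",  "bob@example.com -> drop2@mail.example"),
    ("2016-03-03T14:20:00", "AA222", "Bob Jones",  "redemption",   "203.0.113.7",  "Third Party"),
    ("2016-03-05T08:00:00", "AA333", "Ann Lee",    "redemption",   "198.51.100.4", "Ann Lee"),   # flies herself: benign
    ("2016-03-06T11:00:00", "AA444", "Tom Wu",     "email_change", "198.51.100.9", "tom@old.example -> tom@new.example"),
    ("2016-06-20T11:00:00", "AA444", "Tom Wu",     "redemption",   "192.0.2.55",   "Tom Wu"),    # own name, months later
]


def parse(rows):
    """Turn the raw rows into dicts sorted by time."""
    events = []
    for ts, acct, holder, kind, ip, detail in rows:
        events.append({"ts": datetime.fromisoformat(ts), "acct": acct,
                       "holder": holder, "kind": kind, "ip": ip, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def is_third_party(event):
    """A redemption whose beneficiary is not the accountholder."""
    return event["kind"] == "redemption" and event["detail"] != event["holder"]


def email_change_then_third_party(events, window_days=7):
    """Flag accounts where a third-party redemption follows an email change
    within window_days. Returns {account: [(change_ts, redemption_ts, ip)]}."""
    changes = defaultdict(list)
    hits = defaultdict(list)
    for e in events:                      # events are time-ordered
        if e["kind"] == "email_change":
            changes[e["acct"]].append(e["ts"])
        elif is_third_party(e):
            for change_ts in changes[e["acct"]]:
                if timedelta(0) <= e["ts"] - change_ts <= timedelta(days=window_days):
                    hits[e["acct"]].append((change_ts, e["ts"], e["ip"]))
    return dict(hits)


def ips_touching_many_accounts(events, min_accounts=2):
    """Group risky events (email changes and third-party redemptions) by
    source IP and return the IPs seen on at least min_accounts accounts."""
    by_ip = defaultdict(set)
    for e in events:
        if e["kind"] == "email_change" or is_third_party(e):
            by_ip[e["ip"]].add(e["acct"])
    return {ip: accts for ip, accts in by_ip.items() if len(accts) >= min_accounts}


def triage(rows):
    """Run both checks; either signal alone is worth a manual review,
    both together on the same IP is the giveaway described above."""
    events = parse(rows)
    return {
        "sequence_hits": email_change_then_third_party(events),
        "ip_clusters": ips_touching_many_accounts(events),
    }


if __name__ == "__main__":
    for signal, result in triage(EVENTS).items():
        print(signal, result)
```

On the constructed log, AA111 and AA222 trip the change-then-redeem check, and 203.0.113.7 is the only IP tied to risky events on more than one account; Tom Wu’s legitimate email change followed months later by his own award is not flagged by either check.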

In fact, some of his bookings were cancelled as fraudulent.

Avazdavani could not always redeem the hotel bookings — twice, stays at the luxury Jumeirah Emirates Towers in Dubai were canceled by American because of suspected fraud. But he did get the cars, five of them in all, according to police, and there is video surveillance of him renting one in Tampa. He crashed one Camaro in Manatee County, according to police reports.

He was ultimately caught when the police tracked a BMW Z4 he had rented.

Despite having a stack of credit cards in others’ names when he was arrested, the man says he is “not stupid enough to use stolen miles to book trips in his own name.” Of course, he isn’t charged with booking trips in his own name, but rather under an alias (“Milad Avaz”), and with selling awards booked with stolen miles to others. And if nothing else he deserves to be busted for wasting the miles on car and hotel awards.

Still, he claims the Shaggy Defense. Wasn’t me.

Yes, he took some trips and rented some cars, Avazdavani said, speaking publicly for the first time in an interview in jail last week. But he swore he was only guilty of “bargain shopping” for travel deals on the internet. He refused to pinpoint who is to blame, cryptically adding “you become a victim when you socialize with the wrong crowd.”

“It was a third party, that’s all I can say,” Avazdavani said, cuffed and seated in a wheelchair because of a bad back. “There are other names, other suspects.”

I think he’s admitting, then, to hiring other people to book travel with stolen miles for him. Because that’s better.

American AAdvantage has been hacked before. So has British Airways Executive Club. And Starwood. And every other program, too. Miles in large quantities are for sale on the Darknet.

Here’s how to protect your accounts from hackers. And don’t set your password to 1-2-3-4-5.

  • Use a strong password (or passphrase) for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong master password and let the manager remember a different password for each website. Turn on two-factor authentication wherever a program or the password manager offers it.

  • If you are not using a password manager, at least don’t use the same password everywhere. The scheme people reach for is a memorized base like “%&%aSBQS” plus a program tag: ‘spg’ for Starwood, ‘hilton’ for HHonors, and so on. That does defeat the bulk attack, where someone replays a list of leaked email addresses and passwords against a given website, because the exact string leaked from one program won’t work at another. It does not defeat anyone who sees one of your passwords and guesses the pattern, and an eight-character base is short. So it’s only a little better than using the program name itself as your password, which any list of common passwords will try. If you do use a password manager, there is no reason to vary one password at all: have it generate a long, random, unique password for each program.
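To make the trade-off in the second bullet concrete, here is an added example (not code from the original post) that plays both attackers against a constructed vault of base-plus-tag passwords, and then against a vault of manager-generated random passwords. The site names, tags, and the base string are taken from the bullet; the vaults and the attacker functions are assumptions made up for the demonstration.

```python
import math
import secrets
import string

# Constructed victim vault using the base-plus-program-tag scheme from the
# bullet above. These are not anyone's real passwords.
TAGS = {"starwood": "spg", "hilton": "hilton", "aadvantage": "aa"}
BASE = "%&%aSBQS"
VARIANT_VAULT = {site: BASE + tag for site, tag in TAGS.items()}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def bulk_replay(leaked_password, vault):
    """Credential stuffing: replay the exact leaked password at every site.
    Returns the sites where it would log in."""
    return sorted(site for site, pw in vault.items() if pw == leaked_password)


def pattern_guesses(leaked_password, leaked_site, tags=TAGS):
    """A targeted attacker who saw one password: strip the tag of the site it
    leaked from and re-append every other program's tag."""
    tag = tags[leaked_site]
    if not leaked_password.endswith(tag):
        return {}                          # no recognizable tag, nothing to derive
    base = leaked_password[:-len(tag)]
    return {site: base + t for site, t in tags.items() if site != leaked_site}


def pattern_replay(leaked_password, leaked_site, vault, tags=TAGS):
    """Try the derived variants; return the sites where they log in."""
    guesses = pattern_guesses(leaked_password, leaked_site, tags)
    return sorted(site for site, guess in guesses.items() if vault.get(site) == guess)


def generate_password(length=20, alphabet=ALPHABET):
    """What a password manager does: uniformly random, independent per site,
    with at least one character from each class so site rules are satisfied."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def random_vault(sites):
    """One independently generated password per site."""
    return {site: generate_password() for site in sites}


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    leaked = VARIANT_VAULT["starwood"]
    print("bulk replay of leaked Starwood password:", bulk_replay(leaked, VARIANT_VAULT))
    print("pattern replay of the same leak:        ", pattern_replay(leaked, "starwood", VARIANT_VAULT))
    rv = random_vault(TAGS)
    print("pattern replay against a random vault:  ", pattern_replay(rv["starwood"], "starwood", rv))
    print(f"8-char random base: {entropy_bits(8, len(ALPHABET)):.0f} bits;"
          f" 20-char manager password: {entropy_bits(20, len(ALPHABET)):.0f} bits")
```

Against the variant vault, the bulk replay of the leaked Starwood password only gets into Starwood, which is the point the bullet makes; the pattern replay gets into every other program, which is the caveat. Against the manager-generated vault neither attack gets anywhere beyond the leaked site, and a 20-character random password carries about 131 bits of guessing work versus roughly 52 for an 8-character random base.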

Your laptop or other device should also be encrypted (full-disk encryption such as FileVault on a Mac or BitLocker on Windows). A login password alone isn’t enough: anyone with physical access can boot a different operating system or pull the drive and read your files, password manager vault included, unless the disk itself is encrypted.

You should use a service like AwardWallet to track your accounts. Be aware that you are giving your passwords to a third party (although they offer the option of leaving your passwords resident on your computer rather than on their servers). They’ve always seemed reasonably secure to me, here are details, and I like that they participate in a bounty program for hackers to identify flaws, and I like their encryption methods.

You won’t check all of your account balances every day without a service like this, and the best thing you can do to protect yourself (for your own benefit rather than the program’s) is to notice any fraudulent draining of your account quickly, while the bookings can still be cancelled.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.


Comments

  1. So he got access to the victims’ computers?

    Or he guessed passwords from their account numbers?

    The airlines should be using 2-factor authentication but who are we kidding? Their tech is so poor they can’t even show the award calendar accurately.

  2. We had a hacker get into my husband’s AAdvantage account in March. He booked two round trips from Accra, Ghana to JFK for travel that day, returning in August. I have alerts set up on my charge cards so that we were notified of the immediate spend. I alerted AA and the credit cards. I so would have liked to see the face of the person who wanted to use the tickets.

  3. You recommend using password manager, which is a great suggestion, but then recommend using slight variations of one password, which is totally unnecessary if you are using a password manager. Use the password manager’s password generator to make every password to important sites unique and as long as the site allows.

  4. I’d like to know how he booked the Jumeirah Emirates Towers, since there is no hotel available in AUH according to the AA site.

  5. My starwood account was hacked. I got an email from the W Hollywood two years ago, stating that I had just made a reservation. I immediately called them. Someone had just called them and even requested flowers to be delivered to the room. I told them that I live in Beverly Hills and why would I book a room in Hollywood?
    I called the management and they were not much help. However, the agent had warned him while he was checking in that I had called. He had left the premises.
    Then the next night he did it again; this time he had booked a room at the Le Meridien. Since he had changed the number in my profile to his own number, I got the number from the agent and I called him and pretended that I was the management, and since I was Platinum, I asked him what he wanted and I addressed him with my own last name and he
    Then I called Santa Monica police. I called the hotel reception and told them to let him check in.
    They informed me that an African American man had shown up and pretended to be me. I have a Greek last name.
    However, because the agent had gone to the back and acted funny, he had gotten cold feet and had left. I showed up, and the Santa Monica police came. However they said that points have no value and no crime was committed.
    He did it again, the next night at the four points by Sheraton by Santa Monica.
    I have to say that I did not get much support from Starwood or the management. All I have to say is that you have to change passwords all the time.
    Shame on Starwood for not helping me with this situation! Changing account numbers and passwords took forever…

  6. Alan,
    Thanks for sharing. The way SPG, and the police, handled the situation is disgraceful.

  7. @Linda, but did he at least book those trips using QR to avoid the BA fuel surcharges?
