Yesterday a man pleaded guilty to an American Airlines gift card scam that was used between 2016 and 2018. I’m writing about this because it’s interesting to hear about an American Airlines gift card vulnerability that seemed to exist for quite a while.
How did this American Airlines gift card scam work?
This incident involves a 27-year-old from Ladue, Missouri, who seems to be pretty involved in the frequent flyer world. The lawsuit alleges that he “represented to friends and associates that he was affiliated with a travel agency, and was going to build his own travel business.”
The suit also says that on a website he boasted of his “elite status and hotel statuses, which include Executive Platinum status with American Airlines and its worldwide partners — logging about 200,000 flight miles a year.” He said that his “background allows [him] to optimize airline and hotel customer experience programs to build exceptional travel value for you.”
Between January 2016 and October 2018, he bought around $160K worth of gift cards, which he partly used to book tickets for others. So far this sounds legit, so where’s the issue? Well, there was a glitch in American Airlines’ refund process when it comes to gift cards:
- He would purchase gift cards directly from American Airlines, in amounts ranging from $50 to $150, with his credit card; for example, in 2018 alone, he purchased 690 virtual gift cards
- He’d then use the gift cards to purchase tickets for himself and others
- He would then log into the American Airlines refund portal, and apply for a refund for the tickets he had just purchased
- He would enter the gift card MSR into the refund portal, rather than the actual ticket number that was requested
- This is where the vulnerability came in — entering the gift card MSR would cause the entire ticket amount to be refunded to the credit card that was used to purchase the gift card
- The ticket wasn’t actually canceled, while the gift card amount was refunded
- He received a total of over $160K in refunds for gift cards, and received over $20K in compensation from others
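The refund behaviour in the list above, as a constructed Python model beside a checked version and a reconciliation query. This is an added example, not American Airlines' code; every class, function, record and identifier format in it is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass
class GiftCard:
    number: str
    amount_cents: int
    funding_card: str        # credit card that bought the gift card
    refunded: bool = False

@dataclass
class Ticket:
    number: str
    price_cents: int
    paid_with: str           # gift card number used as form of payment
    status: str = "ISSUED"

class RefundRejected(Exception):
    pass

def refund_flawed(identifier, tickets, gift_cards):
    """Model of the behaviour the article describes (constructed, hypothetical)."""
    if identifier in gift_cards:              # wrong identifier type is accepted
        card = gift_cards[identifier]
        card.refunded = True
        return card.funding_card, card.amount_cents   # no ticket is cancelled
    ticket = tickets[identifier]
    ticket.status = "REFUNDED"
    return ticket.paid_with, ticket.price_cents

def refund_checked(identifier, tickets, gift_cards):
    """Only a ticket number is accepted; refund and cancellation happen together."""
    if identifier in gift_cards:
        raise RefundRejected("gift card number given where a ticket number is required")
    ticket = tickets.get(identifier)
    if ticket is None or ticket.status != "ISSUED":
        raise RefundRejected("no refundable ticket with that number")
    ticket.status = "REFUNDED"                # ticket stops being valid for travel
    return ticket.paid_with, ticket.price_cents   # back to the original form of payment

def audit(tickets, gift_cards):
    """Reconciliation: tickets still live although the gift card that paid for them was refunded."""
    return sorted(t.number for t in tickets.values()
                  if t.status == "ISSUED"
                  and t.paid_with in gift_cards
                  and gift_cards[t.paid_with].refunded)

def sample():
    """Constructed records: one gift card and one ticket bought with it."""
    cards = {"GC-0001": GiftCard("GC-0001", 15000, "CC-ending-0000")}
    tix = {"TKT-0001": Ticket("TKT-0001", 15000, "GC-0001")}
    return tix, cards
```

Run periodically over real ledgers, a reconciliation like `audit` would surface the mismatch between refunded gift cards and still-valid tickets even if the input check were missing.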
The defendant yesterday pleaded guilty in the US District Court in St. Louis to one felony count of wire fraud. As part of a plea agreement, prosecutors will recommend probation when he’s sentenced later this year. He’ll also have to repay over $180K.
Bottom line
A man has pleaded guilty to an American Airlines gift card scam. Over the course of nearly three years, the man purchased over $160K in American Airlines gift cards.
He would book tickets with the gift cards, and then due to a glitch in American’s system, the cost of the gift card purchase would be refunded to his credit card, while tickets purchased with the gift cards would remain valid.
He’s now facing probation over a felony count of wire fraud, and also has to repay around $180K.
Ben-
The big question is:
Did AA shut down his AAdvantage account and make him forfeit all his miles? I mean he wasn’t abusing the AAdvantage program, he was stealing money, not miles.
He should charge AA for doing unit testing for them.
Of course AA won't do any testing. It's all outsourced and I can guarantee those knuckleheads won't do thorough testing. Testing requires you to think in broad terms and do things like this guy. Outsourced testers can only test the exact steps you write on a piece of paper for them and absolutely nothing more than that.
I remember someone gaming the system by purchasing airline tickets on busy holiday weekends, then canceling last minute to get a bump voucher. This happened 10 or so years ago. Talk about a racket.
Daryl, I have to agree with this statement "AA = incompetent idiots".
I’m with @Chris - how many of these breaches are there? I’m starting to worry that my personal information AA has along with my AAdvantage account can be easily compromised.
Doesn't American Airlines have a bounty program like UA? I remember people getting millions of miles for bugs.
@Ben L.: He presumably could still be charged under state statutes as well. Not sure if that's in the cards or not, though directionally agree with your point.
@Joey: Always possible he got inside information, but more than likely he did it by accident once (or heard of it happening by accident), and then exploited it repeatedly.
Shame for AA for not testing their refund systems. Two years? Really? AA = incompetent idiots
Whoa! I wonder how he knew about that glitch!
How about you just don't steal regardless, Ben L?
In Missouri, if you steal $500 worth of merchandise from a retail store you'll be charged with a Class C felony and sentenced to 1-7 years in state prison.
But if you instead steal over 3,000 times that amount in interstate commerce, you catch a wire fraud charge and the prosecutors merely recommend probation.
Welcome to the United States of America, where poor people are destroyed for their desperation and the well-to-do get a slap on the wrist for taking "the hobby" a little too far.
Does American even test their applications before they roll them out?
They seem to have a lot of very preventable business logic exploits.
nvm...I saw that he used travel for himself as well...can't delete my comment.
Seems like a lot of work for $20k.