In the section on questions for Randy Petersen in the August issue of Inside Flyer (subscription required), there’s a shout out to my award booking service. I’m flattered, and therefore should be gracious enough to simply say thank you.
Instead, I read on and found the next question for Randy troublesome. A reader asked about why websites like TripIt are no longer allowed to access American AAdvantage account information.
Randy replies,
Of course they care, which is why they have begun to enforce a policy that has long been in their rules and conditions. Let’s back up a bit. American AAdvantage was not the first airline to put a stop to this sort of access–that distinction belongs to the Southwest Rapid Rewards program. And while it might seem that those Texas-based airlines are sticking together (maybe we are lucky that Continental moved their headquarters to Chicago!), the reasoning behind the decision is actually something they see as best for their customers.
These services, which TripIt and others provide, all require you to release your loyalty account numbers and PINs. Over the past 10 years, dozens of these services have popped up … and later went out of business. What happens to your account and PIN? Of those that currently offer these services, are you aware of the level of security they use to protect your data? What do they do with the data they collect? It’s these types of concerns that led Southwest, and later American, to block further access to your account.
While not making headlines, there has been an increase in the number of awards that have been fraudulently redeemed from members’ accounts, and the action taken by these two programs is an attempt to step back and take a look at how they can implement some sort of system to better protect all members from outside access, not just those using these services.
(Emphasis mine.)
This got my juices flowing enough that I’ve sent off the following Letter to the Editor:
Dear Randy,
In the August issue of Inside Flyer, you tell reader John Mitchell that American’s decision to forbid mileage tracking websites from accessing AAdvantage account information is reasonable because (1) it’s in their terms and conditions, (2) Southwest did it first, and (3) it’s to protect member data.
You’ve frequently been critical of frequent flyer programs sticking to their terms and conditions to the detriment of their members, and contrary to their own long-term interests. Just because they can do something, doesn’t mean they should. I hope you’ll recognize this as one of those instances.
When members have to take extra steps to check their frequent flyer balances, they become less engaged in the program. The programs that are easiest to watch miles grow in — that don’t require manually logging in (and remembering to log in!) to another website are the programs whose shopping portals members will most use, the programs they’ll accumulate car rentals with, and other partner activity as well.
While you suggested to this reader that there’s a security risk in releasing account passwords or PINs to a website, mileage tracking site Award Wallet didn’t need member account information at all, and stopped storing that information on its website. It created a browser plugin so that all account numbers, passwords, and mileage balances were stored on the member’s computers only. American’s lawyers still shut them down.
The notion that this is all in the best interests of the member doesn’t wash. Making it harder for members to watch their balances regularly and closely REDUCES security. In contrast, members checking changes in their balances regularly on mileage aggregator sites allows them to realize more quickly when there’s a problem and sound the alarm.
Meanwhile American won’t permit access to websites that the banks are happy to allow to access and store financial account information. If a site can meet Fidelity or Chase security standards, surely a security rationale on American’s part is wrong-headed, even if it were genuine?
But it isn’t about security at all, it’s about commercial agreements. In response to a question from a member in the American AAdvantage chat on Milepoint, American President Suzanne Rubin acknowledged the reason for shutting off these sites’ access is “Our preference is to enter into commercial agreements with these sites that recognize American’s rights and control the unauthorized dissemination of American’s customer data. ”
I certainly hope these websites can find a way to come to terms, but it’s unclear how an internet venture that doesn’t charge members can afford to pay American or other frequent flyer programs a fee for something that increases those members very engagement in the program.
Perhaps with enough persistence I can change your mind and you’ll join the call to let members manage their data in the most convenient manner possible, within clear and transparent security guidelines.
Sincerely,
Gary Leff
We’ll see if I make it into the magazine! (And, Randy, thank you 🙂 )
Great post, Gary. I like when you do stuff like this and the restaurant reviews.
I like it; the MP leads having a quality debate.
Agree 100% that it’s about American getting commercial agreements from these sites (i.e. money), not about real security. I haven’t looked at my AAdvantage account in months and don’t ever even think about that program or that airline. If I could check it on AwardWallet, I would be, as you put it, much more engaged with the program.
Kudos, Gary! Since AAdvantage is no longer visible on my AwardWallet page, I notice that, subconsciously, I’m considering them less as I make future travel plans. It’s kind of an “out of sight, out of mind” phenomenon.
You are completely right Gary. American Airlines are just a bunch of retards. Like you say, awardwallet has access to my Chase checking account & credit cards and my AmEx credit and charge cards… and there have been no security issues at all.
AA is broken!!!! They are begging for any penny they can get. I wish one day we will be able to fly Emirates from LGA to MIA, Singapore Airlines from MSP to LAX, Qatar Airways from ORD to MCO, etc… Enough with this crappy system we have in the US where we have to pay a fortune to have a terrible service in old and smelly airplanes with grumpy and unhappy flight attendants. If you live in Asia, it is a pleasure to fly. If you live in the US, it is a pain and we wish you could drive to your destination.
Both are related:
1) Go ask AwardWallet.com what security is in place for your accounts?
2) How are each accounts encrypted?
3) What kind of backup strategy do they have in place?
Guess what reply are you going to get?
They are not obligated to divulge this information to any one, their excuse: It’s a security issue – So it’s a catch 22.
Now, if you have Agreements in place you have to abide and make full disclosure.
If I was AA i would demand the same. Guess what happens if AW gets hacked and passwords compromised? Who will you look for answers from? AW or AA in this case? Who’s time will be wasted?
Talk is cheap as always.
If AA made it easier to log in to their own site by using a username of your choosing (instead of having to remember your letter/number combination account number), the Award Wallet restriction wouldn’t be so difficult to take. I mean, every time I go to log in to my AA account, I have to go back to an 11-year old email to copy & paste the account number!
Gary, I think there is an additional factor with AA. When you go to their site, you see their ads for their sales, promos, partner offers, air/hotel packages, etc. They want you to have to go to their site to see their ads. If AW tells you what’s going on in your AA account, you don’t need to log into AA, and their ads just sit there unread.
Just wanted to note the link to your booking service is currently broken, it’s missing an ‘r’.
@Matt Campbell — hahahaha – fixed! 🙂
Gary, I support you and wish AA and Randy Petersen
would reverse their position.
@Joe Power
Can you get us responses to all the same questions from American? Thanks.
AA.com is a security nightmare.
I really wish AA would reconsider as well… I definitely pay less attention to this program because of the lack of AwardWallet access. The Southwest lack of access doesn’t bother me as much, because Southwest is off the main grid in a lot of other ways (i.e., not available for searching on Hipmunk or Orbitz). So I’m used to going to the Southwest site a lot, which keeps me engaged in their program.
Great piece. It really bothers me that BOTH AA and Southwest are not visible on awardwallet. I almost forgot I had miles in those accounts!!!
Really frustrating. WE need to send a massive email to both these airlines and tell them to quite playing ‘privacy’ games.
@Glen : if you are having problems remembering passwords (as I do often), I suggest you use lastpass.com (which I do). It saves a lot of agro, and can be used both on desktops and smartphones
Great job Gary. That needed to be said, and well put at that.
The security claim is bogus because AA will not even allow AW users to enter their AA miles balance manually. It’s ridiculous.
I feel the need to speak up and support AA again, even though I find award wallet useful.
Award Wallet say your information is secure. How do you know? How do AA know? You don’t. AA don’t. I am willing to bet with some conviction that Award Wallet themselves don’t even know, how secure is their site? Have they been hacked? How much money do they spend on security?
I think the arguments that AwardWallet is secure are unfounded, unknown and unknowable.
Frankly I am appalled that other airlines do allow access.
I know this is not the popular voice on here, but I think that people believing that they “know” that this site is secure have not really thought this through.
@srptraveller
So, how do you know AA site is safe?
Fear mongering is hardly a way to support AA’s stance.
@Confused
I don’t know the AA site is safe. You’re missing my point.
AA are responsible for the security of information inside AA.com. They cannot reasonably provide for that security if unaffiliated third parties such as AW have access to login information that is supposed to be kept private and secure.
If we really wanted to argue this perhaps we would stop discussing how AW is “safe” when none of us really have a clue.
A different line of argument might be to push AA to have us sign an indemnity “if we lose all our miles and have our credit card information stolen and flights cancelled because AW was hacked, you AA are not responsible and will not fix it or compensate us”.
I don’t know that it would be more successful with AA, but at least it would involve us as individuals assuming the risk rather than blindly and conveniently pretending there isn’t any.
It would be great to see AA and Southwest on AW!
@srptraveller
I am not missing your point at all, you are just conveniently side stepping an obvious fact: if AW security is a concern, so should AA’s be.
Quote from AA site: “You accept financial responsibility for all use of the Site under your name or account”.
Boom.
I’ve long since given up on Randy. When there is a real issue he finds a way to either ignore it or spout the corporate line. I don’t say this lightly but from real personal experience.
Unfortunately this is becoming the norm in this industry. It starts innocently enough but pretty soon the special treatment kicks in, then the free trips or whatever and the next thing you know when there is real reporting to be done it gets ignored. What you are seeing here is the final stage when the affected actively defend the behavior while still maintaining their charade of consumer advocacy.
I don’t blame the companies involved. They are only doing their jobs. But for all the bloggers out there, a warnings. The PR machines are very well honed machines. It takes the fortitude of a New York Times or Consumers Reports if you want to stay honest.
Few succeed.
Frankly, I think the bigger problem here is Randy Petersen. He’s interested in making money, which is fine, of course. But that has led him to defend the indefensible when it comes to airlines. And all he seems to care about is the EARNINGS side of the ledger. You can’t find a single word from him in recent years about the devaluation on the AWARD CLAIMING side.
So Randy doesn’t want to offend American, so he defends the indefensible here. And he won’t say boo when airlines continue to devalue their points.
He long ago stopped being a REAL advocate for frequent flyers. His interest is profit and he sees that making nice to airlines is in his financial interest.
“It takes the fortitude of a New York Times” You really cracked me up with that one. The NYT hasn’t been engaged in real journalism for ages. At least since Walter Duranty got his Noble Prize for extended reporting in the NYT that Stalin wasn’t really starving Ukrainian peasants to force them to join collective farms. Thanks to Duranty’s false reporting in the Times, the West looked the other way while literally Millions of peasants starved to death. Duranty profited by being a stooge for Stalin, and the NYT continues this fine tradition by doing the same kind of reporting on Obama and the state of the American economy today. Compared to the NYT Randy Petersen is a paragon of journalistic excellence…..
@Confused
You and I may choose to be concerned with or ignore the safety of either website.
AA are only concerned with the safety of AA.com – they are removing any concern they might have with the safety of AW by preventing access.
The boom was funny!
Joe Power and srptraveller I wanted to respond to your comments about security of AwardWallet. Obviously, if I tell you “AwardWallet is secure” it means nothing to you. Of course I will say that. But specifically for AA we developed a browser extension which does *all* the checking locally. Your password, account number, balance, and any other data related to AA is never stored or transfered through AwardWallet servers. So AwardWallet server security is completely irrelevant. For that you don’t have to trust me, you could look at your network traffic and you would see that the balance checking and storing all the data is done locally on your computer. So you don’t need to trust me, you could actually check that yourself. So the security question comes down to: how secure is your favorite browser and how secure is aa.com. AwardWallet servers are not in the picture when it comes to checking AA. Unfortunately many miss that point.
Always a day or two late….but I think the whole AA thing with AW is ridiculous and only punishes some of their most loyal customers. I wholeheartedly agree with the others that say, “out of sight, out of mind.” AA no longer factors into my thought process when booking, even a paid ticket. My time is too precious to me to be chasing down information from companies that don’t allow us to be efficient with our time. C’mon AA. Don’t be a pain. AW is one of the best sites going for frequent fliers. Recognize that and get back on the bandwagon.
As someone who has worked in corporate settings, I recognize that AA and SWA’s plans aren’t really to provide benefits to their customers. It’s all marketing, devised to drum up business for the company. However, they don’t really want you fully engaged in these programs. Point aggregating/mashup sites like Tripit Pro and Award Wallet are consumer-first interest products, which HURTS the bottom line of these companies.
Someone on another blog commented about how they basically wish these blogs didn’t exist, because it took the hard work out of miles/card running – basically saying the more people do this, and the bigger the impact to the bottom line for these companies, the faster they’ll pull the plug on these programs. Basically saying, don’t share good secrets, because they won’t be secrets anymore.
AA left Orbitz and other mashup booking sites over money as well. SWA has never been there, and has done alright without them. The point being, that the argument that customers will be more engaged in their rewards program might be true, but it’s really not what the airlines want. They don’t want you in a polygamist relationship, they want you only with them. Cue creepy girlfriend music.