AwardWallet and American Airlines – Each side comments

I haven’t followed the AwardWallet controversy too closely, mostly because I’ve never used it.  I think it’s a cool service, but I just don’t need another login or account to keep track of, so I’ve never bothered to sign up.

You probably know this already, but back in December of last year, American banned AwardWallet from storing AA.com customer account information and using that info to access AAdvantage account data on behalf of AwardWallet customers.  Southwest also did something similar when they barred AwardWallet from storing Rapid Rewards account information.

Over the years, working for a software firm that was an outside vendor to some big companies, I’ve worked on projects that required hosting a client’s customer data, and it was always a process that required multiple security audits, review by attorneys, and liability insurance policies and agreements.

So when I first read about American banning AwardWallet, I wasn’t surprised that it happened.   It seemed almost inevitable that Award Wallet was going to run into problems for storing AAdvantage account information for perhaps millions of American’s customers, if they were doing it without some kind of formal agreement with American.

I’ve read a few comments on blogs and in the forums suggesting that American banned AwardWallet because they were afraid that they would siphon off traffic from AA.com.  

I guess it could be possible, but the idea that folks at AA.com are losing sleep because of AwardWallet just doesn’t seem that credible. Kayak? Sure. Google purchasing ITA Software? Definitely. Losing traffic to AwardWallet? Probably not.

I think it really is just an issue of security and liability.

I couldn’t imagine a bank allowing an outside company, with whom they have no liability or security agreements, to store millions of customers’ online bank account usernames and passwords, and I couldn’t imagine American, Southwest, or any airline not taking a similar stance.

After American banned AwardWallet from hosting AA.com customer data, AwardWallet implemented a workaround by introducing a browser plug-in that stored AAdvantage account login info on a user’s hard drive. Thus, it was no longer being stored on AwardWallet’s servers, so I guess they figured that it would make American happy. It didn’t, and last month American forced AwardWallet to discontinue that tactic as well.

I’m not sure how the plug-in worked, but it’s not the way Points.com, Sabre, and other third-party companies communicate with American’s systems, so the fact that the plug-in was banned wasn’t much of a surprise.

The other day, I was reading about how challenging it was for Microsoft and American to integrate AA.com user data with the new American Airlines App for Windows Mobile, and to host copies of that data on Microsoft’s servers while still keeping user info secure as it moved between the two services. It took teams of people (engineers, security experts, and management) on both sides to make it work, and that seems to be the right way of doing it. A browser plug-in just seems like a hack.

I’m sure that at this point, the solution is for AwardWallet to use some kind of secure, sanctioned API. That’s how American has chosen to share data with its other outside partners, so any other approach is probably not going to work.

I really didn’t intend for this post to be a defense of American, even though it’s kind of turned out that way. You’ve probably read so many other opinions on the subject that reading yet another won’t impact your view anyway.

The reason I was writing, though (really), was to point your attention to a post on the topic by Michael at Michael W Travels. He was actually able to solicit some comments from representatives at AwardWallet and American Airlines, so rather than try to convince you of how right I am, I figured if you’re interested, you could read the back and forth and decide for yourself.

You’ll find Michael’s original post here. And a more recent follow-up here (which was basically, no more comment from either party).

Photo: Kangaroo Boxing
Credit: Scott Calleja on Flickr

Comments

    • @ Lonetree – It might appear the same to a user, but Mint uses a secure API (which is really just an agreed upon server to server communication tool) to work with your bank.

      In order for Mint to work with a financial institution, both have to work together to make it happen. That’s why Mint doesn’t work with every bank.

      When you set up your account with Mint, it “talks” to your bank’s server, passes your ID info to the bank in order to authenticate your identity, and your bank passes account data back to Mint. Your bank account login info never actually leaves your bank’s servers and it’s not stored on Mint.com.

      I think that’s the approach that AwardWallet should take.

      Thanks for commenting!

  1. I stored my AA login in plain text Notepad, I guess AA will ask Microsoft to remove Notepad from Windows soon.

    • @ MichaelIP – That’s funny! I guess if you hear a knock at your door, it could be some lawyers. 😀

      But in all seriousness, my guess is that it wasn’t that user info was being stored on the hard drive, but that AwardWallet wasn’t using the same kind of process and secure API that Points.com, oneworld airlines, and all American’s other partners are required to use.

      Thanks for your comment!

  2. “I couldn’t imagine a bank allowing an outside company, with whom they have no liability or security agreements, to store millions of customers’ online bank account usernames and password, and I could’t imagine American, Southwest, or any airline not taking a similar stance.”

    Um, no. Yodlee is also banned. Per Wikipedia, Yodlee has over 30 million users, and over 150 financial institutions and portals (including 5 of the top 10 U.S. banks) offer services powered by Yodlee.

    Banks not only allow Yodlee to access and store that information, but 5 of the top 10 banks actually partner with Yodlee to offer the service to their users. I am one of those 30 million users. Every reward program, financial institution, etc. I do business with allows Yodlee to access, store, and display my information except for two. Guess which ones? Yep, Southwest and AA.

    My two cents, Yodlee probably has more of a clue in regards to keeping data secure than AA or Southwest ever will.

    • @ HikerT – I’m a fan of Yodlee and think your comment supports the point I was trying to make.

      Yodlee obviously went through some vetting process in order for 5 of the 10 largest banks to feel comfortable sharing data with them. And when the banks did agree to share that data, Yodlee went about it in such a way as to integrate with each bank’s secure API and to respect each institution’s security and privacy policy.

      When Yodlee wasn’t able to secure an agreement with the other big 5 banks, they didn’t develop some plug-in hack to work around the banks’ security systems or user data policies.

      As for why American and Southwest don’t support Yodlee... that’s probably a good post for another day.

      Thanks for your comment!

    • @ Michael W – Do me a favor please. Next time, write something about religion or politics, and I’ll link to that instead!

      Just kidding. That AwardWallet has such passionate users reflects the fact that they have a great service and cool interface. Maybe they’ll find a way to work with AA at some point in the future. Obviously, that would make a lot of people happy.

      I enjoy your blog!

  3. “When Yodlee wasn’t able to secure the agreement of the other 5 banks, they didn’t develop some plug-in hack to work around the banks’ security system or user data policies.”

    No, you misinterpreted. Read that again. 150 financial institutions and portals (including 5 of the top 10 U.S. banks) partner with Yodlee. In other words, they are so impressed with the service they co-brand it and offer the service to their customers, not just allow Yodlee to access their servers. The rest still allow Yodlee to access their servers. Arrogant Airlines and Southwest are among the vast minority.

  4. Thanks for the kind words AA! I hope that AA & AW come up with a solution, but the vibe I was getting is that AA plans to allow other third-party sites to show its info; not so sure AW will be part of that group…

  5. @ HikerT – I got that, I was just using the 5 out of 10 number for the example. Just like you, I’m a big fan of Yodlee and not surprised that so many banks and portals have partnered with them.

    My point was that they’re held in such high esteem precisely because they would never use a browser plug-in approach to bypass some other company’s user data policies and agreements.

    As for why they aren’t compatible with AA or WN, I’ve never heard Yodlee, or the airlines, comment on the topic.

    Thanks again for reading and commenting!

  6. Whether AwardWallet meets high security standards or takes good care of user data, it’s solely my decision whether to store my user name and password there. If AA really cares about my security and privacy, they could focus on making their own system more secure, stop sharing and selling my private information to their partners, and create and provide better and more secure interfaces/APIs for portals like AW to use. Making their own mobile app more secure is their responsibility; how AW handles my information is between AW and me and none of AA’s business. Throwing lawyers at AW and taking away our right to choose tools to handle our own information, and somehow they make an intelligent person like you believe they are doing it for us customers? You are funny.

    The AW browser plug-in is simply an enhancement to the browser that I choose to install to help me read and reorganize the information obtained from the standard AA.com webpage. If that’s a concern for AA, maybe they should send a C&D to HP and ask them to stop making printers that could be used to print that AA.com page onto very unsecured paper.

    • @ bmguan – Thanks for sharing your thoughts.

      Since we’re discussing AwardWallet and security, I think that I should mention that I don’t want to suggest that AwardWallet doesn’t observe best practices when it comes to storing or sharing user data. They would have been out of business a long time ago if they didn’t take the subject seriously, so obviously it’s important to them.

      Anyway, back to your point. I absolutely agree that you have the right to store your password on your computer using whatever software you choose. And if this whole discussion was about that as an issue, then it would be absurd for American to take the position that they have against AwardWallet (and others apparently).

      But the way I see it, that really isn’t the issue here, and I don’t think that American’s position is unreasonable.

      Do I think that American also wants to guard their data for marketing purposes? Yes. Without a doubt. But at best, I think it’s a distant consideration to the security and liability issues.

      Maybe I’m wrong, but I don’t see how American can knowingly allow any unauthorized third-party plug-ins to access their website.

      Even their partners are limited in the amount of information that they can retrieve from American’s databases. Using an API and doing it the way it’s supposed to be done, American is able to control how much and what kind of data they allow outside of their system. Points.com might be able to access your account balance, but they don’t have access to your passport, reservations, credit card info.

      That’s the way companies share user data. Facebook works this way. Banks work this way. Google works this way. Medical providers work this way. The government works this way.

      I can admire that AwardWallet cares enough about keeping their customers happy that they’d go through the expense and effort to try the plug-in strategy, but a browser plug-in is not the way to do it.

      It’s not difficult to imagine some kind of scenario, where despite all kinds of precautions, some evil gang crafts some kind of malware and disguises it as a legitimate third-party plug-in and causes some kind of mischief. Maybe the odds are 1 in 100 million that it will happen, but there are plenty of people employed in Fortune 500 companies that are tasked with worrying about those 1 in 100 million chance security breaches, and they’re not paid to take risks.

      There are too many States Attorneys General, plaintiffs’ lawyers, and grand juries ready to hold American and any other company accountable for the way user data is secured and accessed, and the stakes are just too high for any organization to allow others to use that data without going through an internal review process.

      To stand in front of a jury and claim that folks at AwardWallet seemed like a great bunch of people, or “we couldn’t help it... it was none of our business... it wasn’t our responsibility... there was nothing we could do about it... that’s what our users wanted” isn’t going to be much of a defense. To allow one exception is to allow them all.

      For all the understandable sense of outrage that many loyal AwardWallet users may have, it’s nothing in comparison to the sense of outrage that a good class action attorney can display in front of a jury.

      I’m probably not going to be able to change your mind, and I’m not sure that you could make me change mine either, but I appreciate you sharing your thoughts on the topic. Thanks for adding to the discussion.

  7. I think we need to clarify how the technology works to understand how ridiculous AA’s action is. I agree with you totally that AA needs to safe-guard the information we saved in our AA account and make sure every access attempt to that information, either through AA.com or any interface AA published, is fully authenticated and authorized and information is transmitted securely.

    AW or Yodlee are not AA’s partners. They don’t have a backdoor to AA or any special treatment from AA to access AA’s system in any special way that we can’t already do ourselves. Contrary to what you seem to believe, AA is not giving some ‘API’ for AW to use; otherwise they could just block AW from using those APIs instead of getting lawyers involved. AW/Yodlee/Mint or any other account aggregation services depend on ‘screen-scraping’ to pass our user name and password to the standard AA.com website, then parse the information returned from AA.com and display it on their portal. From AA’s side, those are just regular HTTP requests to AA.com. AA is not responsible as long as AA.com meets common security standards. Hackers may steal the information from these aggregation services or steal our username and password from our local computers or steal my printouts or notes from the trash; AA is not at fault as long as AA.com itself is not breached, i.e. all the accesses to it are still authenticated with the proper username and password.

    The AW plug-in basically runs the same screen-scraping scripts in our browser instead of on AW’s server. It is no different than allowing your browser to remember your password: maybe not secure, but totally your decision to make.

    AA will be held responsible if their system is breached, but never cares if some hackers steal our information from our local computers. AA didn’t go after the hackers when viruses were found on our computers, nor did they send letters to Microsoft when IE’s security flaws were discovered, because they know they will not be responsible for that. Now they go after AW just because they think AW and its plug-in make our computer and information less secure? Yeah, right.

    • @ bmguan – Maybe I didn’t do a very good job of explaining my view, but I know that AwardWallet isn’t using an American Airlines API, and I understand that they’re screen scraping.

      And that was my point: AwardWallet should be using an API and they should not be using screen scraping.

      I can appreciate that you are able to fully understand the risks (if any) of letting a third-party plug-in access your info, and that you’re perfectly willing to hold AA harmless in that regard. But in a country of 311 million potential litigants, not everyone is as rational or honorable as you are.

      I don’t think it’s unreasonable for American to, in effect, say to AwardWallet, “Hey guys, if you want to come in, you have to ring the doorbell and come in through the front door like everyone else”.

      Anyway, I do appreciate you explaining your thoughts on the topic.

  8. I’m not sure the general analysis here is correct, or rather it is a foregone conclusion. At the end of the day we don’t know AA’s real reason for cutting off award management vendors. For it’s not just AwardWallet; AA doesn’t work with Yodlee either. It may be that neither AwardWallet nor Yodlee have proper integration and security and therefore AA doesn’t want their customer data compromised. I’m sure that’s true to some extent. However, I wonder if the real motivator isn’t $4 billion in revenue and 2 trillion unused miles (http://www.bing.com/travel/content/search?q=Can%20Frequent-flier%20Programs%20Work%20for%20You%3F).

    Much of the economics of airline miles relies on breakage. That’s where a consumer is entitled and able to redeem rewards but for various reasons doesn’t get around to it. I hear stories from colleagues all of the time about how they lost 10,000 miles here or 20,000 miles there due to expiration.

    Call me cynical but services like Yodlee, AwardWallet, MyRewards Tree, and others enable users to be alerted when their miles have hit milestones or even if they are about to expire. That leads to higher miles redemption rates which cuts into the profits of airlines and exposes billions in miles liability.

    Again no one but AA knows the real reason, but this article slants the reason for cutting off award management as AA acting in the best interests of its customers when in fact it may be just the opposite.

    • @ Edward – Thanks for taking the time to share your thoughts. I don’t disagree with your point about the airlines and frequent flyer programs in general, and in my post I mention that it’s possible that American’s decision wasn’t based entirely on security considerations, but I stand by my view that the IT security implications of having AAdvantage account info and passwords in a database outside of American’s control is a valid reason for them to object to a third party storing that information.

      I think that American keeping that data protected and under their control is in the interest of their customers.

      I don’t doubt that the American marketing team probably didn’t like the idea of Award Wallet, but the AA risk management, loss prevention, and security departments were probably way more upset.

      I know that some may think that I’m being an AApologist (and again, for the record I like Award Wallet), I just think it’s unfair for people to claim that American (and Southwest) don’t have valid security reasons for blocking unauthorized access to their customer data.

      I do appreciate you taking the time to share your thoughts at length (thanks for reading too).

  9. Your understanding of mint.com is incorrect. They store the username and password, same as AwardWallet. Before the acquisition, they used Yodlee (using Intuit’s own now), which scrapes from a login to the website. You may notice with mint.com that if there is a website redesign, it breaks the connection. Well, that’s because they are not using (for the most part) this super secret API you describe; they’re scraping the markup. There is 0 difference.
