Two recent blog posts, and an article about a massive data breach at Wyndham Hotels and Resorts and Cunard Cruises prompted me to post about the topic. View from the Wing & Frequently Flying both posted about American Airlines lack of participation with AwardWallet. It’s frustrating not to be able to track your miles. I know, I love my miles too and I love to track them with one vendor. However, there is an inherient risk any time your provide your personal data over the internet and everyone should be aware of them.
Let’s look at the most recent major security breach to hit the news. On June 26, 2012, the Federal Trade Commission (“FTC”) filed a complaint against Wyndham Worldwide Corporation and 3 of their subsidiaries. The complaint alleged that the company’s failure to adequately safeguard customers’ personal information led to millions of dollars in losses to fraud. The complaint alleges that Wyndham’s privacy policy misrepresented the security measures it used to safeguard personal information. The complaint also charges that Wyndham, after the first breach, failed to fix security vulnerabilities which the FTC claims resulted in two additional data security breach incidents in less than two years.
In the most recent data breach, just announced last week, Cunard Cruise lines was forced to shut down its online booking system after accidentally sending the personal information of more than 1,200 passengers to an undisclosed number of people who are registered users of the Cunard website. Members started posting a spreadsheet they had received from Cunard on chat room discussion boards and it contained the personal data of passengers – including passport numbers, names, dates of birth and other personally identifiable information.
American Airlines has every right to be worried about the transmission of secure data through third-party vendors. Major corporations like Wyndham and Linked In all are becoming victims of sophisticated (and probably some not-so-sophisticated) hackers. Last month, Russian hackers stole 6 million passwords from Linked In. In 2010, American Airlines itself was the victim of a data breach when a hard drive containing private employment records from the years 1960 to 1995 for over 79,000 employees went missing.
Airlines, hotels and most of all, consumers should demand security, not convenience. The question I would be asking isn’t why American doesn’t participate with AwardWallet, but what risks were present with AwardsWallet’s app that prompted American Airlines (and others) not to participate. How can you protect yourself?
- At a minimum, consumers should not use website that are not secure (look for the https in the web address) and when you’re providing your personal information – including passwords – be sure that you’re using a trusted source – I bet no one who checked into Wyndham hotels thought they’d be the victims of credit card fraud.
- If a site’s security certificate is out of date or expired, don’t use that site.
- Check out the vendor to see if they are PCI compliant – PCI is an international credit card standard meant to protect consumers personal credit card data
- Companies who host data (especially if credit cards and secure data is involved) shouldbe SAS-70 or SSAE 16 compliant. SAS-70 and SSAE 16 are auditing standards developed to assesses a service organization’s internal controls.
- Create very secure password – please don’t use Password123 – and be sure to reset your passwords frequently. In addition, don’t use the vendors name in your password – many of the LinkedIn passwords that were exposed contained the word “LinkedIn” or some variation. Hackers are smart enough to go try your password on say, Twitter and just replace “LinkedIn” with “Twitter” and next thing you know, your Twitter account is hacked too
- Don’t give out your password. Last week, when I had such trouble with Points.com, they asked me to provide my password to them via email. Don’t ever provide your password via email.
While I’m still not quite at peace with AA for locking us out of AwardWallet, I recognize that I am not a security expert. Hoping AwardWallet can find a way forward with AA.
@Marshall – says the man whose credit card is being used in the Bahamas 🙂 I hope that they all figure out a way to make our data more secure too!
You have the option to store passwords on your own computer and not AwardWallet’s servers.
The AwardWallet plugin meant that your American Airlines account number, password, and account information never even passed through AwardWallet’s servers. AwardWallet never even had access to your account balance, let alone your login information.
American does allow Points.com to store your account information and check your balance in the same manner that AwardWallet was doing. They may say they like Points.com security processes better, though of course they won’t say why. But AwardWallet is a Points.com technology partner…
(Meanwhile American won’t let services that the banks are happy to store and allow access to information, either.. much more important, valuable, costly to compromise data held to a higher security standard.)
American said, when pulling the plug on AwardWallet’s plug-in, that:
(1) they could not “permit websites that have not satisfied our security requirements the access needed to track AAdvantage balances”
(2) that they were “in the process of qualifying a number of other mileage tracker websites”
Except they had not even told the websites in question at the time what those security requirements WERE, what risks they saw in the specific cases, or what those sites would even need to do in order to have access.
Put a different way, the notion of being ‘in the process of qualifying’ mileage tracker websites must have been in such an earlier process that they hadn’t even told those websites about it yet!
And that their concerns about those sites having met security requirements was an interesting claim, since they wouldn’t even tell those sites what the concerns were.
So we can dig into the particulars of whether it would be legitimate to have security concerns in any given instance.
But the circumstances certainly suggest that security concerns were a smokescreen in this case.
Gary, I am so happy you brought this up. I tried explaining this over an over but most people do not seem to understand what we did with the browser plugin. You are exactly correct in saying:
“The AwardWallet plugin meant that your American Airlines account number, password, and account information never even passed through AwardWallet’s servers. AwardWallet never even had access to your account balance, let alone your login information.”
So the security concern American could have is internet browsers accessing their site. Not AwardWallet servers – but end users’ browsers. So today if you save your password when the browser prompts you, you can actually go and see that password in clear text. Our plugin actually encrypted the password so I could argue that our level of security was higher than that of a regular internet browser. As far as our database goes – it did not have any of AA data after we released the plugin so there would be no AA data to steal from us.
Thanks,
-Alexi from AwardWallet.com
I should add that there will always be tradeoffs between security and usaility, and *even if* the concern were really security (which seems doubtful) I still believe AAdvantage is striking the wrong balance.
@Alexi – minor quibble, at least when I access AA.com via Google Chrome I am not prompted to save my password.
@Alexi – thanks for the comments. It would be really interesting to see what American’s reasoning is (beyond the marketing side of it).