Chase Will Ban Third Party Apps That Use Your Password To Screen Scrape Their Site

If you use Award Wallet to check your frequent flyer account balances, you give them the username and password for your accounts and with a single click they check your accounts for you (and you can log in with a single click as well).

Award Wallet and other services are going to have to change the way they interact with Chase, and the information they’re able to get may be limited. J.P. Morgan Chase says they are going to ban third party platforms from accessing accounts using customer passwords. In its place they will offer a ‘token-based system’ so that websites and apps can access customer Chase accounts with permissions and see “a narrow range of data in a secure form.”


Copyright: jetcityimage / 123RF Stock Photo

The good news is that Chase isn’t taking the Delta Air Lines and Southwest Airlines approach, simply trying to shut down third party sites that provide useful services to their customers. Instead Chase’s Head of Digital Bill Wallace suggests that the move to tokens “should neither deter customers from trying new platforms, nor prevent apps from providing services to them.”

In other words they see a security risk in the current approach and want to improve security, not eliminate innovation or make it harder for customers to get the services they want if they bank with Chase. Yodlee, apparently, is already using a tokenized system with Chase.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Pingbacks

Comments

  1. I stopped giving Award Wallet updated passwords for my airline and hotel accounts in 2018. While they offer a very convenient/useful service, in the event Award Wallet ever gets hacked, ALL of your airline/hotel passwords and point balances could (theoretically) be compromised at the same time. Not worth the risk to put all my eggs in one basket IMO, although I’m sure most others are fine with it.

  2. Chase, Citi, and BoA all switched to token-based with Mint last year. Still waiting for Amex to do it…

  3. I hope they keep access to AW…I LOVE it to be able to see all my balances at a glance, it seems like we’re at risk of EVERYTHING being hacked. If they can hack our damned voting machines, military personnel and SPY personnel records for crying out loud, they can hack anything so I may as well use the conveniences available to me. From what I can see there are people who have more points or miles in one account than I have in all my little accounts combined so I’m sure they can find bigger fish to fry than me. I also like the feature that shows me where I can get the most points earning. I wish it had a feature like cashback monitor built into it so you can figure out best ways to double or triple dip when earning points. Award Wallet is AWESOME!

  4. I don’t need award wallet to check my banks. Just airlines, hotels and rental car accounts. Chase doesn’t own those.

  5. I understand the convenience of it but I don’t think it is worth the risk. Similar to some financial apps that gather all your financial information. The gain vs. potential loss is too great for me. If I loss one account it is a pain but losing and dealing with a bunch of accounts would be a nightmare.

  6. Hi, senior information security architect here. AwardWallet supports multi-factor authentication and I recommend that people use this. Combined with a strong password, it’s as safe as any other password management tool.

  7. This is how they connect to AA (which means the update is much faster) so hoping they can work with Chase, too.

Leave a Reply

Your email address will not be published. Required fields are marked *