A Wellington computer consultant is concerned about what he feels is poor security in the AA Rewards card scheme.
But AA Rewards says it has had no complaints from its other 7500 members.
The scheme, launched in February, allows AA members to collect and spend drive points at BP petrol stations, Firestone Direct, Budget Rent A Car and the AA, in a similar way to the Fly Buys scheme.
Wellingtonian Jim Towler is concerned about the 0800 number which allows members to use an IVR (interactive voice response) system to check their points. Members key in their membership number (printed on the membership card) and hear their last five transactions and the points earned.
Although Towler is impressed by the scheme, he is concerned there is no PIN security on the IVR system. “My only security is to not use the card, and not get the points, and not get the free goodies.”
If someone knows his card number, they can trace the date he bought something, what business he bought it at, and the amount to the nearest $10.
Towler complained to the AA, but felt it wasn’t concerned.
AA Rewards general manager Sue Strange says AA Rewards has offered Mr Towler the opportunity to have the IVR system disabled in his case, while still allowing him to speak to a customer service representative for points information. It will do likewise for anyone with concerns.
Strange says that under the terms and conditions of the rewards programme, it is the member’s responsibility to keep their card and card number secure, just as with credit cards. Towler acknowledges that point. “But with a credit card my maximum liability is $50. I consider my privacy worth more than that.” He concedes it would be hard for anyone to exploit the information.
However, if someone got the card number of a high-profile person — like an MP — they could build up a profile of where they had spent their money. He says it will be more concerning if the scheme is extended to more businesses.
Strange questions what use the information would be. “All you hear are details of transactions. You’re not going to be able to do anything with it ... There would be no pecuniary advantage gained.” She questions what sort of person would bother using the card to build up a profile.
Towler says AA Rewards should have PIN security and the IVR information should not be provided unless a member has actively set it up. He says such privacy issues will be more important as smartcard and IVR technology use grows.
Strange says PIN security might discourage people from using the IVR, but could be considered if the system developed to allow members to do something with their points over the telephone. She says the privacy commissioner has raised no concerns about the scheme and that the terms and conditions have been vetted legally and comply with the Privacy Act.
Averill Parkinson, senior solicitor for Clendon Feeney, says that if the AA is willing to disable the service for anyone with concerns, that is consistent with the Privacy Act. “It’s more about being fair and reasonable than strict breaches.”
If the terms and conditions outline what the information will be used for, then that also complies.