A long, long time ago, while I was still living in Canada, I signed up for a credit card that gave me Aeroplan points. Those are kind of like air miles except that you have to redeem your points for miles, rather than accruing miles directly. You don’t just need to use your points for travel, though. You can get stuff like iPods and printers and routers (oh, my!). The drawback is that it takes thousands and thousands of points to go anywhere. To go from Seattle to Winnipeg, it takes 25,000 points. Since a flight there (in US dollars) is currently $550 in October, this works out to 1 point = $45. For a normal air miles card it is usually 1 air mile for every $20 spent. This means that my Aeroplan card is approximately twice as expensive as my dad’s air miles card. It’s kind of a ripoff. Yet at the time, it was all I had.
The reason I still have it is that I accrued a lot of miles while I was living in Canada. Yet I don’t use it anymore now that I am living in the United States because it doesn’t make good financial sense to always have to do the exchange rate conversion of US dollars into Canadian dollars (Visa will not switch it to a US dollars account). So, I had a card I didn’t really use but had many thousands of aero-points on, almost enough for a trip to New Zealand (but not back). But the plan was to use them at a strategic time.
Well, this past year American Express offered me a gold card that also offered points for every purchase, 1 point for every $1 purchase. I never really understood why the Amex gold card was such a great deal. They explained all of the benefits – anti-fraud protection, an annual fee of $35, a high interest rate, 24/7 emergency assistance, and rewards. In other words, it’s like just about every other card out there. It’s really not that great a card at all from what I can see, other than the ability to earn points. I wouldn’t have considered it except for two things:
- As a Canadian living in the United States, I did not exist at all to all American credit bureaus (credit card companies, banks, car insurance) before September 2007. This makes it difficult for me to get a credit card, and therefore, build credit. When I saw that I was pre-approved, I decided it was worthwhile going for it.
- The rewards program made it possible to link my purchases to my existing Aeroplan on my other credit card. This meant that I could make purchases in US funds and have the air travel points applied to my existing account so I wouldn’t have to start from scratch. I was pre-approved and so the glide path to card acquisition was smooth.
Because of these two offers, I decided to acquire the card. If I am going to be paying for stuff, I may as well get air travel points. Some people prefer cash back, I prefer air travel points because I like to travel.
The whole problem starts when I start looking to redeem my Aeroplan points. I don’t fault Amex at all, they are doing a fine job (other than the fact that their card is not better than most other cards out there). Aeroplan is proving exceedingly frustrating to use. It’s virtually impossible to travel with them. For one thing, I can only travel on Air Canada. This was not a problem while I was living in Canada (in fact, it was a requirement), but now that I live in the US, it’s kind of inconvenient. I could drive up from Seattle to Vancouver and fly out of there… or I could just fly out of Seattle.
The real problem, though, is all of the fricking black out dates. I can’t travel around Christmas, Thanksgiving (Canadian or American), Labour Day (yeah, that’s right, I spelled it with a ‘u’), or even Sundays! In other words, they make it as inconvenient as humanly possible when handing out their “reward” flights. I’d like to fly over a weekend since I only have limited time off. I want to fly back on a Sunday. Not with Aeroplan!
But if that weren’t enough, I may have been able to handle that. The last straw was their password policy. I regularly forget my password to sites I infrequently log in to (insurance, credit card, etc). Aeroplan is no different. I don’t log in to that because I never travel anywhere. And if you think about it, once I used up all of my points, it takes forever to rebuild them and so there is no point (pardon the pun) in logging in frequently. It’s like watching paint dry. I can’t buy anything anyhow so why bother logging in frequently. Heck, does anyone log in to their site frequently?
Because I don’t log in regularly, I forget my password all the time. I also don’t save it in my browser. So almost every time I visit the site, I have to reset my password. This is annoying, but it’s my own fault. But what isn’t my fault is aeroplan.com’s lame password policy. I tried to make a decently secure password, but couldn’t. I was not permitted to use non-standard characters like !, @, #, $, % or &. What the heck? I like tossing in those characters in order to make my password secure! Obviously, the reason they do that is to prevent SQL injection attacks that make use of those special characters. They’ve decided to compromise customer security for the tradeoff of not doing input sanitization to prevent those types of attacks.
But not only that, not only can those special characters not be used, passwords are restricted to 12 characters or less. I tried to enter in a 15 character password, one I could easily remember (seriously). But instead, Aeroplan kept saying that there was some sort of error. They couldn’t be bothered to tell me what error, only that there was some error. I tried to re-enter my password again and again but they wouldn’t hear of it. I then thought to myself that if their password policy is weak, then maybe they are restricting on the character size. I entered in an 11 character password, and what do you know? It worked! I wasn’t happy that it worked, I did the smiley face where I was experiencing mixed emotions:
Quite frankly, if you allow a web login you should permit users to enter in passwords of any length they wish (or maybe restrict at 32 instead of 12 or whatever they were doing) and allow special characters to be used. They should validate the input to ensure that SQL injections or cross-site scripting cannot occur but when it comes to passwords, an attacker can guess it if all you do is allow lower case. Perhaps most users do use all lower case, but you shouldn’t be requiring it. Sheesh.
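As an added illustration (not part of the original post, and not Aeroplan's code): a site can accept long passwords containing quotes and symbols without any injection risk if the password only ever feeds a key-derivation function and every database value is bound through a placeholder. The table layout, the 128-character cap and the PBKDF2 iteration count are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_LEN = 128          # assumed generous cap, only there to bound hashing cost
ITERATIONS = 200_000   # assumed PBKDF2 work factor for this sketch


def open_db():
    """Create an in-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def _derive(password, salt):
    # The password is only input to the KDF; the database never sees its
    # characters, so there is nothing in it to filter or forbid.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(db, name, password):
    """Store a salted hash; reject only empty or absurdly long input."""
    if not 1 <= len(password) <= MAX_LEN:
        raise ValueError(f"password must be 1-{MAX_LEN} characters")
    salt = os.urandom(16)
    # Placeholders keep user-supplied values out of the SQL text entirely.
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
               (name, salt, _derive(password, salt)))


def check_password(db, name, password):
    """Return True only if the password matches the stored hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None or len(password) > MAX_LEN:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _derive(password, salt))


if __name__ == "__main__":
    db = open_db()
    sample = "it's; a-long!@#$%& passphrase"   # constructed sample password
    set_password(db, "alice", sample)
    print(check_password(db, "alice", sample))        # full password
    print(check_password(db, "alice", sample[:12]))   # truncated to 12 chars
```
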
So as you can see, I am not happy with Aeroplan. A poor customer experience, tossed in with poor security practices, does not a happy security guy make. If you want an example of a good customer experience, check out Mint. That one is very good, kind of the opposite of Aeroplan.