This sounds nuts. Are people still entrusting bearer tokens to third parties? I haven't seen that done in at least 10 years. Surely it's prohibited by the ToS of the first party providers?