United Airlines has taken flak for lax security on access to customer accounts. A year ago it was the target of a significant attack on MileagePlus member accounts and since then there were a number of changes in place, like blocking logins with a password or username; customers were required to use their account number and PIN instead. It seems like the company is finally ready to better secure authentication to the accounts. Almost.
Logging in today will earn you a prompt to update your profile, adding a password and security questions and eventually disabling PIN-based access for the website. That’s all well and good if it were working properly. But it is not. Multiple customers have reported completing the tasks and then being locked out of their accounts as the “reset password” part of the process isn’t actually happening. Oopsie.
UPDATE: I’ve heard from United and this is by design:
[W]e’re only going to prompt members to create new passwords if their existing ones don’t meet the new requirements of being a minimum of eight characters, including at least one letter and one number.
Of course, if you’re like me and have no idea what your password is that’s not very helpful. I guess the lesson here is to reset your password before going through the security question process which disables PIN access to the account.
I also wonder about the questions being used to secure the accounts (There are others, apparently, but these are the ones I saw):
- What was the make of your first car?
- What color was the home you grew up in?
- What was your most favorite fruit or vegetable as a child?
- What is your favorite type of reading?
- What is your favorite flavor of ice cream?
- What is your favorite type of music?
- What was your favorite subject in school?
- What is your favorite pizza topping?
- When you were young, what did you want to be when you grew up?
- What is your favorite sport?
- What is your favorite type of movie?
- What was your least favorite fruit or vegetable as a child?
- Who is your favorite artist?
- What is your favorite musical instrument?
- What is your favorite sea animal?
- What is your favorite breed of dog?
- What is your favorite warm-weather activity?
- What is your favorite type of vacation?
Answers must come from a pick-list provided by the company rather than free response. One of the options for the “sea animal” answer is simply “fish” while it also includes a few birds. The ice cream pick list includes both Vanilla and Vanilla bean; apparently there is a difference.
I get the reasoning behind this type of question: They are generally not things which can be deduced from public information databases making it harder for a hacker to figure out what the answers would be. But they’re also things which I suspect many people will have trouble remembering their choices for. Did I pick Klimt or Rembrandt as my favorite artist? Dolphin or Porpoise (and do I know the difference)? Was algebra my favorite subject in school or just plain old math? Or maybe it was trigonometry or geometry? That was 20 years ago and I’ve not thought about it much in the intervening time.
There are a variety of two-factor authentication options out there which would likely be more secure and easier to implement. With the added bonus of not requiring every member to rebuild their account to log in, creating opportunities to forget the settings and ultimately reducing the security on the accounts. I know I’m going to end up writing my answers down somewhere so I don’t lose them. And that’s generally bad for security.
But the more important part is how the site is not actually working properly for configuring the settings, specifically around the password. That’s just bad news all around. Hopefully that gets fixed soon. In the mean time, however, I’m going to be riding out the 30 day grace period at least a little longer. No rush on my part to get into a worse state.
Oh, and you still need a PIN to perform transactions over the phone, so that’s not going away entirely.
Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.
I completed it yesterday on the mobile website – not app –and have been able to get in just fine since then on the website, the mobile website, and the app. So it must’ve worked for me. What I worry about is when you call the service desk they ask for your PIN, and I remember reading sometime ago that if you had a password rather than a PIN, the agents couldn’t get in to help you. I’m not going to invent some reason to call for help and see if that happens, but next time I need agent help, I hope the password works for them and they don’t need a PIN which I know longer have.
As for the questions, yes, frustrating. When I was little I wanted to be an architect when I grew up, but the closest available alternative on their mandatory drop-down list was archaeologist!
note the questions and answers you gave in your password manager for easy retrieval in the future. problem solved.
Please keep us posted if you hear about a fix. Traveling United next week and don’t want to get locked out.
Answered the questions earlier today. Now I am locked out.
I dislike those questions. They should be facts that don’t change, not opinions that will shift. And with forced choices, I’m even less likely to recall what I put, since it’s probably not my real choice. The idea shouldn’t make it to be the equivalent of an extra password that you need to note, track and keep accessible to you, but to be a fact that you know from memory but someone who is not you won’t know.
Totally agree with Dave. I am sick to dear of all the “favorite” questions everywhere. Recently, I had to choose 3 questions for an account and all but TWO were “favorites!” My favorites change daily, and I have no clue what they were as a child. Is that really so uncommon? Are most people so inflexible that their favorites are constant over years? Maybe that refusal to change is what’s wrong with our country (or half of it, anyway ). Whew, I feel much better. Thanks for letting me get that off my chest. Yours is my favorite blog. ; )
Any updates on this? I have put off changing my login, but I know changing is coming.
Yes. Is it safe to go in the water now?
This is not a serious blog about travel. Author is a travel agent just trying to make a few dollars on click ads and credit card references. I guess as are most of them.
Sure thing, boss. You can tell because all the CC links I push in every post. Which is zero.
Thanks for paying attention.
There is not serious and then there is dumb.
Having a travel blog and not pushing credit cards is walking away from money and dumb, serious writer or not.
Tell be about the state of this blog topic: Safe to update? Any idea?
I’m glad you’re so concerned about my cash flow. Turns out my business model is working just fine, thanks.
I wrote a quick update about this situation: http://blog.wandr.me/2016/03/quick-update-uniteds-account-security-changes/.
Short, short version is go ahead and do it but reset your password first, just in case.