United Airlines has taken flak for lax security on access to customer accounts. A year ago it was the target of a significant attack on MileagePlus member accounts, and since then a number of changes were put in place, like blocking logins with a username and password; customers were required to use their account number and PIN instead. It seems like the company is finally ready to better secure authentication to the accounts. Almost.
Logging in today will earn you a prompt to update your profile, adding a password and security questions and eventually disabling PIN-based access for the website. That would all be well and good if it were working properly. But it is not. Multiple customers have reported completing the tasks and then being locked out of their accounts, as the “reset password” part of the process isn’t actually happening. Oopsie.
UPDATE: I’ve heard from United and this is by design:
[W]e’re only going to prompt members to create new passwords if their existing ones don’t meet the new requirements of being a minimum of eight characters, including at least one letter and one number.
Of course, if you’re like me and have no idea what your password is, that’s not very helpful. I guess the lesson here is to reset your password before going through the security question process, which disables PIN access to the account.
I also wonder about the questions being used to secure the accounts (There are others, apparently, but these are the ones I saw):
- What was the make of your first car?
- What color was the home you grew up in?
- What was your most favorite fruit or vegetable as a child?
- What is your favorite type of reading?
- What is your favorite flavor of ice cream?
- What is your favorite type of music?
- What was your favorite subject in school?
- What is your favorite pizza topping?
- When you were young, what did you want to be when you grew up?
- What is your favorite sport?
- What is your favorite type of movie?
- What was your least favorite fruit or vegetable as a child?
- Who is your favorite artist?
- What is your favorite musical instrument?
- What is your favorite sea animal?
- What is your favorite breed of dog?
- What is your favorite warm-weather activity?
- What is your favorite type of vacation?
Answers must come from a pick-list provided by the company rather than free response. One of the options for the “sea animal” answer is simply “fish” while it also includes a few birds. The ice cream pick list includes both Vanilla and Vanilla bean; apparently there is a difference.
I get the reasoning behind this type of question: they are generally not things which can be deduced from public information databases, making it harder for a hacker to figure out what the answers would be. But they’re also things which I suspect many people will have trouble remembering their choices for. Did I pick Klimt or Rembrandt as my favorite artist? Dolphin or Porpoise (and do I know the difference)? Was algebra my favorite subject in school or just plain old math? Or maybe it was trigonometry or geometry? That was 20 years ago and I’ve not thought about it much in the intervening time.
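As an added illustration of the point above (this is example code written for this page, not anything from United or the original post), the following Python puts rough numbers on how much guessing resistance pick-list questions provide, compared with the minimum password policy United quoted (eight characters, at least one letter and one number). The pick-list sizes are assumptions, since the post does not say how many options each list offers; the figures are upper bounds because they treat every option as equally likely.

```python
import math

# Constructed for illustration only: the post does not give the number of
# options per pick list, so these sizes are an assumption, not United's figures.
ASSUMED_PICK_LIST_SIZES = [20, 20, 20]


def pick_list_combinations(list_sizes):
    """Total number of distinct answer sets for the given pick lists.

    This is the whole search space an attacker would have to cover if the
    answers were chosen uniformly at random and independently.
    """
    return math.prod(list_sizes)


def pick_list_bits(list_sizes):
    """Guessing entropy (in bits) of a set of pick-list questions.

    Assumes independent answers and a uniform choice within each list, so this
    is an upper bound: real answer distributions are skewed toward popular
    options, which only makes the true figure lower.
    """
    return sum(math.log2(n) for n in list_sizes)


def password_policy_bits(length=8, alphabet_size=36):
    """Upper-bound entropy of a password at the quoted minimum length.

    alphabet_size=36 assumes case-insensitive letters plus digits; pass 62 for
    a case-sensitive comparison. Either way, a uniformly random password of
    the minimum length dwarfs a handful of pick-list answers.
    """
    return length * math.log2(alphabet_size)


def meets_quoted_policy(password):
    """Check a password against the policy quoted in the post: at least eight
    characters, including at least one letter and at least one number."""
    return (
        len(password) >= 8
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    print("pick-list answer sets:", pick_list_combinations(ASSUMED_PICK_LIST_SIZES))
    print("pick-list bits:       ", round(pick_list_bits(ASSUMED_PICK_LIST_SIZES), 1))
    print("min-password bits:    ", round(password_policy_bits(), 1))
    print("'abcdefg1' ok?        ", meets_quoted_policy("abcdefg1"))
```

The useful takeaway for anyone designing knowledge-based authentication is the gap between the two figures: three questions with twenty options each give only about 13 bits, so a pick-list scheme is only defensible when it is one factor alongside another and is backed by strict lockout and rate limiting, never as a stand-alone replacement for a password.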
There are a variety of two-factor authentication options out there which would likely be more secure and easier to implement, with the added bonus of not requiring every member to rebuild their account to log in, which creates opportunities to forget the settings and ultimately reduces the security of the accounts. I know I’m going to end up writing my answers down somewhere so I don’t lose them. And that’s generally bad for security.
But the more important part is how the site is not actually working properly for configuring the settings, specifically around the password. That’s just bad news all around. Hopefully that gets fixed soon. In the meantime, however, I’m going to be riding out the 30-day grace period at least a little longer. No rush on my part to get into a worse state.
Oh, and you still need a PIN to perform transactions over the phone, so that’s not going away entirely.