Yet another post-it for the underside of the keyboard.
United Airlines has renovated the security on its frequent flyer scheme "MileagePlus" by requiring users to answer one of five security questions and enter a password when they log on. The airline sent emails to customers requesting they update their security from weak, short PINs to complex passwords. The new codes require …
Thursday 21st April 2016 11:12 GMT theblackhand
Thursday 21st April 2016 14:15 GMT Version 1.0
It turns out that all those questions are just for the password reset mechanism. I just logged in, answered a couple of the questions and reset my password in less than a minute. I know it looks bad on the face of it but if you have to do it then it's quite simple.
Of course, I had to look up the answers - they were written down.
Thursday 21st April 2016 07:25 GMT Linker3000
That long eh!?
So...longer than an 8 hour wait at SFO before your flight to LHR is finally cancelled and you have to fly to Dulles and eventually arrive back home over one day late...and no you can't use our lounge while we dick around trying to work out how to get you home?
I refuse to fly United now .. all subsequent business flights have been with Virgin Atlantic.
Thursday 21st April 2016 07:38 GMT chivo243
Re: That long eh!?
I jettisoned United out the airlock back when they lost my frequent flier miles during the merger with Continental. They claimed they sent an email telling me at the time of the merger to check if my miles were intact. No such message arrived...
There is nothing like a 36 hour dicking around tour of the states, been there done that, late for work by a day...
Thursday 21st April 2016 07:48 GMT Dan 55
Thursday 21st April 2016 08:25 GMT Anonymous Coward
Re: Kill all the security questions now
Yes, these should have never been created. Whoever the ignorant person was who first suggested them should be shot.
I just treat them as alternate passwords, and create nonsense answers for them that I keep in an encrypted file organized by site. It is so easy to find out someone's mother's maiden name, the school they went to etc. that it is criminal to treat that as adding security. In most cases by allowing password resets if you know one such answer you reduce security.
If the hacker has control of your email it's game over, if they don't they might be able to use social engineering on the company ("it said it sent the password to me but I never got it, I know my ISP has really aggressive spam filters that have blocked other emails I didn't want blocked, but I can't do anything about that, can you help me?")
Thursday 21st April 2016 08:33 GMT Anonymous Coward
Re: Kill all the security questions now
10000% agree with you on the 'using wrong answers' to stupid questions like mother's maiden name.
I use my grandma's first name and deliberately spelt wrong. I can remember that easily enough.
As for my school, I use one that never existed (and no it is not Hogwarts)
I really don't want to remember my school days. I am probably not alone there. Not a happy time if you were not in the 'In Crowd'.
Thursday 21st April 2016 08:48 GMT The Alphabet
Thursday 21st April 2016 09:18 GMT Anonymous Coward
Thursday 21st April 2016 11:31 GMT FrogsAndChips
Airline miles do have a value on the black market (300,000 airline points for $90 USD, according to Dell's SecureWorks), so some people must have found creative ways to make the transactions not so traceable - guess they don't care about reversibility once they've cashed in the miles.
Thursday 21st April 2016 09:22 GMT Version 1.0
So of course ...
Everyone has to write down the answers to all these questions on a piece of paper in their wallet or keep a list on their phone. My bet is that they will change this soon as their customer service/support department will be swamped with reset requests from customers who've lost their password and can't remember all the answers to these stupid questions.
All they need is a strong password. I think they are probably just trying to make it difficult to log in and collect the bug bounties.
Thursday 21st April 2016 11:58 GMT FrogsAndChips
it's worse than I thought
I did the exercise of setting my security questions/answers.
I already thought that providing a pre-determined list of answers is a bad idea (even if it protects you from typos), because all crackers need to do is enumerate.
But then I tried the ‘Forgot my password’ experiment. What they ask in the first place is card number or username, then first and last name, so don’t lose your card and don’t choose an obvious username.
Then you are presented with 2 (!) questions with a list of 10 (!) possible answers (when setting the answers the list was much longer but they’ve reduced it for the security checks). And voila, password changed!
So statistically you only need 100 tries, even less with a little bit of guessing (all kids hate Brussels sprouts), to reset a password and take possession of an account.
Nicely done, guys!
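The arithmetic in the comment above, generalised into a defender's sizing check, as an added example that is not part of the original thread and is not United's code. It assumes the same questions and answer lists are shown on every attempt; `ResetLimiter` and all function names are hypothetical.

```python
import hmac
from fractions import Fraction

def guess_space(questions: int, choices: int) -> int:
    """Distinct answer combinations a multiple-choice reset form accepts."""
    return choices ** questions

def takeover_probability(questions: int, choices: int, attempts: int) -> Fraction:
    """Chance that blind guessing passes the reset check within the allowed
    attempts, assuming no combination is tried twice (assumption: the form
    shows the same questions and lists each time)."""
    space = guess_space(questions, choices)
    return Fraction(min(attempts, space), space)

def min_questions(choices: int, attempts: int, max_risk: Fraction) -> int:
    """Fewest multiple-choice questions that keep blind-guess risk at or
    below max_risk for a given lockout budget."""
    q = 1
    while takeover_probability(q, choices, attempts) > max_risk:
        q += 1
    return q

class ResetLimiter:
    """Hypothetical in-memory per-account lockout for the reset flow."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, account: str, submitted: tuple, expected: tuple) -> str:
        # Once the budget is spent, even a correct answer no longer resets:
        # the account has to go through a different recovery channel.
        if self.failures.get(account, 0) >= self.max_failures:
            return "locked"
        a = "\x1f".join(submitted).encode()
        b = "\x1f".join(expected).encode()
        if hmac.compare_digest(a, b):
            self.failures.pop(account, None)
            return "reset-allowed"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"
```

With 2 questions of 10 choices, a 5-attempt lockout still leaves a 1-in-20 chance per account, so the lockout alone does not rescue a 100-combination answer space.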
Friday 22nd April 2016 01:12 GMT Nate Amsden
Haven't logged in yet
United sent me notes they were putting this in place but I thought it was put in place a month ago. Haven't had to log in again yet.
The one that was most scary to me was State Farm. Asking me questions like what street did I live on 30 years ago (I was a young kid, 25 years before I became a customer). The answers were multiple choice. These were records from their databases, they never asked me to set up questions they just asked based on what they knew about me already. Quite startling to me anyway.
I realize insurance companies have a lot of data but did not expect to extend that far back long before I had any accounts under my own name.
Saturday 23rd April 2016 16:14 GMT Anonymous Coward
Already filled it in with rubbish!
Only flown United once, and that was enough. Never again...
Why provide all the pointless lifestyle food options on a flight such as halal, kosher etc., but no longer provide medical need options such as diabetic?
United are without doubt the worst airline, and I included Ryanair in that comparison.
Sunday 24th April 2016 15:04 GMT Michael Wojcik
Haven't done it yet myself...
... and I really can't decide if my United FF miles are worth the hassle.
I used to like United, actually. Despite their consistently terrible showing in user-satisfaction surveys, I'd had better luck with them than with the other US airlines. But really all the airlines (and everything else about air travel) are so terrible that any distinction is almost insignificant, and only on a couple of occasions have I been able to use my miles for travel (and that's the only thing they've been worth using on).