Logging on to United's frequent flyer site might take longer than a flight

United Airlines has renovated the security on its frequent flyer scheme "MileagePlus" by requiring users to answer one of five security questions and enter a password when they log on. The airline sent emails to customers requesting they update their security from weak, short PINs to complex passwords. The new codes require …

  1. peterkin

    Yet another post-it for the underside of the keyboard.

    1. theblackhand

      Re: Post-Its

      If only they asked more security questions than could easily fit under a standard size keyboard...

      United, are your security people listening?

      1. Anonymous Coward

        Re: Post-Its

        Also known as "The desk" after filling in all these questions for all these websites.

      2. Linker3000

        Re: Post-Its

        > United, are your security people listening?

        Nah, they are all stuck in a departures lounge somewhere on their way back from a conference because their flight was delayed/cancelled.

        1. Fatman
          Joke

          Re: Post-Its

          > ...because their flight was delayed/cancelled.

          Especially if they were flying Allegiant

    2. Version 1.0 Silver badge

      It turns out that all those questions are just for the password reset mechanism. I just logged in, answered a couple of the questions and reset my password in less than a minute. I know it looks bad on the face of it but if you have to do it then it's quite simple.

      Of course, I had to look up the answers - they were written down.

    3. Chemical Bob
      Facepalm

      "the underside of the keyboard"

      THAT'S what I'm doing wrong!

  2. Linker3000

    That long eh!?

    So...longer than an 8 hour wait at SFO before your flight to LHR is finally cancelled and you have to fly to Dulles and eventually arrive back home over one day late...and no you can't use our lounge while we dick around trying to work out how to get you home?

    I refuse to fly United now .. all subsequent business flights have been with Virgin Atlantic.

    /bitter? Much!

    1. chivo243 Silver badge
      FAIL

      Re: That long eh!?

      @Linker3000

      I jettisoned United out the airlock back when they lost my frequent flier miles during the merger with Continental. They claimed they sent an email telling me at the time of the merger to check if my miles were intact. No such message arrived...

      There is nothing like a 36 hour dicking around tour of the states, been there done that, late for work by a day...

  3. Dan 55 Silver badge
    Mushroom

    Kill all the security questions now

    I'm not going to put my mother's maiden name in, I can't remember my first pet's name, my favourite colour is a primary or secondary colour like everyone else's. All they do is make passwords easier to crack.

    1. Anonymous Coward

      Re: Kill all the security questions now

      Yes, these should have never been created. Whoever the ignorant person was who first suggested them should be shot.

      I just treat them as alternate passwords, and create nonsense answers for them that I keep in an encrypted file organized by site. It is so easy to find out someone's mother's maiden name, the school they went to etc. that it is criminal to treat that as adding security. In most cases by allowing password resets if you know one such answer you reduce security.

      If the hacker has control of your email it's game over, if they don't they might be able to use social engineering on the company ("it said it sent the password to me but I never got it, I know my ISP has really aggressive spam filters that have blocked other emails I didn't want blocked, but I can't do anything about that, can you help me?")

      1. Anonymous Coward

        Re: Kill all the security questions now

        10000% agree with you on the 'using wrong answers' to stupid questions like mother's maiden name.

        I use my grandma's first name and deliberately spelt wrong. I can remember that easily enough.

        As for my school, I use one that never existed (and no it is not Hogwarts)

        I really don't want to remember my school days. I am probably not alone there. Not a happy time if you were not in the 'In Crowd'.

        1. Jimbo 6
          Windows

          Re: Kill all the security questions now

          WHAT...is your name ?

          WHAT...is your quest ?

          WHAT...is your favourite colour ?

          >> 'Old man from scene 23' icon, natch

          1. FrogsAndChips Silver badge

            Re: WHAT...is your quest ?

            What is the airspeed velocity of an unladen swallow?

            1. BebopWeBop

              Re: WHAT...is your quest ?

              Do they give you an option as to the type of swallow?

        2. Colin Wilson 2

          Re: Kill all the security questions now

          > As for my school, I use one that never existed ( and no it is not Hogwarts)

          St. Custards?

        3. cd

          Re: Kill all the security questions now

          Just use "fuck this" for all of them. Or "united sucks". Easy to remember that way.

    2. brotherelf
      Facepalm

      Re: Kill all the security questions now

      This one's even worse: looking at the screenshot, they've made the answers multiple choice instead of free input? WTF? That's going to get a lot of feature requests along the lines of "please add puce".

  4. The Alphabet

    "Millions of miles have been handed out to researchers in exchange for bugs."

    So they are not actually paying in exchange for bugs, just handing out funbucks because to use those miles requires earning more miles (with them or others) to redeem those miles on United.

    1. Ol'Peculier

      So your reward for finding a bug is flight miles on an airline that most people would pay to avoid.

      Riiiiiight...

      (I'd bundle American into the list of no-go's - the IFE coming back from Chicago last year was a screen in the aisle. Took me back to family holidays in the '80s)

  5. Anonymous Coward

    Really?

    People want to hack into United's site? Why? What value could you derive? Steal my miles? Those are a fiat currency whose value only exists in United's ecosystem, and every transaction is traceable and reversible.

    1. FrogsAndChips Silver badge

      Re: Really?

      Airline miles do have a value on the black market (300,000 airline points for $90 USD, according to Dell's SecureWorks), so some people must have found creative ways to make the transactions not so traceable - guess they don't care about reversibility once they've cashed in the miles.

  6. Version 1.0 Silver badge

    So of course ...

    Everyone has to write down the answers to all these questions on a piece of paper in their wallet or keep a list on their phone. My bet is that they will change this soon as their customer service/support department will be swamped with reset requests from customers who've lost their password and can't remember all the answers to these stupid questions.

    All they need is a strong password. I think they are probably just trying to make it difficult to log in and collect the bug bounties.

  7. John McCallum
    Coat

    When I saw the word United I automatically thought it was about Manchester United

  8. FrogsAndChips Silver badge
    FAIL

    it's worse than I thought

    I did the exercise of setting my security questions/answers.

    I already thought that providing a pre-determined list of answers is a bad idea (even if it protects you from typos), because all crackers need to do is enumerate.

    But then I tried the ‘Forgot my password’ experiment. What they ask in the first place is card number or username, then first and last name, so don’t lose your card and don’t choose an obvious username.

    Then you are presented with 2 (!) questions with a list of 10 (!) possible answers (when setting the answers the list was much longer but they’ve reduced it for the security checks). And voila, password changed!

    So statistically you only need 100 tries, even less with a little bit of guessing (all kids hate Brussels sprouts), to reset a password and take possession of an account.

    Nicely done, guys!
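
Added example, not part of the original comment: the reset flow described above (2 questions, 10 listed answers each) worked through from the site owner's side, to show what an attempt limit on the reset form does and does not buy. The skewed answer-popularity figures and the 5% risk target are constructed assumptions, not United's data.

```python
from itertools import product
from math import prod

def joint_probs(dists):
    """Probability of every answer combination, most likely first."""
    return sorted((prod(c) for c in product(*dists)), reverse=True)

def success_within(attempts, dists):
    """Chance the correct combination is among the `attempts` most likely ones,
    i.e. the takeover risk if the reset form locks after that many tries."""
    return sum(joint_probs(dists)[:attempts])

def expected_guesses(dists):
    """Average number of tries needed when no lockout exists."""
    return sum(rank * p for rank, p in enumerate(joint_probs(dists), start=1))

def max_attempts_for_risk(risk, dists, eps=1e-12):
    """Largest lockout threshold that keeps takeover risk at or below `risk`."""
    total, allowed = 0.0, 0
    for p in joint_probs(dists):
        total += p
        if total > risk + eps:
            break
        allowed += 1
    return allowed

# Two questions, ten listed answers each, every answer equally likely.
UNIFORM = [[0.1] * 10] * 2
# Constructed popularity: a few answers are chosen far more often than others.
SKEW = [0.30, 0.20, 0.15, 0.10, 0.08, 0.06, 0.05, 0.03, 0.02, 0.01]
SKEWED = [SKEW] * 2

if __name__ == "__main__":
    for name, dists in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(f"{name}: risk with 3-try lockout = {success_within(3, dists):.2f}, "
              f"mean tries without lockout = {expected_guesses(dists):.1f}, "
              f"lockout needed for <=5% risk = {max_attempts_for_risk(0.05, dists)}")
```

With the skewed figures no lockout threshold meets the 5% target, because the single most popular answer pair already exceeds it; the fix is free-text answers or dropping the questions, not tighter rate limiting.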

    1. A K Stiles
      Joke

      Re: it's worse than I thought

      HA ha! So my account is secure as I've always loved sprouts!

  9. Nate Amsden

    Haven't logged in yet

    United sent me notes they were putting this in place but I thought it was put in place a month ago. Haven't had to log in again yet.

    The one that was most scary to me was State Farm. Asking me questions like what street did I live on 30 years ago (I was a young kid, 25 years before I became a customer). The answers were multiple choice. These were records from their databases, they never asked me to set up questions they just asked based on what they knew about me already. Quite startling to me anyway.

    I realize insurance companies have a lot of data but did not expect to extend that far back long before I had any accounts under my own name.

  10. Anonymous Coward

    Already filled it in with rubbish!

    Only flown United once, and that was enough. Never again...

    Why provide all the pointless lifestyle food options on a flight such as halal kosher etc, but no longer provide medical need options such as diabetic?

    United are without doubt the worst airline, and I included Ryanair in that comparison.

  11. Michael Wojcik Silver badge

    Haven't done it yet myself...

    ... and I really can't decide if my United FF miles are worth the hassle.

    I used to like United, actually. Despite their consistently terrible showing in user-satisfaction surveys, I'd had better luck with them than with the other US airlines. But really all the airlines (and everything else about air travel) are so terrible that any distinction is almost insignificant, and only on a couple of occasions have I been able to use my miles for travel (and that's the only thing they've been worth using on).
