Pay Attention to United’s New MileagePlus Account Security By Thursday

United suffered a significant data hack at the end of 2014. Miles are regularly for sale on the Darknet. So IT security is something that many programs are doing more than paying lip service to. Hilton even gave out points for changing your password.

I’ve seen this header at the top of my United MileagePlus account for a while and pretty much ignored it. Perhaps you’ve logged into yours, gotten a notice about a password or security questions, and ignored it too. I talked to United about it, and they gulped a bit that I’ve been ignoring it, like millions of other MileagePlus members. It’s time to stop ignoring it.

United is Implementing New Account Security Procedures This Week

United has new account security processes going live overnight this Thursday. Starting Friday, if you haven’t set up security questions you won’t be able to log in without doing so first.

I spoke with Arlan McMillan, United’s Chief Information Security Officer and Ben Vaughn, the airline’s Director of IT Security Intelligence about the changes to account access.

Some of the challenges they identified:

  • The biggest account access issue they’ve identified is keystroke logging malware. Whatever you type, the attacker sees, whether it’s account numbers, passwords or typed answers to security questions. This is apparently more common than you’d expect.

  • Two-factor authentication, logging in with more than just your password, is an important control. But a global airline can’t rely on sending you a text message: you may be trying to access your account while inflight. (Texts are also no longer considered a best practice for two-factor authentication.)

  • Customers interact with the airline in myriad languages.

One of my checking accounts sends me a passcode via text when I log in for the first time from a new computer. Another checking account makes me type in the answer to a challenge question. I hate that because I have to remember the answer exactly, including capitalization. Neither of those methods works for United.

All things considered, I think they have some reasonably clever solutions for providing good account authentication while minimizing inconvenience to customers. Of course we’ll see whether it plays out that way once customers start having to use these questions to access their accounts on Friday.

Security Verification Questions — the Easy Dropdown Box Way

Back in February United started asking customers to create strong passwords for their accounts and to answer a set of 5 questions, choosing each answer from a drop-down list. Starting Friday, 4-digit PINs will no longer be used at all, and customers will have to answer their challenge questions the first time they log in. If you haven’t set up challenge questions, you’ll have to do that before proceeding. When you answer the challenge questions, if you check the box for United.com to remember you, you won’t have to do it again for quite some time, unless you try to log in from a different computer or browser.

Offering questions and answers in the form of a drop-down seems like a good solution. There are no issues with remembering exact answers or capitalization. Typing free-form answers to questions is terrible.

But some of the questions United is using are really hard to answer.

Here’s the problem I faced:

  • I don’t really have a favorite musical instrument. Which instrument I play is also an option, but there’s no answer “I do not play an instrument.”

  • And what was the first major city I visited? I was born outside Miami, but I soon moved to a suburb of New York. Do those count, since I lived just outside the city and would have entered each city first — or is it my first ‘trip’ that counts? There’s not a ‘right’ answer, so I have to just remember which answer I picked.

  • I can’t really say that my favorite type of reading is blogs (cough) because that’s too easy for a reader looking to drain all my miles to guess.


(Screenshot caption: Not what I selected.)

Different people get asked different questions. I’d have an easier time with my favorite pizza topping (they think they’re funny, they list mashed potatoes as a topping) and favorite dog breed (but again I shouldn’t use that since I’ve written about my dog here).

I asked how United came up with specific questions, like your favorite sea animal. Does anyone have a favorite sea animal, other than maybe to eat?

Vaughn shared that they selected security questions they felt would be memorable or speak to deep preferences, things “rooted in time like the color of your house as a child.”

You pick your correct answer but don’t need to remember it exactly, since you never type it in. You’ll be presented with the answer you chose along with 9 false answers. You pick from those 10, and really just need to remember which of the 10 is most right, or put another way, which ones you wouldn’t have chosen.

You’ll “get used to seeing your answer in the field of 10” so it will be easier and easier to log into your account.

They think the combination of account numbers, passwords, and challenge questions provides the best match of security and customer experience. If someone hacks another site, your username and password there won’t help them get into your MileagePlus account (assuming, of course, you don’t reuse the same password). And even hacking another site’s security questions won’t be a match for United’s, since United’s answers are drop-down selections rather than the free-form text you typed elsewhere.

If you forget the answers anyway, you can reset them. United requires two factors of authentication and will accept any two of the following four to let you into your account: your password, the presence of an encrypted cookie (set after answering security questions and telling the site to remember you), answers to your security questions, and access to the email account on file. United will be able to send you an email with a link to reset your questions.

Questions and answers are encrypted, can’t be searched, and won’t be used for marketing so United thinks they’ll be stored securely — and they continue to be proud of their bug bounty program that has put hackers to work solving United’s security challenges.

Account Security is a Minor Pain, But It’s Worth It

Overnight on Thursday the 11th, all customer-facing and employee-facing applications will transition to this new requirement. Each will be updated sometime between 11pm and around 6am. At that time 4-digit PINs will be removed from the system.

To do anything with your account you’ll be asked challenge questions, whether at the airport or over the phone. You won’t give any agent your password. When you deal with United’s automated phone system you’ll be asked to speak only the first 5 characters of your password. Worth keeping in mind: those five characters become a separately verifiable secret, and anyone within earshot when you say them learns a prefix of your password.

One thing this enables is higher security for any reservation that has your MileagePlus number in it. When a customer contacts United to make a transaction, the agent hits an authenticate button and the customer answers challenge questions before anything is changed.

I have to worry about sharing too much on my blog about the specifics of future trips I’m taking, there are readers who would wreak havoc on my reservations for fun. That happened to Lucky. But lots of people worry about keeping their travel private, think a divorcing spouse with a protective order.

What I Wish United Would Do to Improve Security

I believe the best account security comes from something United doesn’t currently allow – mileage tracking sites like Award Wallet updating a member’s account balances.

One click, you see any change in your balances across all of your programs. So you know right away whenever points have been drained, rather than waiting weeks or a month to log in when an illegitimately-redeemed trip may have already been flown. And seeing new miles post right away reinforces engagement with the program as well.

I asked about this and United said they weren’t comfortable with customers having to share authentication information with third-party sites. I pointed out that AwardWallet has an option where the credentials are stored locally on the member’s computer, never touching AwardWallet’s servers. Their rejoinder was that this information could then be recovered by malware.

When I pointed out that they allowed UsingMiles to continue tracking balances they then suggested that sites with “a commercial partnership” or that access United accounts in “an unobtrusive fashion” might be allowed.

What You Need to Do Now

If you haven’t set your account security questions yet, set them the next time you log into your MileagePlus account.

Everyone will have to answer 2 of their 5 security questions the first time they log in at the end of the week.

If you’re accessing United.com from a device you own, check the box to remember your device. After that you’ll need only your MileagePlus number and password, because a secure cookie with a lengthy expiration will be set in your browser.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel, a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.

Comments

  1. The drop down questions are extremely insecure. I was able to reset my mother’s password without her intervention (but with her consent to access her account). It didn’t require an e-mail to the registered e-mail with a link, even. I just knew the security question answers (because they are obvious and very limited in number) and I was in. Thus, anyone who knows you somewhat well and knows your MileagePlus number can compromise your account.

    I get the concern about keyloggers but I expect they’ll have more security issues now than before.

  2. One business that I use – which shall remain nameless – has a security question that constantly stumps me when I try to use their site, which I do not use frequently. It is “Who was your worst boss?”. As someone who has been in the workforce for a couple of decades, I struggle to remember 1) which one, and 2) did I answer with their first name, last name, or both?!?!? It usually takes me a couple of tries to get it right.

  3. All of these challenge questions are bad form. Lots of them can be answered for many people simply by googling their name, looking at their Facebook profile, etc.

    When forced to answer these sorts of questions the best practice is to LIE. Make up a random answer. Write it down in something like LastPass (or 1Password or ….). Don’t answer the questions truthfully.

    A better answer would have been to use a two-factor security token like AwardWallet supports. Something like Authy/Google Authenticator or whatever. There are apps for almost any platform. And no they don’t require a text message.

  4. What I wish is that it would just keep me signed in on my computer and then only require verification when I went to purchase a ticket or change something. This is how it previously worked, and allowed me to check my balances or check a fare (in expert mode) without signing in every time I went to United.com

  5. Didn’t anyone tell United that IF the problem is keystroke logging software, then switching from a PIN to a challenge question is no help at all. The keystroke logging software simply logs the answer to the question.

    From a security standpoint, the LAST thing I would want would be to have to answer my challenge questions every time. BofA tried that a few years ago and backed off.

    BTW, not that anyone needed another reason, but this is another reason to use your miles and not to keep “banking” them.

  6. I was finally hit with the 5 question security issue and had a long talk with their rep. Like someone mentioned above, I never tell a true answer, as airline security is lousy to begin with and they have no business anyway to know my true personal data. But with the pull-down answers I can’t easily lie (and remember *their* stupid answers), so I will be quitting using United and cancelling their credit card.

    Idiots deserve to go broke.

    And the argument that two-factor identification is not secure is a plain lie. It is MUCH MORE secure than using email for resetting a password. ANYBODY can intercept and fake emails, but it is much harder to intercept a text message to a phone. Organizations much smarter than the idiots at United use it.
