United suffered a significant data breach at the end of 2014, and stolen miles are regularly offered for sale on the darknet. So account security is something many loyalty programs are now doing more than paying lip service to. Hilton even gave out points for changing your password.
I’ve seen this header at the top of my United MileagePlus account for a while and pretty much ignored it. Perhaps you’ve logged into yours, gotten a notice about a password or security questions and ignored it too. I talked to United about it — they gulped a bit that I’ve been ignoring it, like millions of other MileagePlus members. And it’s time to stop ignoring it.
United is Implementing New Account Security Procedures This Week
United’s new account security processes go live overnight this Thursday. If you haven’t set up security questions by then, come Friday you won’t be able to log in until you do.
I spoke with Arlan McMillan, United’s Chief Information Security Officer and Ben Vaughn, the airline’s Director of IT Security Intelligence about the changes to account access.
Some of the challenges they identified:
- The biggest account access issue they’ve identified is keystroke logging malware. Whatever you type, the attacker also sees, whether it’s account numbers, passwords or typed answers to security questions. This is apparently more common than you’d expect.
- Two-factor authentication, logging in with something beyond your password, matters. But a global airline can’t rely on sending you a text message; you may be trying to access your account while inflight. (SMS codes are also no longer considered a best practice for two-factor authentication.)
- Customers interact with the airline in myriad languages.
One of my checking accounts sends me a passcode via text when I log in for the first time from a new computer. Another checking account makes me type in the answer to a challenge question. I hate that because I have to remember the answer exactly – including capitalization. Neither of those methods works for United.
All things equal I think they have some reasonably clever solutions to providing good account authentication while minimizing inconvenience to customers. Of course we’ll see whether it plays out that way once customers start having to use these questions to access their accounts on Friday.
Security Verification Questions — the Easy Dropdown Box Way
Back in February United started asking customers to create strong passwords for their accounts and to answer a set of 5 questions from a drop-down list of answers. Starting Friday, 4-digit PINs will no longer be used at all, and customers will have to answer their challenge questions the first time they log in. If you haven’t set up challenge questions, you’ll have to do that before proceeding. If you check the box for United.com to remember you when you answer them, you won’t be asked again for quite some time, unless you log in from a different computer or browser.
Offering answers in a drop-down seems like a good solution. There are no issues with remembering exact wording or capitalization, and nothing is typed for a keylogger to capture. Typing free-form answers to questions is terrible.
But some of the questions United is using are really hard to answer.
Here’s the problem I faced:
- I don’t really have a favorite musical instrument. Which instrument I play is also an option, but there’s no answer “I do not play an instrument.”
- And what was the first major city I visited? I was born outside Miami, but I soon moved to a suburb of New York. Do those count, since I lived just outside the city and would have entered each city first — or is it my first ‘trip’ that counts? There’s not a ‘right’ answer, so I have to just remember which answer I picked.
- I can’t really say that my favorite type of reading is blogs (cough) because that’s too easy for a reader looking to drain all my miles to guess.
Not what I selected.
Different people get asked different questions. I’d have an easier time with my favorite pizza topping (they think they’re funny, they list mashed potatoes as a topping) and favorite dog breed (but again I shouldn’t use that since I’ve written about my dog here).
I asked how United came up with specific questions, like your favorite sea animal. Does anyone have a favorite sea animal, other than maybe to eat?
Vaughn shared that they selected security questions they felt would be memorable or speak to deep preferences, things “rooted in time like the color of your house as a child.”
You pick your answer but don’t need to remember it exactly, since you never type it in. At login you’ll be presented with the answer you chose alongside 9 decoys. You pick from those 10, and really just need to recognize which of the 10 is most right, or, put another way, which nine you wouldn’t have chosen. The flip side is that a blind guess has a 1 in 10 chance per question, or 1 in 100 across the two questions asked at login, so this step only holds up if repeated failures are throttled or locked out.
You’ll “get used to seeing your answer in the field of 10” so it will be easier and easier to log into your account.
They think the combination of account numbers, passwords, and challenge questions provides the best match of security and customer experience. If someone breaches another site, the username and password stolen there won’t be enough on their own to get into your MileagePlus account, and even answers stolen from another site’s security questions won’t match United’s drop-down ones.
If you forget the answers anyway, you can reset them. United requires two of four factors and will accept any two to let you into your account: your password, the presence of an encrypted cookie (set after answering security questions and telling the site to remember you), the answers to your security questions, and access to the email account on file. United can send you an email with a link to reset your questions.
Questions and answers are stored encrypted, can’t be searched, and won’t be used for marketing, so United believes they are stored securely; and they continue to be proud of their bug bounty program, which has put hackers to work solving United’s security challenges.
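To make the mechanism concrete, here is an added example in Python, my code and not United’s, of how a server can enroll drop-down answers, build a 10-option challenge for 2 of the 5 questions, verify the responses, and limit blind guessing. The option pools, the server-side key, the five-failure lockout threshold and all function names are constructed for illustration; the article doesn’t describe United’s storage format or attempt limits.

```python
import hashlib
import hmac
import random
import secrets

# Constructed option pools for illustration (not United's real lists). Each
# needs at least 10 entries so a chosen answer can be shown beside 9 decoys.
OPTION_POOL = {
    "favorite pizza topping": ["pepperoni", "mushroom", "black olives", "onion",
                               "sausage", "pineapple", "spinach", "anchovies",
                               "mashed potatoes", "green pepper", "bacon", "ham"],
    "favorite dog breed": ["labrador", "poodle", "beagle", "bulldog", "boxer",
                           "dachshund", "husky", "corgi", "greyhound", "pug",
                           "collie", "shih tzu"],
    "favorite sea animal": ["dolphin", "octopus", "shark", "sea turtle", "whale",
                            "seahorse", "manta ray", "jellyfish", "seal",
                            "lobster", "crab", "squid"],
    "color of your childhood house": ["white", "grey", "blue", "yellow", "red",
                                      "green", "brown", "beige", "pink", "black",
                                      "tan", "orange"],
    "favorite type of reading": ["novels", "biographies", "history", "science",
                                 "poetry", "comics", "newspapers", "magazines",
                                 "blogs", "travel", "cookbooks", "mysteries"],
}

QUESTIONS_PER_LOGIN = 2   # the article: 2 of the 5 enrolled questions
OPTIONS_SHOWN = 10        # the article: the chosen answer plus 9 decoys
MAX_FAILURES = 5          # assumed lockout threshold; the article states none


def _tag(key: bytes, salt: bytes, question: str, answer: str) -> bytes:
    """Keyed digest of one answer. A plain hash would not do here: with a dozen
    options per question a stolen table is brute-forced offline in microseconds,
    so the server-side key is what keeps the stored answers unsearchable."""
    msg = salt + question.encode() + b"\0" + answer.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def enroll(key: bytes, chosen: dict) -> dict:
    """Record a member's five chosen answers as keyed digests, never plaintext."""
    if len(chosen) != 5 or any(a not in OPTION_POOL[q] for q, a in chosen.items()):
        raise ValueError("five questions must be enrolled with answers from the pool")
    salt = secrets.token_bytes(16)
    tags = {q: _tag(key, salt, q, a) for q, a in chosen.items()}
    return {"salt": salt, "tags": tags, "failures": 0}


def _stored_answer(key: bytes, record: dict, question: str) -> str:
    """Only the holder of the server key can recover which pool entry was chosen."""
    for answer in OPTION_POOL[question]:
        if hmac.compare_digest(_tag(key, record["salt"], question, answer),
                               record["tags"][question]):
            return answer
    raise LookupError("enrolled answer is not in the option pool")


def build_challenge(key: bytes, record: dict, seed=None) -> dict:
    """Pick 2 of the 5 enrolled questions and show each as 10 shuffled options,
    the chosen answer among 9 decoys. `seed` exists only for reproducible tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    challenge = {}
    for question in rng.sample(sorted(record["tags"]), QUESTIONS_PER_LOGIN):
        correct = _stored_answer(key, record, question)
        decoys = [a for a in OPTION_POOL[question] if a != correct]
        options = rng.sample(decoys, OPTIONS_SHOWN - 1) + [correct]
        rng.shuffle(options)
        challenge[question] = options
    return challenge


def verify(key: bytes, record: dict, responses: dict) -> bool:
    """Pass only if every asked question is answered correctly. Failures are
    counted and the record locks, because a blind guess succeeds 1 time in 100."""
    if record["failures"] >= MAX_FAILURES:
        return False
    if len(responses) != QUESTIONS_PER_LOGIN:
        record["failures"] += 1
        return False
    ok = True
    for question, answer in responses.items():
        expected = record["tags"].get(question)
        if expected is None or not hmac.compare_digest(
                _tag(key, record["salt"], question, answer), expected):
            ok = False   # keep checking the rest so timing doesn't say which failed
    if not ok:
        record["failures"] += 1
        return False
    record["failures"] = 0
    return True


def guess_probability(options_shown=OPTIONS_SHOWN, questions=QUESTIONS_PER_LOGIN) -> float:
    """Chance that one blind attempt passes; the reason an attempt limit matters."""
    return 1.0 / options_shown ** questions
```

The point of the keyed digest is the small answer space: a plain hash of “pepperoni” is recovered from a leaked table instantly, whereas a digest under a key the database never sees is not, which is roughly what “encrypted, can’t be searched” has to mean in practice. The lockout counter is what turns the 1-in-100 odds of a blind attempt into something an attacker can’t simply iterate.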
Account Security is a Minor Pain, But It’s Worth It
Overnight on Thursday the 11th, all customer-facing and employee-facing applications will transition to this new requirement. Each will be updated sometime between 11pm and around 6am. At that time 4-digit PINs will be removed from the system.
To do anything with your account you’ll be asked challenge questions, whether at the airport or over the phone. You won’t give any agent your password. When you deal with United’s automated phone system you’ll be asked to speak only the first 5 characters of your password.
One consequence is that any reservation with your MileagePlus number in it gets the higher level of security: when a customer contacts United to make a transaction, the agent hits an authenticate button and the customer has to pass the challenge questions before anything is changed.
I have to worry about sharing too much on my blog about the specifics of future trips I’m taking, since there are readers who would wreak havoc on my reservations for fun. That happened to Lucky. But lots of people worry about keeping their travel private; think of a divorcing spouse with a protective order.
What I Wish United Would Do to Improve Security
I believe the best account security comes from something United doesn’t currently allow – mileage tracking sites like Award Wallet updating a member’s account balances.
One click, you see any change in your balances across all of your programs. So you know right away whenever points have been drained, rather than waiting weeks or a month to log in when an illegitimately-redeemed trip may have already been flown. And seeing new miles post right away reinforces engagement with the program as well.
I asked about this and United said they weren’t comfortable with customers having to share authentication information with third party sites. I pointed out that AwardWallet has an option where the information is stored locally on the member’s computer, never touching their own servers. Their rejoinder was that this information could then be recovered by malware.
When I pointed out that they allowed UsingMiles to continue tracking balances they then suggested that sites with “a commercial partnership” or that access United accounts in “an unobtrusive fashion” might be allowed.
What You Need to Do Now
If you haven’t set your account security questions yet, set them the next time you log into your MileagePlus account.
Starting at the end of the week, everyone will have to answer 2 of their 5 security questions the first time they log in.
If you’re accessing United.com from a device you own, check the box to remember your device; a secure cookie with a long expiration will be set, and from then on you’ll need only your MileagePlus number and password. Don’t check it on a shared or public computer, since whoever holds that cookie skips the challenge questions.
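As an added example, my code and not United’s, of the server side of that remember-me cookie: a device token bound to one member and one device, signed with a server-side key and carrying an expiry, so a cookie copied to another device, edited, or past its lifetime fails the check and the challenge questions are asked again. The cookie name, the 180-day lifetime, the field names and the helper names are all assumptions; the article only says a secure cookie with a lengthy expiration is set.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

COOKIE_TTL_DAYS = 180   # assumed "lengthy expiration"; the article gives no figure


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_remember_cookie(key: bytes, member_id: str, device_id: str, now=None) -> str:
    """Mint a device token bound to one member and one device, signed with a
    server-side key so the client can neither mint its own nor extend the expiry."""
    issued = int(now if now is not None else time.time())
    payload = {"m": member_id, "d": device_id,
               "exp": issued + COOKIE_TTL_DAYS * 86400,
               "n": secrets.token_hex(8)}   # nonce so repeat issuance differs
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def check_remember_cookie(key: bytes, cookie: str, member_id: str,
                          device_id: str, now=None) -> bool:
    """True only if the signature verifies, the token names this member and this
    device, and it hasn't expired. Any failure means: ask the challenge questions."""
    try:
        body, sig = cookie.encode().split(b".")
    except ValueError:
        return False
    expected = _b64(hmac.new(key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # verify before trusting the payload
        return False
    payload = json.loads(_unb64(body))
    current = now if now is not None else time.time()
    return (payload.get("m") == member_id and payload.get("d") == device_id
            and current < payload.get("exp", 0))


def set_cookie_header(cookie: str) -> str:
    """Secure keeps it off plaintext HTTP; HttpOnly keeps it away from page scripts."""
    return (f"Set-Cookie: mp_device={cookie}; Max-Age={COOKIE_TTL_DAYS * 86400}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```

The signature is checked before the payload is parsed, so a forged or edited body never reaches the JSON decoder; binding the token to a device identifier is what stops the same cookie being replayed from a different machine, and the Secure and HttpOnly attributes are what keep it from being read off the wire or by injected script.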