Suspended MP Accounts / Username Access Disabled / 3rd Party Security Breach-Dec 2014

Old Jan 26, 2015, 2:21 pm
  #121  
 
Join Date: Mar 2013
Posts: 363
Why is it now that I can't log on to MP accounts using user names?
I help book flights for 7/8 members of my family.
How the hell does UA expect me to remember all their acct numbers?
Has this glitch been there, or is it something new?
Thanks
Keller281 is offline  
Old Jan 26, 2015, 2:24 pm
  #122  
 
Join Date: Dec 2009
Location: New York, NY
Programs: Hyatt GLOB, Marriott Lifetime PLT, UA 1K 1MM.
Posts: 1,728
The UA and AA customer usernames were compromised a few weeks ago, so they turned it off in response.

http://consumerist.com/2015/01/12/th...rips-upgrades/

seemed reasonable to me.
bob_the_d is offline  
Old Jan 26, 2015, 2:43 pm
  #123  
 
Join Date: Mar 2013
Posts: 363
Thanks...I've been going bonkers trying to find their FF acct nbrs...

UA even blanked them out when I go into their saved profiles in my account.
Guess I have to find an easier way to have access to their accts then.
Thanks again.
Keller281 is offline  
Old Feb 18, 2015, 7:46 pm
  #124  
 
Join Date: Apr 2014
Posts: 409
UA website - remove PIN?

I only recently noticed that one can log in to the UA website with the 4 digit PIN I was forced to create. A 4 digit password is pretty absurd. Is it possible to require the 'full' password that I have on my account for logging into the site?
PackingIt is offline  
Old Feb 18, 2015, 7:53 pm
  #125  
FlyerTalk Evangelist
 
Join Date: May 2007
Location: Houston
Programs: UA Plat, Marriott Gold
Posts: 12,651
Nope!

mduell is offline  
Old Feb 18, 2015, 7:53 pm
  #126  
 
Join Date: Jan 2013
Location: BOS
Programs: Hyatt Discoverist, Marriott/SPG/Hilton Gold, PreCheck + Clear
Posts: 2,306
Originally Posted by PackingIt
I only recently noticed that one can log in to the UA website with the 4 digit PIN I was forced to create. A 4 digit password is pretty absurd. Is it possible to require the 'full' password that I have on my account for logging into the site?
No, both password and PIN are always enabled at present.

On the plus side, the website is designed not to allow brute force guessing, so it's not as if someone could run a simple script to log into your account. Still, I'm with you in hoping PINs are removed from the new site when it launches later this year.
RandomBaritone is offline  
Old Feb 18, 2015, 8:48 pm
  #127  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.99MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,581
Originally Posted by Eric Westby
.... Still, I'm with you in hoping PINs are removed from the new site when it launches later this year.
PINs make sense as a proof of identity to an agent but should never be used to access your account via the web.
WineCountryUA is offline  
Old Feb 18, 2015, 9:05 pm
  #128  
 
Join Date: Apr 2014
Posts: 409
In this day and age, you'd think large companies would be a bit more security conscious.

Originally Posted by WineCountryUA
PINs make sense as a proof of identity to an agent but should never be used to access your account via the web.
PackingIt is offline  
Old Feb 19, 2015, 12:17 am
  #129  
 
Join Date: Jan 2006
Posts: 134
Originally Posted by Eric Westby
No, both password and PIN are always enabled at present.

On the plus side, the website is designed not to allow brute force guessing, so it's not as if someone could run a simple script to log into your account. Still, I'm with you in hoping PINs are removed from the new site when it launches later this year.
Compromised accounts come from brute-forcing or password lists against an offline copy of the accounts database, usually acquired through some other exploit.
So while no one is attacking your account with the live United system (and getting locked out), if anyone gets the password tables (even if hashed and salted), PINs are trivial to break.
And most companies like to not disclose unauthorized access to these credentials.
Four-digit credentials are terrible. Period.
Kingston is offline  
Old Feb 19, 2015, 7:47 am
  #130  
FlyerTalk Evangelist
 
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,866
Originally Posted by Kingston
Compromised accounts come from brute forcing or password lists against an offline copy of the accounts database usually acquired through some other exploit.
So while no one is attacking your account with the live United system (and getting locked out), if anyone gets the password tables (even if hashed and salted) pins are trivial to break.
And most companies like to not disclose unauthorized access to these credentials.
Four digit credentials are terrible. Period.
If someone has a list of passwords and PINs, what's the difference?

Since about three failed login attempts locks the account, the hysteria regarding PINs seems a tad overblown.
Bonehead is offline  
Old Feb 19, 2015, 8:53 am
  #131  
FlyerTalk Evangelist
 
Join Date: Oct 2006
Location: SFO/SJC
Programs: UA Silver, Marriott Gold, Hilton Gold
Posts: 14,855
Originally Posted by Bonehead
If someone has a list of passwords and PINs, what's the difference?

Since about three failed login attempts locks the account, the hysteria regarding PINs seems a tad overblown.
This. Add to that the attack that happened to UA (& AA), from everything I've read, was a result of not one but two items tied together. First was the hacking of a third-party site and second, user stupidity for using the exact same username/password combo, which were tried on the UA/AA sites with some success. UA's use of PINs had nothing to do with this, and a lack of them wouldn't have helped either.

Security experts for years have been telling people not to use the same passwords on multiple sites, but many don't listen because they want something that makes it as easy as possible for them. But this also leads to insecure accounts. I use a simple password manager. It's both an easy and cheap solution that I argue everybody should be using if they value the security of their accounts.
emcampbe is offline  
Old Feb 19, 2015, 9:55 am
  #132  
 
Join Date: Jan 2006
Posts: 134
Originally Posted by Bonehead
If someone has a list of passwords and PINs, what's the difference?

Since about three failed login attempts locks the account, the hysteria regarding PINs seems a tad overblown.
They don't have a list of passwords and PINs. That would assume that passwords and PINs are stored in plain text in database tables, which is not the standard.
They get access to the customer database through an exploit. That database has hashed (not plain text) versions of the passwords and/or PINs. That's how most companies store credentials: a username associated with a hashed credential.
They can try billions of combinations (quite easily and quite quickly) offline until they match the hash. Then they can go online and get access.
They're not sitting on united.com guessing PINs. When they go to united.com they already have your PIN because they did their guessing offline.

It's like someone wants to make a copy of your house key.
If they walk up to your front door and start trying different keys, they'll get caught quickly.
Instead they get a copy of what your lock is like. They can then try every combo of key until one opens the lock.
Then when they come up to the front door they don't attract attention or get locked out.
That's basic password cracking (multiply this out by millions of users). The length and complexity of that password determines how difficult it is to brute-force it.
A four-digit numeric password (the PIN) can be brute-forced in seconds.
Kingston is offline  
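The offline attack Kingston describes above, put next to the three-strike lockout Bonehead mentions, as an added worked example. This is not United's code and was not posted by anyone in the thread: the storage scheme (salted PBKDF2-HMAC-SHA256), the two-user "leaked" table, the PINs, the work factor and the lockout threshold are all constructed assumptions for illustration.

```python
"""Offline cracking of salted 4-digit PIN hashes versus online guessing.

Added example for this thread; not United's code and not from any poster.
The storage scheme (salted PBKDF2-HMAC-SHA256), the two-user 'leaked'
table, the PINs and the 3-strike lockout rule are constructed assumptions.
"""
import hashlib
import os
import time

# Assumed work factor. Kept low so the demo runs in seconds; a production
# value would be ~100x higher but still leaves a 10^4 space crackable in
# minutes on a single CPU, because the space, not the hash, is the limit.
ITERATIONS = 500

# Constructed plaintexts. The 'site' never stores these, only their hashes.
PINS = {"alice": "3172", "bob": "0007"}


def hash_credential(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash of a password or PIN (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def build_store() -> dict:
    """Constructed copy of a leaked credentials table: user -> (salt, hash).
    A per-user random salt defeats precomputed (rainbow) tables; it does not
    shrink the number of candidates an attacker has to try per user."""
    store = {}
    for user, pin in PINS.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_credential(pin, salt))
    return store


def crack_pins(store: dict) -> dict:
    """Offline attack: enumerate every 4-digit PIN against each user's hash.
    Nothing here touches the live site, so no lockout counter is involved."""
    found = {}
    for user, (salt, target) in store.items():
        for candidate in range(10_000):
            pin = f"{candidate:04d}"
            if hash_credential(pin, salt) == target:
                found[user] = pin
                break
    return found


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every credential of the given shape at a given rate."""
    return alphabet_size ** length / guesses_per_sec


class OnlineLogin:
    """Model of the live site's login: MAX_FAILURES wrong guesses lock the account.
    This is what stops online guessing; it is irrelevant to the offline attack."""

    MAX_FAILURES = 3  # assumed, matching the 'about three attempts' in the thread

    def __init__(self, store: dict):
        self.store = store
        self.failures = {}
        self.locked = set()

    def attempt(self, user: str, guess: str) -> str:
        if user in self.locked:
            return "locked"
        salt, target = self.store[user]
        if hash_credential(guess, salt) == target:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
        return "fail"


if __name__ == "__main__":
    store = build_store()

    # 1. Online guessing from 0000 upward hits the lockout on the fourth try.
    site = OnlineLogin(store)
    print([site.attempt("alice", f"{i:04d}") for i in range(4)])

    # 2. Offline, the whole 10^4 space is exhausted with no lockout at all.
    t0 = time.perf_counter()
    found = crack_pins(store)
    elapsed = time.perf_counter() - t0
    guesses = sum(int(p) + 1 for p in found.values())  # guesses actually made
    rate = guesses / elapsed
    print(f"cracked {found} in {elapsed:.2f}s ({rate:,.0f} guesses/s)")

    # 3. The attacker then logs in once, with the right PIN, and is never locked.
    print(OnlineLogin(store).attempt("alice", found["alice"]))

    # 4. Same hash, same rate, 12 random printable ASCII characters (94^12).
    print(f"{seconds_to_exhaust(94, 12, rate):.1e}s to exhaust a 12-char random password")
```

The point of the last line is the one the thread is circling: the lockout only changes the cost of guessing against the live site, while an attacker with the table pays the offline cost, and for a four-digit PIN that cost is bounded by 10,000 hash computations per user no matter how the hash is salted.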
Old Feb 19, 2015, 10:27 am
  #133  
FlyerTalk Evangelist
 
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,866
Originally Posted by Kingston
...They get access to the customer database through an exploit. That database has hashed (not plain text) versions of the passwords and/or pins. That's how most companies store credentials. A username associated with a hashed credential.
They can try billions of combinations (quite easily and quite quickly) offline until they match the hash. Then they can go online and get access.
They're not sitting on united.com guessing PINs. When they go to united.com they already have your pin because they did their guessing offline....
Ok, but as it has been pointed out, users don't use their MP# on any other sites. The trouble likely stems from folks having a username/password to access their UA accounts that is the same as the combination that they use on numerous other sites. The MP#/PIN is therefore potentially much safer from hacks on other sites that would yield troves of usernames and passwords.
Bonehead is offline  
Old Feb 19, 2015, 12:52 pm
  #134  
 
Join Date: Jan 2006
Posts: 134
Originally Posted by Bonehead
Ok, but as it has been pointed out, users don't use their MP# on any other sites. The trouble likely stems from folks having a username/password to access their UA accounts that is the same as the combination that they use on numerous other sites. The MP#/PIN is therefore potentially much safer from hacks on other sites that would yield troves of usernames and passwords.
There are two issues here:
Users using the same user/password for multiple sites: doesn't impact me, I don't do that.

United using a 4 digit number to allow access to an account: I care, because that directly impacts me. This is my problem with their security.

When (not if) United gets their customer database taken, everybody's accounts will be accessible.
If they used real security (like requiring a real password and disallowing PINs), only people who chose poor passwords would get compromised.
Those that chose properly random string passwords would be unaffected.

There's a reason no online bank lets you login with just your ATM PIN.
Kingston is offline  
Old Feb 19, 2015, 2:52 pm
  #135  
 
Join Date: Jan 2013
Location: BOS
Programs: Hyatt Discoverist, Marriott/SPG/Hilton Gold, PreCheck + Clear
Posts: 2,306
Originally Posted by Kingston
If they used real security (like requiring a real password and disallowing PINs), only people who chose poor passwords would get compromised.
Those that chose properly random string passwords would be unaffected.

There's a reason no online bank lets you login with just your ATM PIN.
Well said. PINs have no business as password proxies.
RandomBaritone is offline  
