Security issue? App saves AA# + last name; browser saves last name + PW, need all 3
Does anyone else besides me find it could kind of be a security issue the way AA.com and the AA app remember different pieces of the 3 login items you need to get right?

AA.com saves last name and password; the AA app saves AA number and last name. If someone lost or was away from their phone and laptop, I would think they'd easily have their account hacked by opening up AA.com and the AA app: get the AA number, put it into AA.com, and you're in. I'm no IT developer, but shouldn't the two methods of accessing our accounts not provide the answers for each other? It has always struck me as odd ever since they added the 3rd field to log into AA.com.

Mods: seems like this could go in the premerger AA forum, now locked, in the thread "New AA.com account interface", but since it's locked, I started a new thread in the combined airline forum; move if appropriate.
aa.com saves last name and AA number. So does the app. What do you mean?
My aa.com doesn't save my AA number, only my LAST NAME and PASSWORD; the AA number field is always blank.
On my app, it saves my AA number and LAST NAME, but not my password. Maybe it's a browser thing? Using Chrome. It's 2 out of 3 things, but 2 different things saved between the two ways of logging in. Does that make sense the way I'm explaining it? Sorry if it sounds confusing.
Originally Posted by LovePrunes
(Post 25725619)
My aa.com doesn't save my AA number, only my LAST NAME and PASSWORD; the AA number field is always blank.
On my app, it saves my AA number and LAST NAME, but not my password. Maybe it's a browser thing? Using Chrome. It's 2 out of 3 things, but 2 different things saved between the two ways of logging in. Does that make sense the way I'm explaining it? Sorry if it sounds confusing.
Aha, browser, then.
I hadn't told it to save all 3 items on either the app or on AA.com, so I found it weird that 2 out of 3 were being saved, but in different groupings, allowing someone to know all 3 if they ever got into both phone and computer. Thanks for the input. Even though I lock my phone and computers, the behavior still seems sketchy to me.
...And last name was not added as a security feature anyway -- it's just there to de-dupe between the legacy AAdvantage numbers and the Sabre-generation Dividend Miles numbers, since the site is responsive to both credentials.
Definitely a browser/end user issue. You could always turn off the remember me function and be safe. Or, as mentioned, password protect the device. But I can't imagine anyone who steals my phone or laptop really wants into my AAdvantage account that bad.
Originally Posted by sosfo
(Post 25726318)
Definitely a browser/end user issue. You could always turn off the remember me function and be safe. Or, as mentioned, password protect the device. But I can't imagine anyone who steals my phone or laptop really wants into my AAdvantage account that bad.
I've tweaked the thread title a bit to clarify that this appears to be browser-related.
~Moderator
I use Chrome and aa.com only saves my AA number and Last Name. So it's not a Chrome thing.
AA.com "remember me" should save everything but the password. Your browser should optionally remember your password.
Because I regularly use my browser to log in to 4 different AA accounts, I don't use any of the above.
AAirlines website vulnerability
A cypher is an algorithm for performing encryption or decryption. I'm no genius, but I know a little bit about security protocols, and I use a browser that will not allow me to access a web page if a website has a specific flaw.

When clicking the link to the LOGIN page, American Airlines is currently allowing an outdated cypher that is said to be prone to security breaches. They are still using "RC4", more specifically RSA-RC4-SHA. Many large companies have deprioritized the RC4 encryption method because it is widely thought to be vulnerable to attack. When will American Airlines do the same? I have to specifically "allow" RSA-RC4-SHA in order to log in. I have been doing this now for over a year. I should not have to do this. The other airlines do not have this problem. When, American, when will this be fixed???

If you have a browser which can screen out RC4, this is what will show up when one attempts to log in:

Secure Connection Failed
An error occurred during a connection to www.aa.com.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

This error message is correct, and describes the problem exactly. Then when I go into my browser and allow RC4, I am able to log in. Since most people are probably not aware of this vulnerability, here are a couple of web pages to read:
http://blogs.technet.com/b/srd/archi...sable-rc4.aspx
http://windowsitpro.com/windows/disabling-rc4-cipher

I am very shocked at American and I thought they were better than this. So there - I've informed you (meaning the airline) about the problem. Please have the IT department make the website safe for us to use!
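Added example, not part of the thread or of any airline's code: a small model of the TLS cipher-suite negotiation behind the "no common encryption algorithm(s)" error above, plus an audit helper that flags deprecated suites such as RC4. The suite names are OpenSSL-style strings (RSA-RC4-SHA spelled as the poster wrote it) and every server list is a constructed sample, not a capture from any real site.

```python
# Constructed model of TLS cipher-suite selection (added example, not the thread's code).
# Substrings that mark a suite as using a deprecated primitive.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def weak_suites(server_suites):
    """Return the server's suites that rely on a deprecated primitive."""
    return [s for s in server_suites if any(m in s.upper() for m in WEAK_MARKERS)]


def negotiate(client_suites, server_suites, server_preference=True):
    """Pick the suite a server would select, or None when there is no overlap.

    With server_preference the server's ordering wins (OpenSSL's
    SSL_OP_CIPHER_SERVER_PREFERENCE); otherwise the client's ordering wins.
    An empty intersection is what the browser reports as "no cypher overlap".
    """
    offered = set(client_suites)
    if server_preference:
        return next((s for s in server_suites if s in offered), None)
    supported = set(server_suites)
    return next((s for s in client_suites if s in supported), None)


# A browser with RC4 disabled (the poster's normal configuration).
STRICT_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
# The same browser after RC4 is manually re-enabled.
LENIENT_CLIENT = STRICT_CLIENT + ["RSA-RC4-SHA"]

# Constructed server configurations for the demonstration.
RC4_ONLY_SERVER = ["RSA-RC4-SHA", "RC4-MD5"]          # only RC4: strict clients fail
MIXED_SERVER = ["RSA-RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]  # RC4 preferred first
FIXED_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]   # RC4 removed

if __name__ == "__main__":
    for name, server in (("rc4-only", RC4_ONLY_SERVER),
                         ("mixed", MIXED_SERVER),
                         ("fixed", FIXED_SERVER)):
        print(name, "weak:", weak_suites(server),
              "| strict client ->", negotiate(STRICT_CLIENT, server),
              "| lenient client ->", negotiate(LENIENT_CLIENT, server))
```

The "mixed" case shows why re-enabling RC4 in the browser is a poor workaround: with server preference on, a client that merely tolerates RC4 is still steered onto it even though both sides support a stronger suite; only removing RC4 server-side fixes that.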
Originally Posted by BillyBaloney
(Post 25731829)
I am very shocked at American and I thought they were better than this. So there - I've informed you (meaning the airline) about the problem. Please have the IT department make the website safe for us to use!
I beg to differ. The way mostly everyone accesses the airline and their mileage program is by logging in via the website. People need to know. The information is here for them if they need it. It is also here to alert American to the problem. My repeated attempts to warn them have fallen upon deaf ears.
You don't care if your info gets hacked?
Originally Posted by BillyBaloney
(Post 25731877)
I beg to differ. The way mostly everyone accesses the airline and their mileage program is by logging in via the website. People need to know. The information is here for them if they need it. It is also here to alert American to the problem. My repeated attempts to warn them have fallen upon deaf ears.
You don't care if your info gets hacked?