Rate this bonehead
#16
Join Date: Feb 2006
Location: 99654
Programs: Many
Posts: 6,450
on it. In this situation, I think CO should have done a better job.
But for the OP's situation, we do not know who was at fault. But it's a good thing
that he managed to get the miles back.
#17
Original Poster
FlyerTalk Evangelist
Join Date: Jul 2007
Location: DFW
Programs: UA Pleb, HH Gold, PWP General Secretary
Posts: 23,199
I just wanted to add that I was not targeting Mr. Bonehead. Any resemblance to those living or dead is purely coincidental.
The post was not supposed to be a serious indictment of CO.com password protection. I am not thrilled that it is limited to 10,000 combinations, but that is the way it is. I meant this post to be an indictment of the bonehead who used his own credit card to steal airline tickets.
I am in agreement with the person who suggested that they meet them at the airport, have them arrested at the gate, and then have my parents board the flight to Paris.
This was supposed to be funny, not serious.
P.S. Mad props to the OPSC who quickly and cleanly cleaned this potential mess up.
#18
Join Date: Sep 2002
Location: ATL
Posts: 3,219
CO requires the use of a 4-digit PIN. This is literally child's play to get through. CO also requires that you verbally communicate this PIN to their CSRs in easily overheard phone conversations as the primary method of "securely" identifying you as the OP account holder.
#19
Join Date: Jan 2005
Location: San Antonio, TX
Programs: OP, SPG, Amex MR
Posts: 372
I could write a program (not bragging, because even a caveman developer can do it) to crack an OP account in an hour or so. With multiple threads, it can crack any account in under a few minutes, unless CO has lockout policies. Do they?? If they don't, THAT is really criminal.
A good lockout policy coupled with forced changes to PIN numbers every set interval should secure this vault somewhat.
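Added example, not code from this thread or from Continental, serving posts #18 and #19 above: a mock PIN store with the per-account lockout #19 asks about, plus a local keyspace walk that shows why 10,000 combinations are trivial without one and capped with one. The account id, the PIN, the five-failure threshold and the 15-minute window are constructed, and the PBKDF2 iteration count is kept low only so the demonstration finishes quickly.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_LENGTH = 4
PIN_KEYSPACE = 10 ** PIN_LENGTH   # 0000..9999: the 10,000 combinations the thread mentions
MAX_FAILURES = 5                  # constructed threshold: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60         # constructed lockout window
ITERATIONS = 1_000                # deliberately low so the demo runs fast; use far more in production


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the PIN so the store never holds PINs in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0          # consecutive wrong guesses since the last success
    locked_until: float = 0.0  # timestamp; 0 means not locked


class PinStore:
    """Minimal account store; `now` is passed in explicitly so behaviour is deterministic."""

    def __init__(self, lockout_enabled: bool = True):
        self.accounts: dict[str, Account] = {}
        self.lockout_enabled = lockout_enabled

    def create(self, account_id: str, pin: str) -> None:
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError(f"PIN must be exactly {PIN_LENGTH} digits")
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = Account(salt, hash_pin(pin, salt))

    def verify(self, account_id: str, pin: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked'. A locked account refuses even the right PIN."""
        acct = self.accounts[account_id]
        if self.lockout_enabled and now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0          # a success resets the counter
            return "ok"
        acct.failures += 1
        if self.lockout_enabled and acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def simulate_guessing(store: PinStore, account_id: str, start: float = 0.0):
    """Walk 0000..9999 against the mock store, one guess per second, and report how
    many guesses it accepted before the account locked or the PIN matched."""
    for n in range(PIN_KEYSPACE):
        attempts = n + 1
        result = store.verify(account_id, f"{n:0{PIN_LENGTH}d}", now=start + attempts)
        if result in ("ok", "locked"):
            return attempts, result
    return PIN_KEYSPACE, "exhausted"


if __name__ == "__main__":
    for enabled in (False, True):
        store = PinStore(lockout_enabled=enabled)
        store.create("OP-constructed", "4321")   # constructed account id and PIN
        print(f"lockout={enabled}:", simulate_guessing(store, "OP-constructed"))
```

Without lockout the walk reaches the constructed PIN on guess 4,322 and can never need more than 10,000; with lockout it is stopped after five guesses and the account stays closed, correct PIN included, until the window passes. Throttling per account like this is what turns a 10,000-entry keyspace from minutes of work into something that also lights up in the logs.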
#20
Join Date: Dec 2007
Location: Austin, TX
Programs: UA S; Marriott LG; IHG P; Hertz PC; AA, WN, Pan Am!
Posts: 820
#21
Join Date: Jan 2008
Location: NYC, NJ, Long Island
Programs: DL DM, 1.6MM, UA Silver, NEXUS, SkyClub & AdmiralsClub Lifetime, Bonvoy Titanium
Posts: 6,652
#22
Join Date: Dec 2007
Location: Austin, TX
Programs: UA S; Marriott LG; IHG P; Hertz PC; AA, WN, Pan Am!
Posts: 820
#24
FlyerTalk Evangelist
Join Date: Feb 2007
Location: PDX
Programs: AS Titanium, Marriott Lifetime Plat, UA Gold
Posts: 11,596
Personally, I think CO should consider ridding itself of the PIN system altogether and going with passwords alone. Only allow strong passwords (6+ characters that are not in the English dictionary) and you already have a much better system.
#25
FlyerTalk Evangelist
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,892
I've never seen such a site requirement. Who has those?
#26
Join Date: May 2005
Location: various cities in the USofA: NYC, BWI, IAH, ORD, CVG, NYC
Programs: Former UA 1K, National Exec. Elite
Posts: 5,487
It would also result in a significant increase in calls/emails to the OPSC.
PIN number: personal identification number number?
#27
Join Date: Oct 2007
Location: EWR
Programs: Il Postino della PWP, CO, TrueBlue, Priority Club
Posts: 5,190
English word passwords, so no passwords like "password" or "boeing", but something that can't be guessed like "pq12-@w" or so. Similarly it should try to warn against "words" that use numeric substitution like "c0nt1n3nt4l" (1 is i, 3 is e, 0 is o, etc).
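An added example, not code from this thread or from Continental, of the check posts #24 and #27 describe: reject short passwords, plain dictionary words, and dictionary words disguised with numeric substitution such as "c0nt1n3nt4l". The DICTIONARY set and the substitution table are constructed stand-ins; a real deployment would load a full word list, and the trailing-digit rule goes slightly beyond the posts to catch "boeing747"-style variants.

```python
import re

MIN_LENGTH = 6

# Constructed mini dictionary standing in for a real English word list.
DICTIONARY = {"password", "boeing", "continental", "airline", "paris", "secret"}

# Common digit/symbol-for-letter substitutions, mapped back to the letters they imitate.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Lower-case and undo numeric substitution: 'c0nt1n3nt4l' -> 'continental'."""
    return candidate.lower().translate(LEET_MAP)


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    core = re.sub(r"\d+$", "", lowered)   # drop appended digits: 'boeing747' -> 'boeing'
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    elif core in DICTIONARY:
        problems.append("is a dictionary word with digits appended")
    elif normalize(core) in DICTIONARY:
        problems.append("is a dictionary word with numeric substitution")
    return problems


if __name__ == "__main__":
    for sample in ("password", "boeing747", "c0nt1n3nt4l", "pa$$w0rd", "pq12-@w"):
        verdict = check_password(sample)
        print(f"{sample!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The substitution step is what matters: the "1 is i, 3 is e, 0 is o" trick only fools a checker that compares the raw string, so the candidate is normalized back to letters before the dictionary lookup.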
#28
FlyerTalk Evangelist
Join Date: Feb 2007
Location: PDX
Programs: AS Titanium, Marriott Lifetime Plat, UA Gold
Posts: 11,596
#29
Join Date: Jan 2005
Location: San Antonio, TX
Programs: OP, SPG, Amex MR
Posts: 372
Regular forced PIN/password changes are contrary to good security, as they result in people writing down the PIN. I see this with passwords; the moment IT implements such policies, people start writing down passwords on post-its next to their screen.
#30
FlyerTalk Evangelist
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,892
That's different from "characters" that are not in an English dictionary. The poster clearly meant "character strings".