
UA Account Hacked / Reports of Fraudulent Award Travel Redemption

Old Dec 29, 2014, 12:05 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: WineCountryUA
This thread to follow reports of MP accounts that actually have been hacked / improperly accessed. If you have missing miles and believe you have been hacked, contact [email protected]

In Suspended MP Accounts / Third Party Vendor "Security Breach?" - Dec 2014 there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread.

A separate(?) "access denied" issue is covered in Consolidated " Is united.com or parts of it Down?" thread
Old Jul 18, 2014, 8:10 pm
  #166  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,413
Isn't your password the following:

password

It's supposedly a very common choice.
MSPeconomist is offline  
Old Jul 18, 2014, 9:44 pm
  #167  
FlyerTalk Evangelist
 
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,866
Originally Posted by mahasamatman
Those are Personal Identification Number Numbers, right? And I'm guessing you also use ATM machines?


Cellular data is no more secure than wi-fi.
How does one break into a secured hot spot?

Last edited by Bonehead; Jul 21, 2014 at 2:31 pm
Bonehead is offline  
Old Jul 19, 2014, 12:22 am
  #168  
 
Join Date: Aug 2013
Location: LAS HNL
Programs: DL DM, 5.7 MM, UA 3.1 MM, MARRIOTT PLATINUM, AVIS FIRST, Amex Black Card
Posts: 4,479
Originally Posted by Bonehead
How does one break into a secured hot spit?
What is a hot "spit"? I had one of those in MSY. It came out both ends at the same time.

Did you mean - spot?

And the French Quarter is not a great place to "spit".

I count the #2 (gotta go) bus and trolley a great salvation to hearing Johnny Cash playing "Ring of Fire".

And that is what it was. Damn, New Orleans can make some strong gumbo.
kettle1 is offline  
Old Jul 19, 2014, 12:49 am
  #169  
FlyerTalk Evangelist
 
Join Date: Oct 2006
Location: SFO/SJC
Programs: UA Silver, Marriott Gold, Hilton Gold
Posts: 14,889
Originally Posted by cfischer
... even UA agents are asking for PINs for simple transactions.
Would you prefer the option where agents don't verify who is calling with your account info? Would you up UA's security grade if anyone could call in with your account # and book award flights, make changes, etc?

Now I certainly would agree with an argument that they should probably use an automated system, like some other companies do, to verify your PIN. That way, you don't have to speak it, where anyone within earshot and the agent themselves know what it is. Or I would get the argument that one should be able to disable their PIN for use on United.com. But personally, I agree with the idea that an agent in some way verifies a PIN before a transaction where they debit miles from my account. Or even verify basic information on the account.
emcampbe is offline  
Old Jul 19, 2014, 1:14 am
  #170  
 
Join Date: Aug 2013
Location: LAS HNL
Programs: DL DM, 5.7 MM, UA 3.1 MM, MARRIOTT PLATINUM, AVIS FIRST, Amex Black Card
Posts: 4,479
Just make it a one digit number. That makes it easy on both ends. Why complicate this with a four digit password? Easier would be no password. My fingers hurt already (typing this), forget a password. Everyone is happy!
kettle1 is offline  
Old Jul 19, 2014, 6:35 am
  #171  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Originally Posted by JB123
She said that there has been a rash of this happening due to people using wifi in hotels.
Originally Posted by WineCountryUA
very correct --- public wifi is very public unless using VPN. HTTPS is a little help.
It is HTTPS that provides the security, wifi encryption provides little.

Secure wifi does not secure your information end-to-end, only over the air. If the data is not secure via https, then it can still be gathered once the data is back on the wire.

Even relaying through a VPN does not protect you. It will be decrypted at the other end of the VPN, and is then public.

All one does via secure wifi or VPN is move the "eavesdrop" point.

HTTPS is secure. Yes, the Heartbleed bug in OpenSSL did exist, but that was very brief and I do not know of real world attacks via it.

Assuming UA has a valid https login, then the breaches could come through many sources:

. Human engineering (A caller claiming to be UA asking for your PIN)
. Infected computers
. Use of 3rd party computers (NEVER do this for confidential data)
. Internal security breaches.
. Brute force guessing PINs.

All of these are vastly more likely than recording wifi data over the air and cracking the https security. UA's reply to JB was sad.
except a 4 number pin is F-.
1+
exwannabe is offline  
Old Jul 19, 2014, 7:08 am
  #172  
FlyerTalk Evangelist
 
Join Date: Aug 2005
Location: BOS/EAP
Programs: UA 1K, MR LTT, HH Dia, Amex Plat
Posts: 32,053
Originally Posted by emcampbe
Would you prefer the option where agents don't verify who is calling with your account info? Would you up UA's security grade if anyone could call in with your account # and book award flights, make changes, etc?
I'd prefer I could do more myself online and wouldn't have to call so often to get simple things accomplished.
There are many ways this can be made more secure ... ever called a bank or credit card company?
cfischer is online now  
Old Jul 19, 2014, 11:51 am
  #173  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: Florida
Posts: 29,762
Originally Posted by WineCountryUA
regardless of what you use the PIN option is still there in your MP account and a bruteforce attack is always a risk.
I thought, at least in theory, a password using both cap and lower case, numeric value and special character, would be MUCH HARDER for the brute-force attack than just the 4 digits combo.

Club Carlson just made me change my existing password to the above format.
Happy is offline  
Old Jul 19, 2014, 11:56 am
  #174  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,854
Originally Posted by Happy
I thought, at least in theory, a password using both cap and lower case, numeric value and special character, would be MUCH HARDER for the brute-force attack than just the 4 digits combo......
You can have a strong password but the PIN is still an available access method. You cannot disable PIN access on your MP account.
WineCountryUA is offline  
Old Jul 19, 2014, 7:49 pm
  #175  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: Florida
Posts: 29,762
Originally Posted by WineCountryUA
You can have a strong password but the PIN is still an available access method. You cannot disable PIN access on your MP account.
I did not know that. IIRC, BA made you choose password and once you opted that, there would be no more PIN access.

I think DL has done the same.
Happy is offline  
Old Jul 19, 2014, 8:14 pm
  #176  
 
Join Date: Mar 2008
Programs: DL BA Amex
Posts: 916
Originally Posted by exwannabe
Assuming UA has a valid https login, then the breaches could come through many sources:

. Human engineering (A caller claiming to be UA asking for your PIN)
. Infected computers
. Use of 3rd party computers (NEVER do this for confidential data)
. Internal security breaches.
. Brute force guessing PINs.

All of these are vastly more likely than recording wifi data over the air and cracking the https security. UA's reply to JB was sad.

1+
as to "brute force" hacking... isn't the account locked after 3 incorrect pin entries?
bajrbajr is offline  
Old Jul 19, 2014, 10:58 pm
  #177  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
Originally Posted by cfischer
There are many ways this can be made more secure ... ever called a bank or credit card company?
Yes, and there's virtually no security there that you can't get from digging someone's bill out of the trash can.

Originally Posted by kettle1
Just make it a one digit number. That makes it easy on both ends.
Binary!

Originally Posted by Bonehead
How does one break into a secured hot spit?
I don't believe this forum should be a lesson on breaking security. Suffice it to say that it can be done more readily than your phone company would like you to believe. Digital security is an illusion.

Last edited by goalie; Jul 20, 2014 at 1:45 pm Reason: Attacking the member is not permitted
mahasamatman is offline  
Old Jul 20, 2014, 2:47 am
  #178  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Originally Posted by JB123
I spoke to a very nice woman at United security. They were able to deactivate the gift cards before the person could use the miles. The person changed my e-mail address to be one letter different (on yahoo) and have the gift cards e-mailed to that address. Yesterday when I changed the pin it was sent to the bad guy's e-mail address. ...
I do hope UA emails the original address upon a change, if not this is a HUGE issue because in practice email access can reauthorize almost any account.

People should realize that the email account they use in conjunction with "valuable" accounts needs to be treated as a high security account.
exwannabe is offline  
Old Jul 20, 2014, 2:56 am
  #179  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Originally Posted by bajrbajr
as to "brute force" hacking... isn't the account locked after 3 incorrect pin entries?
If ALL channels are correctly locked after 3 false attempts, I agree. But given that airline security in general sucks, I would not count on this.
exwannabe is offline  
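
Added example (not part of any post in this thread, and not United's code): a small Python model of the point raised in posts #176 and #179, comparing a failed-PIN counter kept separately per channel with one kept per account across all channels. The channel names, the account id and the `PinLockout` class are assumptions made for illustration; only the three-attempt threshold comes from the thread.

```python
from collections import defaultdict

MAX_FAILURES = 3  # threshold mentioned in the thread


class PinLockout:
    """Tracks failed PIN attempts; `account_wide` decides how failures are keyed."""

    def __init__(self, account_wide: bool):
        self.account_wide = account_wide
        self.failures = defaultdict(int)  # key -> consecutive failed attempts
        self.locked = set()               # keys that are currently locked

    def _key(self, account: str, channel: str):
        # Account-wide: one counter per account, whatever channel was used.
        # Per-channel: every channel keeps its own counter (the weak design).
        return account if self.account_wide else (account, channel)

    def is_locked(self, account: str, channel: str) -> bool:
        return self._key(account, channel) in self.locked

    def record(self, account: str, channel: str, pin_ok: bool) -> str:
        key = self._key(account, channel)
        if key in self.locked:
            return "locked"  # refuse even a correct PIN until a reset
        if pin_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked.add(key)
        return "failed"


def wrong_guesses_accepted(policy: PinLockout, account: str, channels) -> int:
    """Count the wrong PINs the policy evaluates before every channel refuses."""
    accepted = 0
    for channel in channels:
        while policy.record(account, channel, pin_ok=False) == "failed":
            accepted += 1
    return accepted


# Constructed sample data: hypothetical channels and a placeholder account id.
CHANNELS = ["web", "mobile_app", "phone_ivr", "call_center"]
per_channel = wrong_guesses_accepted(PinLockout(False), "MP-TEST-0001", CHANNELS)
account_wide = wrong_guesses_accepted(PinLockout(True), "MP-TEST-0001", CHANNELS)
print(f"per-channel counters: {per_channel} wrong PINs evaluated before full lockout")
print(f"account-wide counter: {account_wide} wrong PINs evaluated before full lockout")
```

With per-channel counters the number of wrong PINs that get evaluated grows with every access channel the program exposes, which is why the lockout only bounds guessing when all channels share one counter.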
Old Jul 20, 2014, 7:21 am
  #180  
FlyerTalk Evangelist
 
Join Date: Nov 2006
Location: Bangkok or San Francisco
Programs: United 1k, Marriott Lifetime PE, Former DL Gold, Former SQ Solitaire, HH Gold
Posts: 11,886
Originally Posted by exwannabe
If ALL channels are correctly locked after 3 false attempts, I agree. But given that airline security in general sucks, I would not count on this.
I'm curious about something. I added someone as a traveller on my MP account so I could give them a reward ticket. I got an automated e-mail from United telling me my account had been changed. Didn't the OP get an e-mail when the hacker changed the info in his account?
Tchiowa is offline  

