UC WiFi login at IAD creates Google password alert from Chicago?
#1
Original Poster
Join Date: Dec 1999
Location: NorCal - 1K 2MM
Posts: 2,089
This question for an FT IT guru who also frequents the UC's. I know the verification protocols have been unstable of late, but today was a new one for me. Logged in to WiFi at IAD UC using M+ number (I'm also a member), and immediately got a Google warning "Someone has your password", telling me a login was blocked from an unrecognized device located in Chicago. The time coincidence of the UC login and the warning makes me reasonably certain that the login was me (although it was with a device I use commonly, so not sure why this was triggered other than unfamiliar IP address), but I'm perplexed by the Chicago location, other than, obviously, it's WHQ. Is it possible that UC logins elsewhere are somehow routed via Chicago at times?
#2
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTPP, Hertz Five Star
Posts: 1,079
For my home internet (from a cable company in NY), sometimes I show as a somewhat nearby town, sometimes it shows up as being in Connecticut, etc... this changes about once every one to two years when they change the IP blocks around. For my employer, in the office I'm in right now, the IP addresses are registered to the exact address of the building... so it's absolutely accurate. But I've seen other people on DSL or cable internet where the IP that shows up isn't even from the same state.
If you're curious, the next time you're in a club and logged into wifi, google "what is my IP address", then paste the resulting IP address into ws.arin.net and you can see where the IP block is registered to (physical address).
#5
Join Date: Jun 2015
Location: LIM
Programs: United Premier 1K, Hilton Diamond, Bonvoy Gold, AmEx Plat
Posts: 559
It's very very possible that their connection is being routed through Chicago, because of WHQ (where I assume they have their IT stuff hosted as well). You can also do a 'traceroute' and find out where your packets are going through to reach a certain website.
#6
Join Date: Aug 2012
Location: Charlottesville
Programs: UA Gold, VX Gold, AA PLT, DL Gold, MR Gold, HH Diamond, Hertz 5* Gold
Posts: 469
It's likely that running traceroute will fail since competent network admins will have blocked ICMP at the firewall.
I could continue about 802.11 security and Cisco wireless (I'm not sure which wireless products UA is using in the UCs) but I need another glass of wine first.
#7
Join Date: Aug 2012
Location: Charlottesville
Programs: UA Gold, VX Gold, AA PLT, DL Gold, MR Gold, HH Diamond, Hertz 5* Gold
Posts: 469
I found that out the hard way a few years back when I was still a newbie. I got dinged by security at the company I worked for, since international travel was a no-no without prior authorization.
#8
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,157
The responses above are correct regarding the location being a bit of a half-guess based on where the IP address is registered to - but in this case it's a little bit more complex than just that.
As has been discussed at length in other threads on FT, web traffic from the United Club wifi is run through Zscaler's proxy servers in order to block "unwanted" content. Zscaler have nodes in a number of locations, and whilst they do have some near IAD, it's very likely that this traffic was actually being run through their node in Chicago. Thus as far as Google is concerned, the traffic IS actually originating in Chicago - how it gets there is something they can't tell.
As was said above, the Lufthansa lounges have a similar setup, with traffic being tunneled back to Germany. This not only causes your location to be misrepresented, but can also cause things like Google Search to default to returning results in German...
#10
Join Date: Feb 2014
Programs: Amex Plat, Hilton Diamond, SPG Gold, Carlson Gold, CM Presidential / *A Gold, Hertz 5*
Posts: 1,648
www.whatismyipaddress.com to confirm where the IP is located today
#11
Join Date: Apr 2007
Location: USA
Programs: 1K 1MM; Bonvoy Ambassador; Nat'l EE; Hertz PC; Hyatt Globalist
Posts: 2,465
I believe the United Club wifi hands out what are called "private" or non globally routable IPs all behind a firewall of theirs and then via an MPLS type connection actually routes all traffic within their Chicago POP and out to the Internet. It's the same idea as when you do a speed test on inflight wifi and it chooses the "closest" server and is 3000 miles away from you. Just the way the company does these types of things. Why did you receive the Google warning? One hour you were "in" DC or wherever you last connected, the next hour you were "in" Chicago.
#12
Join Date: Jan 2010
Posts: 191
It could be as others have suggested--United backhauling (which seems expensive for internet traffic) to Chicago or it could be a proxy. United sometimes uses Zscaler, a cloud based proxy which tunnels traffic through its cloud nodes located around the country/world in various data centers. The proxy happens transparently and a traceroute wouldn't normally indicate it, as the traceroute might go directly out the connection whereas HTTP and HTTPS will be transparently routed via IPsec/GRE to Zscaler.
You can confirm by visiting: http://ip.zscaler.com and it will let you know if it's proxying you and both your proxy and real ip address.
#13
Join Date: Oct 2013
Location: SF Bay Area
Programs: UA Platinum
Posts: 502
Same issue, but I was boarding in PHX and got the alert that I was logging in from Dallas (or Houston, can't remember specifically now), it was the same time as my login to United wifi. I still changed the PW as a precaution.
#14
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
I always use my PNR to log into the United Club network. It's a short-term ID with no personal link.
#15
Join Date: Jul 2012
Posts: 1,115
Either all traffic is routed through Chicago (my bet, since Google keeps its IP-geo correlations pretty up to date) or it's not routed through Chicago but United or their contractor allocated an IP address that Google still believes is in Chicago. IP-geo correlations change all the time, the databases that try to track this are always lagging behind. But Google also knows to not believe everything ARIN says, Google has their own parallel database which contains "augmentations" to ARIN data.
In any case, it's nothing to worry about and isn't a reason to change your password per se (if the date/time in the google alert matches with the moment you first connected). As to why you didn't get the warning from Google earlier: Google looks at lots of factors to determine if a connection is suspicious. Preset cookies, time of day, time since last connection, your previous locations, browser etc all come into play. Only Google knows what triggered the warning this time, but rest assured there is a logic behind it. I receive these kinds of warnings from Apple all the time, while I receive them from Google only sometimes.
Tunneling isn't that expensive anymore nowadays if you can negotiate good rates for the data volume which isn't that hard due to the competitive market.
Not sure if you were being sarcastic, but blocking ICMP breaks internet functionality and hence isn't competent behavior. Try determining acceptable MTU for a tunnel interface if the other party has decided that it doesn't want your ICMP. ICMP is not evil. Yes, I know many "competent" network admins block it because they read some random consumer website which said that it needs to be blocked in your random consumer-grade TP-Link router, and it creates enormous headaches for the real competent network admins when they do that. But I digress, more at Enterprise Networking 101.
Last edited by mozilla; Jan 6, 2016 at 3:39 am
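A defender-side sketch of the kind of "new location" logic the thread is discussing, added here as an example and not taken from the thread or from Google's or Zscaler's actual implementations: an impossible-travel check over consecutive logins that consults an allowlist of known proxy egress ranges, so a login that geolocates to Chicago only because the lounge wifi tunnels through a proxy node there is not treated as a stolen password. All addresses, coordinates and the 900 km/h threshold are constructed assumptions (TEST-NET ranges, not real Zscaler or United addresses).

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    when: datetime
    ip: str
    lat: float  # coordinates an IP-geolocation database maps the address to
    lon: float

# Constructed allowlist of egress ranges for a cloud proxy the organisation
# knowingly routes guest wifi through (TEST-NET-3, not a real provider range).
KNOWN_PROXY_EGRESS = [ip_network("203.0.113.0/24")]

# Assumed ceiling on plausible physical travel; anything faster is impossible.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km radius sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def via_known_proxy(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_PROXY_EGRESS)


def assess(prev, cur):
    """Return (verdict, implied travel speed in km/h) for login cur after prev."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
    if speed <= MAX_PLAUSIBLE_KMH:
        return "ok", speed
    if via_known_proxy(cur.ip):
        # Geo reflects the proxy node, not the user: log it, do not alert.
        return "ok-proxy-egress", speed
    return "suspicious", speed


# Constructed sample: a direct ISP login near IAD, then five minutes later a
# login whose address geolocates to Chicago (proxy egress vs. unknown address).
PREV = Login(datetime(2016, 1, 5, 10, 0), "198.51.100.7", 38.95, -77.45)
CUR_PROXY = Login(datetime(2016, 1, 5, 10, 5), "203.0.113.42", 41.88, -87.63)
CUR_UNKNOWN = Login(datetime(2016, 1, 5, 10, 5), "192.0.2.9", 41.88, -87.63)
```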