UA initiates Account Security Update (Security Q&A authentication added 2016)
Feb 13, 16, 9:19 pm
#136
Join Date: Aug 2012
Location: SLC
Programs: DL FO, KM, & 1.7MM; UA nothing; HH♦; National EE
Posts: 6,344
Not everyone visits the website every day. I happened to have some flights on UA this week so I visited the website, but was too busy to deal with it then. I'm guessing many people have just pushed it off until later.
Feb 13, 16, 9:21 pm
#137
Join Date: Mar 2012
Programs: Mileage Plus 1K; Marriott Platinum; Hilton Gold
Posts: 6,354
Or, the alert not to fall for the security enhancement set off by the early victims in this thread has left a lot of folks out there like me rejecting the requests to update my security profile and hoping that there can be a fix or a postponement before the 30 day mandatory migration to the new password and security.
Feb 13, 16, 9:24 pm
#138
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.034MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 51,469
This statement proves that United's systems are inherently insecure, as the only way to know that is to have the passwords stored in plaintext somewhere.
Feb 13, 16, 9:31 pm
#139
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,700
There isn't a bigger blowback on it because your average user has no idea how bad the design is anymore than they understood that being able to log in with a 4-digit PIN is bad.
If a nefarious party gets a list of FF#'s and names, they could cause a LOT of problems for United.
Feb 13, 16, 9:51 pm
#140
Suspended
Join Date: Sep 2014
Posts: 3,072
It's unfortunate that some people are having problems, but it seems highly unlikely that United is seeing anything other than a minor percentage of customers being locked out of their accounts. If the transition was going that poorly, they would have shut off the new system already so the problems could be fixed.
Feb 13, 16, 10:08 pm
#142
In memoriam
Join Date: Mar 2000
Location: IAD, BOS, PVD
Programs: UA, US, AS, Marriott, Radisson, Hilton
Posts: 7,203
answer only one or two with the choices offered, so I had to make
up responses, and I'm likely to forget what I said. So pooh pooh
to you, and that's what I shall say!
My password didn't qualify according to the new rules, so reset
was required.
Feb 13, 16, 10:13 pm
#143
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 9,400
After checking what happens when you put in a wrong answer to the security questions, I got an email saying my account was locked from any logins at all until I call 1-800-421-4655.
So those of you who can't get into your account might try calling that number.
Has to be between 7 AM and Midnight central.
So those of you who can't get into your account might try calling that number.
Has to be between 7 AM and Midnight central.
When I saw that it was optional for the next 30 days, you bet I am staying away from this for awhile. Sorry for those dealing with it, but thanks for taking the fall for us late adopters.
Feb 14, 16, 4:16 am
#145
Join Date: Nov 2008
Location: Washington, DC
Programs: United Premier 1K 1MM; AA Plat Pro; Hyatt Globalist; Marriott Platinum; Avis President's Club
Posts: 2,479
I don't mind these changes but I wish UA would alert all users of the change so they are more aware. Their IT systems still leave a lot to be desired...
Feb 14, 16, 9:35 am
#146
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,338
Wow, I guess this idiotic security question thing is becoming a trend. First Starwood, now United. Two websites that I am no longer able to use. 
Why are the people who made these decisions so narrow-minded? Why can't they conduct a survey to see that perhaps, just maybe, the whole world doesn't think the same way they do? You know what websites will never engage in this stupid behavior? Bank websites. And they have vastly better security than these travel companies.
Why are the people who made these decisions so narrow-minded? Why can't they conduct a survey to see that perhaps, just maybe, the whole world doesn't think the same way they do? You know what websites will never engage in this stupid behavior? Bank websites. And they have vastly better security than these travel companies.
Feb 14, 16, 9:38 am
#147
Join Date: Jul 2003
Location: BOS, PVG
Programs: United Global Services and 1MM, Marriott Ambassador
Posts: 9,825
I didn't want to mess with my account, so I created a new one to see how this worked.
My god, I didn't realize how bad this is!
United majorly screwed the pooch on this.
Right now, we have 4-digit PINs, which we all know are insecure, because there are only 10,000 possible combinations of 4 digits.
The NEW system:
- Click Forgot Password, enter Mileage Plus number and Name.
- Answer two security questions, each with 10 possible answers displayed.
- Pick a new password.
DOES NOT EVEN EMAIL YOU A LINK TO CLICK ON!
For those who are really bad at math, two questions with 10 answers is 100 possible answers.
So to "improve" the security of a system with only 10,000 possible answers, we replaced it with a system with 100 possible answers. 99% less secure.
Some people at United IT really, really, really need to be fired over this.
My god, I didn't realize how bad this is!
United majorly screwed the pooch on this.
Right now, we have 4-digit PINs, which we all know are insecure, because there are only 10,000 possible combinations of 4 digits.
The NEW system:
- Click Forgot Password, enter Mileage Plus number and Name.
- Answer two security questions, each with 10 possible answers displayed.
- Pick a new password.
DOES NOT EVEN EMAIL YOU A LINK TO CLICK ON!
For those who are really bad at math, two questions with 10 answers is 100 possible answers.
So to "improve" the security of a system with only 10,000 possible answers, we replaced it with a system with 100 possible answers. 99% less secure.
Some people at United IT really, really, really need to be fired over this.
Can we complain to UA CEO Oscar?
He needs to fire this idiotic and incompetent UA IT team.
The new ual.com is bad enough.
Now this stupid "security update" makes things even worse.
Feb 14, 16, 9:48 am
#148
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,338
Then again, maybe these moves by United and Starwood are attempts to wean people off the web. Both of their iOS apps work just fine and don't require these stupid questions. It would be nice to remove all their web development costs and focus just on mobile apps. Or am I attributing too much intelligence to these outfits?
Feb 14, 16, 10:21 am
#149
Join Date: Dec 2007
Location: Now:AUS (again); Previous: LGA/EWR (BLKYN, missing JFK), AUS, SAT
Programs: Current: UA-Silver, Former AA Plat, DL Silver
Posts: 593
It appears that if you know the MP number and the first and last name, it's even easier. When trying to reset your password, they've reduced the number of options to 10 per question, so with two questions, there are only 100 possibilities.
But, my answer is always listed twice for the first question, so if that's consistent, it could be as little as 1 in 10 to get into someone's account -- and reduced with multiple attempts.
This is such a major fail -- there must be a complete lack of common sense as well as proficiency in the IT group.
But, my answer is always listed twice for the first question, so if that's consistent, it could be as little as 1 in 10 to get into someone's account -- and reduced with multiple attempts.
This is such a major fail -- there must be a complete lack of common sense as well as proficiency in the IT group.
Feb 14, 16, 11:25 am
#150
Join Date: Apr 2015
Programs: United Global Services, Amtrak Select Executive
Posts: 3,794
https://www.united.com/web/en-US/app...t/account.aspx
That worked for me when I coulnd't log in from the main page tile.
