RockinRon

I thought this was interesting. I called in this morning to apply GPUs (had to *GG BUYUP first) and the agent asked for my PIN. I was wondering if she was going to ask for my password but PIN was all she needed.

Don't forget your PIN if you call in for GPUs!

cesco.g

Decided to wait with update til the dust settles.
But now I am locked out!
I click "accept & update later" and it takes me right back to the login page.

joseeantonior

I believe that on the email I got it says that the PIN will still be used to identify yourself for phone transactions, so "don't lose track of it juts yet" or something like that.

flyer_south

It seems to be working this morning, after I cleared cache on the browser as has been suggested by others earlier.

goodeats21

Looks like it has affected the MileagePlus shopping portal now.

I keep clicking "Update Later" on United.com, but now I get internal error messages when trying to log into M+ Shopping.

kb1992

Can you still change PIN?

edcho

During the process, it stated that they will still use the PIN for phone based transactions so I don't think it will go away.

Yup!

https://www.united.com/web/en-US/app...pinChange.aspx

UA Insider

Hi everyone,

We’ve been monitoring this thread and taking your feedback into account and have made some quick changes to fix issues you have identified. We also want to use this as an opportunity to answer some of the common questions we have seen on this thread. If you have any other questions, please let us know and we will work with our IT Security team to address them where possible.

"Why can't I type my own answer?"
-At the beginning of our effort we conducted a great deal of research into the security issues our customers face. We found that the vast majority of security issues that customers have with their accounts can be traced to computer viruses that record your typing.
-We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.
-Not all customers are asked the same questions, and not all customers receive the same potential answers to each question. This randomization is on purpose and designed for your safety and security.

"Why aren't you applying Two Factor Authentication (TFA)?"
-We plan to. Two Factor Authentication will be coming this year.

"What about SMS authentication, or Touch ID, or Google Authenticator?"
-We began with security questions first as not all customers can receive SMS messages, use Touch ID, or have an Authenticator app. You should expect some of these options to appear in the coming year.

“Can't these questions be guessed from Facebook?”
-We hope not! We designed the questions to be difficult to answer through your social media accounts, which is why they may seem peculiar. If you're not sure, try to answer two of your own questions selected at random about a Facebook friend of yours selected at random. We played this game quite a bit during the development program and found it very difficult.
-Some of the questions we ask have some obvious answers omitted. This is on purpose and designed for your safety and security.

"Are you using my answers to these questions for Marketing purposes?"
-No. Your answers are stored encrypted and are not accessible for any purpose other than authenticating you.
-Additionally, your password is encrypted in transit and at the point of storage and is not stored in plain text on United's systems under any circumstances.

"Why wasn't I asked to update my password when someone else was?"
-As part of the account security upgrade launched last week, our system would evaluate your encrypted password and not bother you to update your password if it met our criteria. We have taken into account your feedback provided over the last week and the account security upgrade process now asks all customers to update their password. This should assist those customers who cannot immediately recall their password.
-If you forget your password, the forgot password link on United.com should permit you to reset after answering two of your five security questions.

"I am having trouble logging in after going through the account upgrade process. Any ideas?"
-We are actively working on fixes for a very small number of customers who have login difficulty and for another small number of customers who have difficulty setting questions. We should make the necessary improvements soon, but in the mean-time if you clear your browser cookies for United.com we believe you will have better success.

“How can I view the questions I set up?”
-In order to protect the security of your account, we do not display the questions and answers you set during the security upgrade process. You can always update your questions by visiting the “Change Security Questions” page on the Profile Management screen on United.com.

Thank you,

-UA Insider

stimpy

Thanks for listening UA Insider and I look forward to the improvements. For now though I'll stick with the iOS apps. It will be great when those apps have feature parity with the web interface. I hope that is a near term target for UA.

bmwe92fan

+1 - thanks for taking the time to address what are admittedly serious issues - in the future I'd request that you collect a bunch of FT users as a beta test group before you implement something like this globally.... This was a real mess for your frequent travellers....

notquiteaff

Do you actually store the password in an encrypted format that easily allows you to reverse the encryption? Or do you store a hash of the password?

This makes me think that you did (do?) store the password in such a way that you can easily see the clear text password by decrypting it (I assume you didn't try to crack all xx million passwords and only forced a new one for those that you could crack.

Hmmm.

helvetic

That doesn't actually indicate that at all. (I'm an engineer and have designed password storage schemes, so I can speak to this.)

When you log in, you send the cleartext of the password (over SSL) to united. That's also when you're prompted to update the security questions and update your password. Since they have the cleartext during the login procedure, they can test for whether it meets the basic security criteria at that time on the fly.

If UA follows well known security best practices, they'd be storing the password as the result of a cryptographically-secure one-way key-derivation function. (Ideally, pbkdf2, bcrypt, or scrypt.)

goodeats21

I know next to nothing about password web stuff, but I think the point was United was able to look at an EXISTING (stored) password and know if it met the "strong" criteria. If so, they were not forcing the user to enter a new password.

It was not referencing anything about transmitting the new password.

Ocn Vw 1K

With one minor glitch, was able to do the security update, including signing back in with the new PW, after logging out. First cleared all UA cookies, then went through the guided process. Before the security Qs. came up, I did get an error failure message to call web support, but hit the "back" button and was able to continue without further error message.

However, was unable to complete an online renewal of my United Club subscription using funds from my united.com/club bank account. Don't know if this is related to the security update process or is an independent problem. After waiting >15 mins. to talk to an agent at the UC Svc. Ctr., decided to just try to renew next week while at a Club.

[Update: referring to my ApplePay acct., shows that the Club renewal using united.com/club $$$ bank DID go through - x3: once for each attempt the website said failed to go through! Now will have to see if this is reconciled by UA and/or the CC issuer.]

WineCountryUA

My thanks to all the beta-testers

I waited until today to do the password change and all when well.
Logged back in afterwards and was able to construct and fare lock an itin.