
UA initiates Account Security Update (Security Q&A authentication added 2016)


Old Feb 12, 16, 8:12 am
  #31  
 
Join Date: Dec 2007
Location: Now:AUS (again); Previous: LGA/EWR (BLKYN, missing JFK), AUS, SAT
Programs: Current: UA-Silver, Former AA Plat, DL Silver
Posts: 593
Originally Posted by uastarflyer:
Glad I never set a PIN

I still login using my UA original MP number too, just for my own petulance sake.
Hah! Same.

Also, pre-filling in the security questions defeats the purpose of having a security question, as it literally provides a set of answers hackers can simply troll through until they get the answer right. So congrats to United IT for another hair-brained, poorly implemented idea.
ndhapple is offline  
Old Feb 12, 16, 9:10 am
  #32  
 
Join Date: Oct 2011
Location: DEN
Programs: UA 1K 1MM
Posts: 252
I just tried to login with my MP# and password (I never use the PIN) and it just took me back to the login page to try again. I can't even get to a point where I'm asked security questions.
MCLC is offline  
Old Feb 12, 16, 9:17 am
  #33  
 
Join Date: Apr 2006
Location: LIS/ATL/other
Programs: UA 1K, Avis PC, Hertz PC, Sixt Plat, Marriott Gold, HH Silver
Posts: 1,979
The list of cities available for "first major city that you visited" is precious.

Samples of cities that make the list include such major metropolises as Santa Fe, Cardiff, or Berne.

And missing from the list are small villages such as Singapore, Tel Aviv, Saigon/Ho Chi Minh, or Honolulu. Even the former hub of Cleveland is absent.

How did they come up with this list anyway?
CaptainMiles is offline  
Old Feb 12, 16, 9:20 am
  #34  
 
Join Date: Apr 2006
Location: LIS/ATL/other
Programs: UA 1K, Avis PC, Hertz PC, Sixt Plat, Marriott Gold, HH Silver
Posts: 1,979
Originally Posted by RockinRon:
I thought this as well, especially with the "Your Favorite Vacation" question. Don't think they won't be feeding this into a Big Data farm somewhere for future analysis.
Then let's answer that our first car was a Rolls Royce or a Lamborghini, and see what kind of offers we get. Just watch your inbox for special offers from Gulfstream.
CaptainMiles is offline  
Old Feb 12, 16, 9:23 am
  #35  
 
Join Date: Dec 2007
Location: Now:AUS (again); Previous: LGA/EWR (BLKYN, missing JFK), AUS, SAT
Programs: Current: UA-Silver, Former AA Plat, DL Silver
Posts: 593
Originally Posted by CaptainMiles:
The list of cities available for "first major city that you visited" is precious.

Samples of cities that make the list include such major metropolises as Santa Fe, Cardiff, or Berne.

And missing from the list are small villages such as Singapore, Tel Aviv, Saigon/Ho Chi Minh, or Honolulu. Even the former hub of Cleveland is absent.

How did they come up with this list anyway?
Also included: Fresno; also missing: New Orleans.

¯\_(ツ)_/¯
ndhapple is offline  
Old Feb 12, 16, 9:28 am
  #36  
Original Member
 
Join Date: May 1998
Location: CT/NY
Programs: UA 1K/1MM, AA EXP, Marriott LT Titanium, Hyatt Globalist, IHG Diamond Amb
Posts: 5,526
They didn't include triangle as an option for my favorite musical instrument.

Originally Posted by ndhapple:
Hah! Same.

Also, pre-filling in the security questions defeats the purpose of having a security question, as it literally provides a set of answers hackers can simply troll through until they get the answer right. So congrats to United IT for another hair-brained, poorly implemented idea.
Well, the assumption is a 3 or 5 strikes and your account is locked. With 5 different questions and >10 options, the chance a hacker got it right within the limit is slim.

Then again, I prefer self-filled answers so it's not predictable. Like triangle.
PTahCha is offline  
Old Feb 12, 16, 9:42 am
  #37  
 
Join Date: Apr 2004
Posts: 126
Originally Posted by ndhapple:
Hah! Same.

Also, pre-filling in the security questions defeats the purpose of having a security question, as it literally provides a set of answers hackers can simply troll through until they get the answer right. So congrats to United IT for another hair-brained, poorly implemented idea.
It seems as if they make you fill in your answers to protect against banking trojans that record keystrokes. I bet there are more improvements coming in the future.
mreplus is offline  
Old Feb 12, 16, 9:56 am
  #38  
A FlyerTalk Posting Legend
 
Join Date: Apr 2013
Location: PHX/SFO
Programs: AA EXP; AS 75K; WN A List; UA 1K 1MM; Hyatt Globalist; Marriott AMB; Hilton Diamond (Aspire)
Posts: 52,182
Originally Posted by mreplus:
I bet there are more improvements coming in the future.
*shudder*
Kacee is offline  
Old Feb 12, 16, 10:18 am
  #39  
 
Join Date: Jun 2006
Location: Denver, CO
Posts: 326
I thought this as well, especially with the "Your Favorite Vacation" question. Don't think they won't be feeding this into a Big Data farm somewhere for future analysis.
Another problem with these dumb questions (such as "What was your high school") is that a hacker or social engineer can easily parse through unlocked social media accounts to find the answers. If I recall it happened to a celebrity a few years back, whose dog name and other answers were easily found.

If I'm attempting to find one's "favorite vacation" all I need to do is look at their Facebook and see multiple pictures of Hawaii or whatever.

I use a completely unrelated answer for these. If I need unique answers I format it as such:

SCHOOL XXX XXX XXX
DOGNAME XXX XXX XXX

Plus, I have a lot of favorite foods.
jamesdenver is offline  
Old Feb 12, 16, 10:30 am
  #40  
 
Join Date: Dec 2002
Location: Washington, D.C.
Programs: UA Premier 1K: PlAAtinum; DL SM, MM; Marriott Gold; CO Plat Emeritus; NW Plat Emeritus
Posts: 4,765
Went through the annoying process and now I can't log in. Using the correct password, it just goes back to the sign in screen.

Another A+ job from United IT.

Last edited by goalie; Feb 12, 16 at 2:40 pm Reason: Removed symbols hiding profanity
Alpha Golf is offline  
Old Feb 12, 16, 10:32 am
  #41  
Marriott Contributor Badge
 
Join Date: Feb 2014
Posts: 396
Originally Posted by jamesdenver:
Another problem with these dumb questions (such as "What was your high school") is that a hacker or social engineer can easily parse through unlocked social media accounts to find the answers. If I recall it happened to a celebrity a few years back, whose dog name and other answers were easily found.
That was actually Sarah Palin: https://en.wikipedia.org/wiki/Sarah_Palin_email_hack

United has made it even easier though by restricting the answer pool to a very finite number of pre-set answers. Usually, there's a text field where you can type anything, e.g. for "Favorite animal" you could choose to simply enter another password, a bunch of numbers, or at least obscure your dog's name a little (e.g. w_Ald0.)

Here, there's less than two dozen possible answers for each category. This doesn't really add much in terms of security.

Having said that, I'm happy to see the 4 digit PIN go.
itsMoe is offline  
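
The lockout arithmetic argued over in posts #36 and #41, worked through as an added example (not written by any poster and not United's code). It estimates the chance that a guesser passes drop-down security questions before lockout, both when every menu answer is equally likely and when a few answers are much more popular. The menu sizes and strike limits echo figures quoted in the thread; the number of questions asked per challenge and the Zipf-style popularity skew are assumptions.

```python
import math

def answer_weights(k, skew=0.0):
    """Popularity of k menu answers: skew=0 is uniform, skew=1 is Zipf-like
    (constructed model; real answer popularity is not given in the thread)."""
    raw = [1 / (rank ** skew) for rank in range(1, k + 1)]
    total = sum(raw)
    return [w / total for w in raw]

def guess_success(probs, strikes, questions_asked=1):
    """Probability that a guesser who submits the `strikes` most likely answer
    combinations passes a challenge of `questions_asked` menu questions."""
    best = [1.0]
    for _ in range(questions_asked):
        # Keep only the `strikes` most likely partial combinations; any
        # top-`strikes` full combination extends one of these.
        best = sorted((c * p for c in best for p in probs), reverse=True)[:strikes]
    return sum(best)

def min_entropy_bits(probs, questions_asked=1):
    """Bits of min-entropy: how hard the single most likely answer set is to hit."""
    return -questions_asked * math.log2(max(probs))

if __name__ == "__main__":
    # Constructed scenarios: menu sizes and strike limits follow the thread's
    # ">10 options", "less than two dozen" and "3 or 5 strikes".
    for k in (11, 23):
        for strikes in (3, 5):
            for asked in (1, 2):
                for skew in (0.0, 1.0):
                    p = guess_success(answer_weights(k, skew), strikes, asked)
                    print(f"options={k:2d} strikes={strikes} asked={asked} "
                          f"skew={skew}: P(pass before lockout)={p:.4f}")
    # A random 12-character answer typed into a free-text field (a-z, 0-9).
    print(f"menu of 23, 2 questions: {min_entropy_bits(answer_weights(23), 2):.1f} bits; "
          f"free text: {12 * math.log2(36):.1f} bits")
```
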
Old Feb 12, 16, 11:00 am
  #42  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: Blair and Brown's Broken Britain
Programs: 1K, *G for "life", Global Entry, Hertz PC, and my wallet
Posts: 19,616
Press the "Update Later" button until there are no more "Update Later" buttons left!
Silver Fox is offline  
Old Feb 12, 16, 11:00 am
  #43  
 
Join Date: Dec 2007
Location: Now:AUS (again); Previous: LGA/EWR (BLKYN, missing JFK), AUS, SAT
Programs: Current: UA-Silver, Former AA Plat, DL Silver
Posts: 593
Originally Posted by PTahCha:
They didn't include triangle as an option for my favorite musical instrument.

Well, the assumption is a 3 or 5 strikes and your account is locked. With 5 different questions and >10 options, the chance a hacker got it right within the limit is slim.

Then again, I prefer self-filled answers so it's not predictable. Like triangle.
You'd hope. But then again, we're talking about United IT.

The thing that scares me is that you could find the answers to most of those questions they posed simply by trolling someone's Facebook page. And a pull-down menu means that there are no variables in the answers you provide. I wish UA would implement some form of two factor authentication but I'll probably be dead before that ever happens.
ndhapple is offline  
Old Feb 12, 16, 11:24 am
  #44  
 
Join Date: Mar 2012
Programs: Mileage Plus 1K; Marriott Platinum; Hilton Gold
Posts: 6,354
I feel bad for those of you who fell into this latest cluster. I'm lucky in that I just got back from a trip this week and don't have another one until March. But I'd hate to be in Delhi or Melbourne with a flight that goes MX and be locked out of my account because of this.

Could UA Insider please take the time to let us know whether this security upgrade could be turned off for another month or two while it is debugged - kind of like the new web site's rollout?

United may still be a bumbling, stumbling, organization, but if their new leadership team is on the ball they will at least come up with effective remedies and workarounds for such problems.

It seems to me like the best option at this point is to stop the insanity of locking people out of their accounts in the name of security and then return to this initiative after some more programming and debugging work. @:-)
transportprof is offline  
Old Feb 12, 16, 11:29 am
  #45  
 
Join Date: Mar 2008
Location: New York
Programs: UA GS, Hilton Diamond, Marriott Gold
Posts: 2,420
These questions are incredibly dumb. I actually had trouble coming up with 5 of them that I knew were strong enough preferences that I'd remember them 2 years from now when I forget my password.

I also swear they're different in the app vs online, or maybe they've already changed some of them. Last night I distinctly recall one of the questions being "What color was the house you grew up in" and the one mentioned in this thread about the first major city you visited, but when I go to manage profile I see neither of these.
villox is offline  
