Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

UA initiates Account Security Update (Security Q&A authentication added 2016)

UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Aug 22, 16, 8:37 pm
  #481  
 
Join Date: Sep 1999
Location: SF Bay Area
Programs: UA 1K MM, Accor Plat, Htz PC, Natl ExEm, other random status
Posts: 2,875
Originally Posted by ssh View Post
Why not just jump on the Google authenticator bandwagon and be done with it?
Totally agree - UA management would never make a strategically incompetent decision just to save some money on license fees...cough...SHARES...cough...
greg99 is offline  
Old Aug 22, 16, 8:52 pm
  #482  
 
Join Date: Jun 2007
Location: YVR SFO EOF
Programs: UA 1K, VX S
Posts: 4,864
Originally Posted by WineCountryUA View Post
Does it work in China?

How are remote locations in the world handled?
Yes. Google Authenticator is totally offline with no Internet or cellular connection needed. Since it's implementing an open standard (TOTP), there exist clients even for countries that don't have access to the Google Play or Apple iTunes store.

Originally Posted by greg99 View Post
Totally agree - UA management would never make a strategically incompetent decision just to save some money on license fees...cough...SHARES...cough...
It's a free and open standard. There's no license cost to use, implement, or maintain. UA chose not to do it.
unavaca is offline  
Old Aug 22, 16, 8:55 pm
  #483  
ssh
 
Join Date: Jun 2007
Location: Boulder, Colorado
Programs: UA 1K (MM), MR Plat Prem, Hertz Pres
Posts: 1,164
Originally Posted by unavaca View Post
It's a free and open standard. There's no license cost to use, implement, or maintain. UA chose not to do it.
Or, perhaps more likely, didn't know about it or didn't pursue the option. Using it with 1password makes my life infinitely easier for many parts of the Internet, but, unfortunately, United followed the path of many weak financial authentication approaches and didn't go with 2 factors. Frankly, it's ridiculous. If consultants did this, demand the fees back. If internal staff, get more knowledgeable security staff.
ssh is offline  
Old Aug 23, 16, 6:12 pm
  #484  
 
Join Date: Jun 2009
Location: LAX
Programs: UA 1K/MM, Marriott Gold
Posts: 132
I just need to vent about the stupidity of these United "security" questions. For some reason my phone logged me out and then when asked what flavor ice cream I like I chose Peanut Butter Chocolate. Who knows what I chose 6 months ago?? This is the only website that I can think of that thinks this method of security questions is effective. Then it took me 3 tries to get a reset email as the first expired, the second was all wonky and then 3rd time's the charm. Ask me what street I grew up on not a question that is going to change depending on my mood or the time of year.
elynchking is offline  
Old Aug 24, 16, 11:01 am
  #485  
 
Join Date: Aug 2013
Programs: UA 1K
Posts: 47
Brian Krebs, an IT security reporter and expert, with a piece on this here:

http://krebsonsecurity.com/2016/08/u...r-on-security/

Critical, especially on keylogger defense, because form-grabbers are bundled as part of those malware kits too. But concedes the alternatives create other problems. Nevertheless, a bit more understanding than I would've thought.
PanAmOneTwo is offline  
Old Aug 24, 16, 12:37 pm
  #486  
 
Join Date: May 2012
Location: ORF, RIC
Programs: UA LT 1K, 3 MM; Marriott Titanium; IHG Platinum
Posts: 6,119
Originally Posted by elynchking View Post
I just need to vent about the stupidity of these United "security" questions. For some reason my phone logged me out and then when asked what flavor ice cream I like I chose Peanut Butter Chocolate. Who knows what I chose 6 months ago?? This is the only website that I can think of that thinks this method of security questions is effective. Then it took me 3 tries to get a reset email as the first expired, the second was all wonky and then 3rd time's the charm. Ask me what street I grew up on not a question that is going to change depending on my mood or the time of year.
This is much better than interacting with an agent on phone. I could not give a chosen answer to a question that this agent read to me. The agent just did not want to help me, for example, by choosing another question. I just hanged up and went to website to complete the RPU request myself.

Good job, United.
Kmxu is offline  
Old Aug 28, 16, 4:19 pm
  #487  
ssh
 
Join Date: Jun 2007
Location: Boulder, Colorado
Programs: UA 1K (MM), MR Plat Prem, Hertz Pres
Posts: 1,164
Is the website ever going to remember that I have "updated my security" and don't need to see the blasted banner or calls to update? ARGH!
ssh is offline  
Old Aug 28, 16, 4:53 pm
  #488  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: Blair and Brown's Broken Britain
Programs: Lifetime Gold, Global Entry, Hertz PC, and my wallet
Posts: 19,751
No. Can we have a harder question next time please?
Silver Fox is offline  
Old Aug 28, 16, 5:00 pm
  #489  
FlyerTalk Evangelist
 
Join Date: Mar 2014
Location: 4me
Posts: 10,858
Originally Posted by Silver Fox View Post
No. Can we have a harder question next time please?
How much security is really needed for a FFP account?
TomMM is online now  
Old Aug 28, 16, 5:24 pm
  #490  
FlyerTalk Evangelist
 
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,813
Originally Posted by PanAmOneTwo View Post
Brian Krebs, an IT security reporter and expert, with a piece on this here...
Something for the naysayers to at least consider...

At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers, Vaughn said. We have to start with something that is universally available to our customers. We cant sent a text message to you when youre on an airplane or out of the country, we cant rely on all of our customers to have a smart phone, and we didnt feel it would be a great use of our customers time to send them in the mail 93 million secure ID tokens. We felt a powerful onus to do something, and the something we implemented we feel improves security greatly, especially for non-technical savvy customers.

Arlan McMillan, Uniteds chief information security officer, said the basic system that the company has just rolled out is built to accommodate additional security features going forward. McMillan said United has discussed rolling out some type of app-based time-based one-time password (TOTP) systems (Google Authenticator is one popular TOTP example).

It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to, McMillan said. We set the minimum bar here, and we think thats a higher bar than youre going to find at most of our competitors. And were going to do more, but we had to get this far first.
Bonehead is offline  
Old Aug 28, 16, 6:20 pm
  #491  
ssh
 
Join Date: Jun 2007
Location: Boulder, Colorado
Programs: UA 1K (MM), MR Plat Prem, Hertz Pres
Posts: 1,164
Originally Posted by Silver Fox View Post
No. Can we have a harder question next time please?
Ok, ok. I'll try harder next time!
ssh is offline  
Old Aug 28, 16, 7:21 pm
  #492  
 
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Plat Premier (+AMB); Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 9,234
Interesting that I just saw some info from the Social Security Administration that they are temporarily rolling back the requirement to use OTP to access account. It was only sent via SMS.

Quote from an email:
However, multifactor authentication inconvenienced or restricted access to some of our account holders. Were listening to your concerns and are responding by temporarily rolling back this mandate
I think I already mentioned up-thread, but when my credit union went to OTP, it caused big problems for me as they only had SMS option. With multiple phone numbers and SIM cards, it wasn't acceptable to me. After much escalation, I finally got them to activate the option to have the OTP sent via email.

Balance between convenience and security.
goodeats21 is offline  
Old Aug 28, 16, 7:27 pm
  #493  
 
Join Date: Sep 2009
Location: iad/dca
Programs: UA Million Mile Gold, Club, AA, Delta, Marriott, Hertz G, A/Club
Posts: 1,106
AA has adopted a similar security regime.

Tried log onto AA today and got hit with the same security question regime.
iquitos is offline  
Old Aug 28, 16, 10:16 pm
  #494  
ssh
 
Join Date: Jun 2007
Location: Boulder, Colorado
Programs: UA 1K (MM), MR Plat Prem, Hertz Pres
Posts: 1,164
NIST has said that SMS isn't a secure method to deliver OTP. For anyone who carries a moderately current smart device, OTP software is readily available. This should be the primary method for people who carry such a device. Heck, United could even do it through the United app!
ssh is offline  
Old Aug 29, 16, 2:37 am
  #495  
 
Join Date: May 2010
Location: AVP & PEK
Programs: UA 1K 1.7MM, AVIS PC
Posts: 4,976
Originally Posted by Kmxu View Post
This is much better than interacting with an agent on phone. I could not give a chosen answer to a question that this agent read to me.(
Wait. The phone agents ask these questions also? Well, do they at least offer the choices?
narvik is online now  

Thread Tools
Search this Thread