UA initiates Account Security Update (Security Q&A authentication added 2016)
#526
FlyerTalk Evangelist
Join Date: Apr 2009
Location: Blair and Brown's Broken Britain
Programs: Lifetime Gold, Global Entry, Hertz PC, and my wallet
Posts: 19,853
#527
Join Date: Dec 2011
Programs: UA 1K, Marriott Plat, Avis First, Hertz PC
Posts: 575
The more pieces of information required, and the more secret they are (it is debatable if security questions are secret as they can be socially engineered), the smaller the chance of getting hacked.
However one disturbing trend in IT is to use the security questions as a method for changing/resetting a password. In this way an account becomes far LESS secure than a username/PW account since the questions are easy to guess or brute force with a dictionary. If a hacker has already taken over an email account (sometimes via guessing such weak questions), it opens the door to accessing many more accounts.
Personally I steer all my clients toward anomaly/outlier detection systems. It takes highly paid experts to set up and train, but in the end is much more effective than 2FA, esp. with minimizing the maximum losses from fraud. Personally I think questions like "What city did you attend high school?" are a 2000s anachronism, but some companies, like airlines, are still living in the 1990s.
#528
FlyerTalk Evangelist
Join Date: May 2001
Posts: 10,776
It is a little ridiculous an airline, out of all people, can't understand people might travel out of the country

#529
Join Date: Jan 2010
Location: EWR, NJ
Programs: UA 2 MM, UA 1K
Posts: 662
Have been reading and following this thread and just had my first problem. Just got asked questions today when using the desktop that I use all the time to access their site. About 2 months ago I redid my questions. I took a snapshot just in case. One of the questions I was asked today was not on the list (and interestingly it was one I was asked on the phone and I wasn't sure what to answer so I gave her the answer to one of the others and she accepted that). I don't think it was one of the questions on my original list, but maybe... So they asked me another question (ice cream). I was given a list of choices that did not include the selection I made from when I reset the questions and took the screen shot. Maybe it was the choice I made the first time. I had been asked about ice cream when I first used my iPad and the same thing happened (my choice was not listed) so I picked that alternate flavor and it took it. What a system...
Had to call in and talk to agent about something and mentioned this problem. If you use "remember me" it apparently doesn't reset the questions and answers. It is my original questions and answers that it sees, not the ones I reset a month ago. I cleared cookies yesterday and that is why I had to re-ID myself on my desktop. Agent had me go in to reset my questions and I had a mostly different list of questions, majority of which I could never have an answer to (musical instrument I play). So the questions change from person to person, and the list of answers they see to check your answer against is a small subset of the full list. She read them to me for the pizza question for me to guess what I had chosen...
Last edited by dogloverjb; Sep 12, 16 at 10:36 am Reason: new info added
#530
Join Date: Mar 2012
Programs: Mileage Plus 1K; Marriott Platinum; Hilton Gold
Posts: 6,354
Had a new experience using the 2 factor authentication today. Because of my computer security settings, I have to answer questions every time I log in, as there are never cookies for UA to remember my machine by. I've gotten used to answering the two questions, but today, I went to a third screen that asked me to answer one more question for additional security.
Anyone else encounter multiple pages of security questions recently?
#531
Moderator: United Airlines; FlyerTalk Evangelist
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,091
#532
Moderator: United Airlines; FlyerTalk Evangelist
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,091
Protect Your Frequent-Flier Miles From Theft (WSJ article -- behind their paywall, but an internet search may give you access)
....
Thieves stole miles from thousands of accounts last year, including those belonging to United and American customers, after obtaining passwords from a chat-room site and using the same passwords to get into mileage accounts.
...."It’s always going to be a cat-and-mouse game," says Arlan McMillan, United’s chief information security officer.
Bloggers complained United labeled its new security as two-factor authentication when the new requirements don’t have a second-device backstop check. Mr. McMillan says United’s protocol doesn't satisfy a strict definition of two-factor authentication, but the airline used the term as shorthand for added login requirements. He says United is looking at implementing something closer to what’s more widely regarded as two-factor verification.
#534
FlyerTalk Evangelist
Join Date: May 2001
Posts: 10,776
It seems while I was overseas, the default country on top of the screen changes to where I was, not where I am based. Then that might have triggered the prompting of the security question.
It caused me psychological damage when it kept asking me what my least favorite class was in high school

#535
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.034MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 51,454
#537
Join Date: Jan 2010
Posts: 5

Hi everyone,
We’ve been monitoring this thread and taking your feedback into account and have made some quick changes to fix issues you have identified. We also want to use this as an opportunity to answer some of the common questions we have seen on this thread. If you have any other questions, please let us know and we will work with our IT Security team to address them where possible.
"Why can't I type my own answer?"
-At the beginning of our effort we conducted a great deal of research into the security issues our customers face. We found that the vast majority of security issues that customers have with their accounts can be traced to computer viruses that record your typing.
-We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.
-Not all customers are asked the same questions, and not all customers receive the same potential answers to each question. This randomization is on purpose and designed for your safety and security.
<<snips>>
Thank you,
-UA Insider
The current system of security questions borders on the highly unfriendly (most do not have choices that can be remembered) to highly unsecure (users likely to forget when they are forced to select answers that are not true but had to choose one to proceed). Please scrap this immediately!
Thanks
#538
Join Date: Oct 2013
Posts: 87
Keep dreaming!
They've spent money on this ill-conceived design, even if done with the best intentions (someone probably got a promotion out of that). And now, nobody is willing to admit the problem.
PS. And I was surprised to find that someone from UA has even responded to this thread. (It suggests that they are not that evil... maybe just incompetent.) But evidently, nothing has changed since February.

#539
FlyerTalk Evangelist
Join Date: Apr 2009
Location: Blair and Brown's Broken Britain
Programs: Lifetime Gold, Global Entry, Hertz PC, and my wallet
Posts: 19,853
I just had to have my laptop re-imaged and it has just dawned on me that I have not been prompted for the security questions. That seems odd to me given that updates to the browser in the past have caused it. Anyway, I am not complaining.
#540
Join Date: Jan 2016
Location: CLE (mostly)
Programs: UA Plat, Hyatt Explorist, Mlife Gold, Starbucks Gold
Posts: 822
The pre-populated answers are annoying...
"During what month did you first meet your spouse or significant other?"
When answering the question, the months are not in chronological (or even alphabetical!) order, and February and July aren't a listed option!