
UA initiates Account Security Update (Security Q&A authentication added 2016)


Old Sep 7, 16, 2:26 pm
  #526  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: Blair and Brown's Broken Britain
Programs: Lifetime Gold, Global Entry, Hertz PC, and my wallet
Posts: 19,853
Originally Posted by milepig
Hmmm. Much of the problem I was having was indeed while overseas. This, of course, assumes that UA IT has the ability to set up a system that tracks where you are, geographically. That may be a stretch.
For UA it probably is, for others not so.
Silver Fox is offline  
Old Sep 7, 16, 4:41 pm
  #527  
 
Join Date: Dec 2011
Programs: UA 1K, Marriott Plat, Avis First, Hertz PC
Posts: 575
The more pieces of information required, and the more secret they are (it is debatable if security questions are secret as they can be socially engineered), the smaller the chance of getting hacked.

However one disturbing trend in IT is to use the security questions as a method for changing/resetting a password. In this way an account becomes far LESS secure than a username/PW account since the questions are easy to guess or brute force with a dictionary. If a hacker has already taken over an email account (sometimes via guessing such weak questions), it opens the door to accessing many more accounts.

Personally I steer all my clients toward anomaly/outlier detection systems. It takes highly paid experts to set up and train, but in the end is much more effective than 2FA, esp. with minimizing the maximum losses from fraud. Personally I think questions like "What city did you attend high school?" are a 2000s anachronism, but some companies, like airlines, are still living in the 1990s.
johnden is offline  
Old Sep 7, 16, 7:59 pm
  #528  
FlyerTalk Evangelist
 
Join Date: May 2001
Posts: 10,776
Originally Posted by milepig
Hmmm. Much of the problem I was having was indeed while overseas. This, of course, assumes that UA IT has the ability to set up a system that tracks where you are, geographically. That may be a stretch.
Then some people might feel Big Brother is watching.

It is a little ridiculous an airline, out of all people, can't understand people might travel out of the country
username is offline  
Old Sep 12, 16, 9:59 am
  #529  
 
Join Date: Jan 2010
Location: EWR, NJ
Programs: UA 2 MM, UA 1K
Posts: 662
Have been reading and following this thread and just had my first problem. Just got asked questions today when using the desktop that I use all the time to access their site. About 2 months ago I redid my questions. I took a snapshot just in case. One of the questions I was asked today was not on the list (and interestingly it was one I was asked on the phone and I wasn't sure what to answer so I gave her the answer to one of the others and she accepted that). I don't think it was one of the questions on my original list, but maybe... So they asked me another question (ice cream). I was given a list of choices that did not include the selection I made from when I reset the questions and took the screen shot. Maybe it was the choice I made the first time. I had been asked about ice cream when I first used my iPad and the same thing happened (my choice was not listed) so I picked that alternate flavor and it took it. What a system...

Had to call in and talk to agent about something and mentioned this problem. If you use "remember me" it apparently doesn't reset the questions and answers. It is my original questions and answers that it sees, not the ones I reset a month ago. I cleared cookies yesterday and that is why I had to re-ID myself on my desktop. Agent had me go in to reset my questions and I had a mostly different list of questions, majority of which I could never have an answer to (musical instrument I play). So the questions change from person to person, and the list of answers they see to check your answer against is a small subset of the full list. She read them to me for the pizza question for me to guess what I had chosen...

Last edited by dogloverjb; Sep 12, 16 at 10:36 am Reason: new info added
dogloverjb is offline  
Old Sep 17, 16, 10:22 am
  #530  
 
Join Date: Mar 2012
Programs: Mileage Plus 1K; Marriott Platinum; Hilton Gold
Posts: 6,354
Had a new experience using the 2 factor authentication today. Because of my computer security settings, I have to answer questions every time I log in, as there are never cookies for UA to remember my machine by. I've gotten used to answering the two questions, but today, I went to a third screen that asked me to answer one more question for additional security.

Anyone else encounter multiple pages of security questions recently?
transportprof is offline  
Old Sep 17, 16, 12:32 pm
  #531  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,091
Originally Posted by transportprof
Had a new experience using the 2 factor authentication today. Because of my computer security settings, I have to answer questions every time I log in, as there are never cookies for UA to remember my machine by. I've gotten used to answering the two questions, but today, I went to a third screen that asked me to answer one more question for additional security.

Anyone else encounter multiple pages of security questions recently?
Occurred to me on the first day and a couple of times since. On the first day it may have been due to a mis-entry and the need to reset the account. The other cases were "related" (related may have been a coincidence) to adding another device.
WineCountryUA is offline  
Old Sep 25, 16, 11:43 am
  #532  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,091
Protect Your Frequent-Flier Miles From Theft (WSJ article -- behind their paywall, but an internet search may give you access)
Thieves stole miles from thousands of accounts last year, including those belonging to United and American customers, after obtaining passwords from a chat-room site and using the same passwords to get into mileage accounts.

...."It's always going to be a cat-and-mouse game," says Arlan McMillan, United's chief information security officer.
....
Bloggers complained United labeled its new security as two-factor authentication when the new requirements don't have a second-device backstop check. Mr. McMillan says United's protocol doesn't satisfy a strict definition of two-factor authentication, but the airline used the term as shorthand for added login requirements. He says United is looking at implementing something closer to what's more widely regarded as two-factor verification.
WineCountryUA is offline  
Old Sep 25, 16, 11:55 am
  #533  
FlyerTalk Evangelist
 
Join Date: Jul 2008
Location: IAH
Programs: DL DM, AC 50K, Hyatt Ist-iest, Starriot Platinum, Hilton Diamond
Posts: 12,230
It's a miracle! I actually remembered the answers to my questions today when logging in under a different computer.
krazykanuck is offline  
Old Sep 25, 16, 4:18 pm
  #534  
FlyerTalk Evangelist
 
Join Date: May 2001
Posts: 10,776
It seems while I was overseas, the default country on top of the screen changes to where I was, not where I am based. Then that might have triggered the prompting of the security question.

It caused me psychological damage when it kept asking me what my least favorite class was in high school
username is offline  
Old Sep 25, 16, 4:19 pm
  #535  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.034MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 51,454
Originally Posted by username
It caused me psychological damage when it kept asking me what my least favorite class was in high school
At least it didn't ask you to take the final exam for that class to log in...
mahasamatman is offline  
Old Sep 25, 16, 4:45 pm
  #536  
 
Join Date: Feb 2012
Programs: UA 1K
Posts: 158
Whoever came up with those security questions needs to be fired
piemel is offline  
Old Sep 26, 16, 6:39 pm
  #537  
 
Join Date: Jan 2010
Posts: 5
Thumbs down

Originally Posted by UA Insider
Hi everyone,

We’ve been monitoring this thread and taking your feedback into account and have made some quick changes to fix issues you have identified. We also want to use this as an opportunity to answer some of the common questions we have seen on this thread. If you have any other questions, please let us know and we will work with our IT Security team to address them where possible.

"Why can't I type my own answer?"
-At the beginning of our effort we conducted a great deal of research into the security issues our customers face. We found that the vast majority of security issues that customers have with their accounts can be traced to computer viruses that record your typing.
-We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.
-Not all customers are asked the same questions, and not all customers receive the same potential answers to each question. This randomization is on purpose and designed for your safety and security.

<<snips>>

Thank you,

-UA Insider
You have not adequately reasoned for the question "Why can't I type my own answer?" because if you are concerned about keyloggers, just provide a virtual keyboard that many banking sites offer where one just clicks instead of typing so keyloggers are easily defeated.

The current system of security questions borders on the highly unfriendly (most do not have choices that can be remembered) to highly unsecure (users likely to forget when they are forced to select answers that are not true but had to choose one to proceed). Please scrap this immediately!

Thanks
ennemm is offline  
Old Sep 26, 16, 9:03 pm
  #538  
 
Join Date: Oct 2013
Posts: 87
Originally Posted by ennemm
Please scrap this immediately!
Keep dreaming! They've spent money on this ill-conceived design, even if done with the best intentions (someone probably got a promotion out of that). And now, nobody is willing to admit the problem.

PS. And I was surprised to find that someone from UA has even responded to this thread. (It suggests that they are not that evil... maybe just incompetent.) But evidently, nothing has changed since February.
1StRanger is offline  
Old Sep 27, 16, 12:59 am
  #539  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: Blair and Brown's Broken Britain
Programs: Lifetime Gold, Global Entry, Hertz PC, and my wallet
Posts: 19,853
I just had to have my laptop re-imaged and it has just dawned on me that I have not been prompted for the security questions. That seems odd to me given that updates to the browser in the past have caused it. Anyway, I am not complaining.
Silver Fox is offline  
Old Oct 30, 16, 7:00 am
  #540  
 
Join Date: Jan 2016
Location: CLE (mostly)
Programs: UA Plat, Hyatt Explorist, Mlife Gold, Starbucks Gold
Posts: 822
The pre-populated answers are annoying...

"During what month did you first meet your spouse or significant other?"

When answering the question, the months are not in chronological (or even alphabetical!) order, and February and July aren't a listed option!
Wooglin is offline  
