Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

UA initiates Account Security Update (Security Q&A authentication added 2016)

UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Feb 13, 2016, 4:58 pm
  #121  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,712
Originally Posted by findark
Assuming it's like most other security-question based authentication systems, you also need access to the email account in question in order to gain unauthorized access to the account.
Nope, you don't. Answer the two questions right and you can pick a new password right there in the browser.

It's that bad.
raehl311 is offline  
Old Feb 13, 2016, 5:00 pm
  #122  
 
Join Date: Mar 2012
Location: IAD
Programs: UA GS, 1MM; Marriott Lifetime Titanium Elite
Posts: 561
I just went to the site, always log on with MP# and password, which does nothing and returns to the home screen.

fricking amateur hour.

anyone figure out the solution?


I just chose 'forgot' password, and reset and i am in now.
fivevsone is offline  
Old Feb 13, 2016, 5:07 pm
  #123  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,712
They do appear to lock your account after ONE failed password reset attempt.

Which while mitigating the obscene stupidity of the whole thing, just means when you forget what your "favorite kind of movie" was 5 years ago you have to call in to reset your password.

On top of that, they don't just lock your account against changing passwords, they LOCK YOUR ACCOUNT ENTIRELY. Can't log in AT ALL unless you call them.

So if someone else tries to reset your password, you can't log into your account at all until you call them.



This all is so phenomonally stupid that whoever was in charge of this really, really, really needs to be fired.
raehl311 is offline  
Old Feb 13, 2016, 5:09 pm
  #124  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,712
Originally Posted by fivevsone
I just went to the site, always log on with MP# and password, which does nothing and returns to the home screen.

fricking amateur hour.

anyone figure out the solution?


I just chose 'forgot' password, and reset and i am in now.


After checking what happens when you put in a wrong answer to the security questions, I got an email saying my account was locked from any logins at all until I call 1-800-421-4655.

So those of you who can't get into your account might try calling that number.

Has to be between 7 AM and Midnight central.
raehl311 is offline  
Old Feb 13, 2016, 5:10 pm
  #125  
Dub
 
Join Date: Sep 2000
Location: Boston
Programs: UA 1K, 2MM
Posts: 956
Originally Posted by raehl311
They do appear to lock your account after ONE failed password reset attempt.

Which while mitigating the obscene stupidity of the whole thing, just means when you forget what your "favorite kind of movie" was 5 years ago you have to call in to reset your password.

On top of that, they don't just lock your account against changing passwords, they LOCK YOUR ACCOUNT ENTIRELY. Can't log in AT ALL unless you call them.

So if someone else tries to reset your password, you can't log into your account at all until you call them.



This all is so phenomonally stupid that whoever was in charge of this really, really, really needs to be fired.
You are kidding! I have to call them??? This is insane!
Dub is offline  
Old Feb 13, 2016, 5:13 pm
  #126  
 
Join Date: Mar 2012
Location: IAD
Programs: UA GS, 1MM; Marriott Lifetime Titanium Elite
Posts: 561
Originally Posted by fivevsone
I just went to the site, always log on with MP# and password, which does nothing and returns to the home screen.

fricking amateur hour.

anyone figure out the solution?


I just chose 'forgot' password, and reset and i am in now.


Upon logging out and trying to log back in with my new password, I am back to being stuck on the home page.

Glad i dont need to actually buy a ticket or something...

so incredibly STUPID
fivevsone is offline  
Old Feb 13, 2016, 5:13 pm
  #127  
 
Join Date: Oct 2004
Location: Anywhere but home
Programs: UA 1K/MM, DL GM/MM, HH Dia, PC Plat, MR Gold, ALL Sil,
Posts: 4,558
After the repeated loop of answering 2 "security" questions in Firefox, I tried IE and was able to answer a 3rd security question and then enter a new password. Looks like some compatibility issues with Firefox.
FlytheTail is offline  
Old Feb 13, 2016, 5:20 pm
  #128  
 
Join Date: Apr 2012
Location: ORD/EGE
Programs: UA GS/Global Entry
Posts: 191
Also cannot log in. Needed to book a ticket. Good thing AA flies the same route and I can log into my AA account!

What a joke this is. Get your act together UA IT. When was the last time you saw a reputable online business like Amazon mess up like this? Trick question: never!
UAGLOBAL is offline  
Old Feb 13, 2016, 5:31 pm
  #129  
 
Join Date: Sep 2005
Location: BOM-SIN-EWR
Programs: UA*G (1K again), Sixt Plat, *was*: SQ QPP01 & SK EBS/EBG, LH SEN, AA EXP, 9wPlat
Posts: 8,607
*And* to top it off, my javascript blocking one or more of their tracking websites:

doubleclick.net

ensighten.com

maxymiser.net

google-analytics.com

googleadservices.com


Makes my Firefox browser unusable when trying to price out itineraries while logged in now.

So, United is apparently datamining and wishes to track our personal browsers...
SuperFlyBoy is offline  
Old Feb 13, 2016, 7:03 pm
  #130  
 
Join Date: Apr 2008
Location: RDU
Posts: 5,306
Originally Posted by raehl311
This all is so phenomonally stupid that whoever was in charge of this really, really, really needs to be fired.
I work in IT and I agree. I think this change wasn't sufficiently tested. Some VP or Project Manager needs to be taken out to the woodshed.
zitsky is online now  
Old Feb 13, 2016, 7:06 pm
  #131  
 
Join Date: Aug 2012
Location: SLC
Programs: DL FO, KM, & 1.7MM; UA nothing; HH♦; National EE
Posts: 6,344
Originally Posted by zitsky
Some VP or Project Manager needs to be taken out to the woodshed.
Or the cowshed?
Howste is offline  
Old Feb 13, 2016, 7:33 pm
  #132  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,712
Originally Posted by zitsky
I work in IT and I agree. I think this change wasn't sufficiently tested. Some VP or Project Manager needs to be taken out to the woodshed.
Testing isn't the (only) problem.

The problem is the design is horrible, period. Even if they rolled it out and it worked exactly as it's been designed to, the following things would still be true:

- You have a 1 in 100 chance of gaining access to any Mileage Plus account you know the name and number to.
- To reset your password, you have to answer "security questions" with answers you had to select from drop-down lists, many of which are questions about your tastes. Like I'm going to remember 5 years from now what movie genre I thought I liked the most...
- If you fail your password reset ONCE, or if ANY OTHER PERSON tries to hack your account and fails, it doesn't just prevent your password from being changed, it LOCKS OUT YOUR ACCOUNT ENTIRELY until you call.


These are just plain bad design decisions. These bad decisions were made before any of the software was written. Someone had to come up with them and someone had to sign off on them.


The fact that that happened indicates absolute complete incompetence on the part of the parties responsible.
raehl311 is offline  
Old Feb 13, 2016, 8:59 pm
  #133  
 
Join Date: Mar 2012
Programs: Mileage Plus 1K; Marriott Platinum; Hilton Gold
Posts: 6,355
Originally Posted by raehl311
Testing isn't the (only) problem.

The problem is the design is horrible, period. Even if they rolled it out and it worked exactly as it's been designed to, the following things would still be true:
....


These are just plain bad design decisions. These bad decisions were made before any of the software was written. Someone had to come up with them and someone had to sign off on them.


The fact that that happened indicates absolute complete incompetence on the part of the parties responsible.
For the IT experts out there, I have two questions:

How likely is it that the design decisions on this cluster of a security enhancement were all signed off on during the Smisek regime?

How long and how much effort is needed to fix this mess?
transportprof is offline  
Old Feb 13, 2016, 9:10 pm
  #134  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,712
Originally Posted by transportprof
For the IT experts out there, I have two questions:

How likely is it that the design decisions on this cluster of a security enhancement were all signed off on during the Smisek regime?
Likely, but also not something that would have risen up to Smisek level review. This is really something that the IT department should make "just work" for the company, and your CTO (or United equivalent) is the person whose head should roll.

How long and how much effort is needed to fix this mess?
Now that they've made it live, a lot more effort. Even if they did it "right" and could just roll back the changes tomorrow, they still have to deal with a bunch of customers who now think they have passwords and security questions, which means whatever they do to fix it now has to have a migration path from both the original system and this "middle" system.

What they should do immediately is stop asking people to choose passwords and security questions. Then fire whoever was responsible for this. Then find whoever when this was first being discussed said it was a poor design and make them in charge and go back to the drawing board.

If they have competent in-house people who have just been being overruled by incompetent people, at least 6 months. If they need to go hire some people who are competent, a year.
raehl311 is offline  
Old Feb 13, 2016, 9:16 pm
  #135  
Suspended
 
Join Date: Sep 2014
Posts: 3,072
This is probably the busiest travel site on the internet and the thread is only four pages long, which suggests the problem is mostly isolated to a small percentage of users.
jsk1973 is offline  

Thread Tools
Search this Thread

Contact Us - Manage Preferences Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service -

This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.