24 Aug 16

United Airlines Sets Minimum Bar on Security

United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes — moving from a 4-digit PIN to a password and requiring customers to pick five different security questions and answers — may seem like a security playbook copied from Yahoo.com, circa 2009. Here’s a closer look at what’s changed in how United authenticates customers, and hopefully a bit of insight into what the nation’s fourth-largest airline is trying to accomplish with its new system.

United, like many other carriers, has long relied on a frequent flyer account number and a 4-digit personal identification number (PIN) for authenticating customers at its Web site. This has left customer accounts ripe for takeover by crooks who specialize in hacking and draining loyalty accounts for cash.

Earlier this year, however, United began debuting new authentication systems wherein customers are asked to pick a strong password and to choose from five sets of security questions and pre-selected answers. Customers may be asked to provide the answers to two of these questions if they are logging in from a device United has never seen associated with that account, trying to reset a password, or interacting with United via phone.

Some of the questions and answers United come up with.

Yes, you read that right: The answers are pre-selected as well as the questions. For example, to the question “During what month did you first meet your spouse or significant other,” users may select only from one of…you guessed it — 12 answers (January through December).

The list of answers to another security question, “What’s your favorite pizza topping,” had me momentarily thinking I was using a pull-down menu at Dominos.com — waffling between “pepperoni” and “mashed potato.” (Fun fact: If you were previously unaware that mashed potatoes qualify as an actual pizza topping, United has you covered with an answer to this bit of trivia in its Frequently Asked Questions page on the security changes.)

I recorded a short video of some of these rather unique questions and answers.

United said it opted for pre-defined questions and answers because the company has found “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”

This struck me as a dramatic oversimplification of the threat. I asked United why they stated this, given that any halfway decent piece of malware that is capable of keylogging is likely also doing what’s known as “form grabbing” — essentially snatching data submitted in forms — regardless of whether the victim types in this information or selects it from a pull-down menu.

Benjamin Vaughn, director of IT security intelligence at United, said the company was randomizing the questions to confound bot programs that seek to automate the submission of answers, and that security questions answered wrongly would be “locked” and not asked again. He added that multiple unsuccessful attempts at answering these questions could result in an account being locked, necessitating a call to customer service.
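To put the guessing risk of the scheme just described into numbers, here is an added example (not United's code) that models it: n questions with k-option answer lists, two questions per challenge, a wrongly answered question locked for good, and the account locked after a number of failed challenges. The question count, list size and attempt limit are assumptions; it also compares the result with guessing a 4-digit PIN under the same attempt budget.

```python
"""Exact odds that blind guessing passes a pre-selected-answer challenge.

Added example, not United's code. Assumptions: n_questions questions, each
with an answer list of k_answers options; a challenge asks two unlocked
questions at random; a wrong answer locks that question for good; the account
locks after max_attempts failed challenges; a correctly answered question may
be asked again, so the attacker remembers it.
"""
from fractions import Fraction
from functools import lru_cache
from itertools import combinations


def challenge_pass_probability(n_questions=5, k_answers=12, max_attempts=3,
                               per_challenge=2):
    """Probability that an attacker guessing uniformly passes before lockout."""

    @lru_cache(maxsize=None)
    def solve(locked, known, attempts_left):
        if attempts_left == 0:
            return Fraction(0)
        unlocked = [q for q in range(n_questions) if q not in locked]
        if len(unlocked) < per_challenge:
            return Fraction(0)  # assumption: too few questions left, treat as locked
        pairs = list(combinations(unlocked, per_challenge))
        total = Fraction(0)
        for pair in pairs:
            unknown = [q for q in pair if q not in known]
            # each unknown question is guessed right with probability 1/k
            for n_wrong in range(len(unknown) + 1):
                for wrong in combinations(unknown, n_wrong):
                    p = (Fraction(1, k_answers) ** (len(unknown) - n_wrong)
                         * Fraction(k_answers - 1, k_answers) ** n_wrong)
                    if n_wrong == 0:
                        total += p  # every question right: challenge passed
                        continue
                    new_locked = locked | frozenset(wrong)
                    new_known = known | (frozenset(unknown) - frozenset(wrong))
                    total += p * solve(new_locked, new_known, attempts_left - 1)
        return total / len(pairs)  # the challenge pair is chosen uniformly

    return solve(frozenset(), frozenset(), max_attempts)


def pin_pass_probability(max_attempts=3, digits=4):
    """Same attempt budget spent on distinct guesses of a numeric PIN."""
    return Fraction(max_attempts, 10 ** digits)


if __name__ == "__main__":
    for attempts in (1, 3, 5):
        q = challenge_pass_probability(max_attempts=attempts)
        pin = pin_pass_probability(max_attempts=attempts)
        print(f"{attempts} attempts: questions {float(q):.4%} vs PIN {float(pin):.4%}")
```

With the assumed parameters, three failed challenges before lockout already give a blind guesser a better chance than three guesses at a 4-digit PIN, which is the point about shrinking the answer space.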

United said it plans to use these same questions and answers — no longer passwords or PINs — to authenticate those who call in to the company’s customer service hotline. When I went to step through United’s new security system, I discovered my account was locked for some reason. A call to United customer service unlocked it in less than two minutes. All the agent asked me for was my frequent flyer number and my name.

(Incidentally, United still somewhat relies on “security through obscurity” to protect the secrecy of customer usernames by very seldom communicating the full frequent flyer number in written and digital communications with customers. I first pointed this out in my story about the data that can be gleaned from a United boarding pass barcode, because while the full frequent flyer number is masked with “x’s” on the boarding pass, the full number is stored on the pass’s barcode.)

Conventional wisdom dictates that what little additional value security questions add to the equation is nullified when the user is required to choose from a set of pre-selected answers. After all, the only sane and secure way to use secret questions if one must is to pick answers that are not only incorrect and/or irrelevant to the question, but that also can’t be guessed or gleaned by collecting facts about you from background checking sites or from your various social media presences online.

Google published some fascinating research last year that spoke to the efficacy and challenges of secret questions and answers, concluding that they are “neither secure nor reliable enough to be used as a standalone account recovery mechanism.”

Overall, the Google research team found the security answers are either somewhat secure or easy to remember—but rarely both. Put another way, easy answers aren’t secure, and hard answers aren’t as usable.

But wait, you say: United asks you to answer up to five security questions. So more security questions equals more layers for the bad guys to hack through, which equals more security, right? Well, not so fast, the Google security folks found.

“When users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark,” the researchers wrote. “The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.”

Vaughn said the beauty of United’s approach is that it uniquely addresses the problem identified by Google researchers — that so many people in the study had so much trouble remembering the answers — by providing users with a set of pre-selected answers from which to choose.

An infographic from Google's research study on secret questions. Source: Google.

The security team at United reached out a few weeks back to highlight the new security changes, and in a conversation this week they asked what I thought about their plan. I replied that if United is getting pushback from security experts and tech publications about its approach, that’s probably because security people are techies/nerds at heart, and techies/nerds want options and stuff. Or at least the ability to add, enable or disable certain security features.

But the reality today is that almost any security system designed for use by tens of millions of people who aren’t techies is always going to cater to the least sophisticated user on the planet — and that’s about where the level of security for that system is bound to stay for a while.

So I told the United people that I was somewhat despondent about this reality, mainly because I end up having little other choice but to fly United quite often.

“At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers,” Vaughn said. “We have to start with something that is universally available to our customers. We can’t send a text message to you when you’re on an airplane or out of the country, we can’t rely on all of our customers to have a smart phone, and we didn’t feel it would be a great use of our customers’ time to send them in the mail 93 million secure ID tokens. We felt a powerful onus to do something, and the something we implemented we feel improves security greatly, especially for non-technically savvy customers.”

Arlan McMillan, United’s chief information security officer, said the basic system that the company has just rolled out is built to accommodate additional security features going forward. McMillan said United has discussed rolling out some type of app-based time-based one-time password (TOTP) system (Google Authenticator is one popular TOTP example).

“It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to,” McMillan said. “We set the minimum bar here, and we think that’s a higher bar than you’re going to find at most of our competitors. And we’re going to do more, but we had to get this far first.”

Lest anyone accuse me of claiming that the thrust of this story is somehow newsy, allow me to recommend some related, earlier stories worth reading about United’s security changes:

TechCrunch: It’s Time to Publicly Shame United Airlines’ So-called Online Security

Slate: United Airlines Uses Multiple Choice Security Questions


52 comments

  1. Do they list clam chowder as a pizza topping?

  2. One of the security question choices should be “What is your favorite security paradox?” My answer would be “Usability vs. Security.”

    • cc @jdmurray It doesn’t have to be a question of security vs. usability. In fact, it’s actually the opposite! Secure systems need to be usable. If they’re not, people will use something else. Examples would be e-mail encryption, people need to understand PGP’s trust model or understand what a certificate is and why they need Comodo to issue one. Result: few people use end-to-end encryption for e-mail. Counterexample: TLS. It’s something people actually use. When they don’t use it, typically the provider (e.g. website operator) is blamed, and as they should be. Users shouldn’t need to think about such things. To perpetuate this meme that security impedes usability is not helping anyone, especially those of us who are trying to build more secure systems! Please stop. Also, if you are building a system and can’t figure out how to make it both secure and usable, don’t release your system until you have it sorted out. Instead, get it sorted, and then release an awesome product. The world could use more of them. Unless it’s another secure messaging platform. We already have too many, none of which are compatible with one another.

      • You just relegated about 30% of the population to use insecure communications. What do I mean? From the people who do not have the eyesight capabilities of a 10 year old, will now have to carry a mini computer in their pocket or purse, instead of useful phone.
        Personally, I like my 3g phone, it reaches towers that are out of sight in busy cities. Keeping me more connected. And no, not, for some message from an airlines, but, here is my question, would a keylogger defeat PGP?
        Why rail for something that a grandmother cannot use safely? Or grandpa, or do they not fly?

  3. Good grief! These security questions seem useless. My 1st pet’s name is rover and I forgot my gmail password. Please send it. Thanks.

    I have strong password type answers to these, and I use a password manager.

    Without this combination, security questions in general should be dropped.

    • I do the same thing, but I still find the security questions to be completely useless, and I hate that most places allow you to reset your password with them. Multiple layers of passwords is still “something you know.” I much prefer no security questions and “something you have” or “something you are” as the second factor.

  4. Thanks for covering. When I was forced to setup these questions on my last access to the site I got SUCH a headache.

  5. It was “newsy” enough for me! Great article Brian!

  6. Actually rather interesting because by not using “industry” standard security measures put liability directly on them. Granted, this was a few years ago.. Credit card companies were implementing directing MFA measures for security.. Wells Fargo reverted back from MFA to simple username and password because that was industry standard at the time.. any compromise even using MFA (i.e.. enter your username,, they return an image,, you provide description,, they ask for password).. Wasn’t considered standard at the time..

    It seems like UA is willing to take on that liability

  7. Why not just use two-factor authentication?

    Seems overly complex for the return, and they didn’t gain much security or usability.

    • Exactly. The worst answer is secret question answers I can’t create out of 1Password or other password manager to be what I want.

      Now, if they had ’12 answers or make your own’, okay.

  8. I absolutely hate these security questions. Any developer implementing these should be sent to jail.

    • There needs to almost be rules for website/login security where things are outlawed. Like ‘secret’ questions.

      • Number 2 on the OWASP Top 10 list is “Broken Authentication and Session Management”. In the description of this risk, “Credentials can be guessed or overwritten through weak account management functions” is mentioned.

        I’d say that includes any form of security questions for recovery…

  9. Why do they have to track user data anyways? Why can’t my travel be anonymous, at least to them (if not the TSA)?

    • Because their business model requires that tickets be nontransferable, and without tying a name to a ticket there is no way to prevent that. Airlines, it has been said, loved the post-9/11 requirement to show ID to get on a plane because it prevented resale of cheap tickets to last-minute travelers.

  10. Every time I have to wade through ‘secret’ questions, I have to make notes, and then transcribe those notes into 1Password.

    Then I *hate* the more-frequent sites now that are using them EVERY time when you login. What’s the point of a good password, etc., when you have look up answers because their ‘added’ security is so bad (like stupid questions such as what month did you meet spouse (um, perhaps which one…)).

    I agree, it does give one a headache.

  11. Had to add another comment, remembering the sub-thread about using ‘Google’ Authenticate. I would recommend NOT EVER using this one TOTP generator. There is a screaming thread going on over at Google Support because there is recently NO way to migrate your data to a new phone/device.

    It used to be so, it existed, there is doc for it. It no longer exists. So, you set up a dozen or many more accounts, want to move it to a new phone, and you are in trouble.

    I got a bit down that road, and moved everything to 1Password, so I don’t need to deal with Google’s idiocy.

  12. It’s just like that old adage says:

    “Fast, cheap, good – pick any two.”

    Although, with pizza, I have found it can actually be all three.

    Great article, Brian – thanks!

  13. The most important feature is account locking for multiple unsuccessful login attempts. But they need to do a better job of unlocking than the example in this article (frequent flyer number and name).

    The problem is that many web developers have no code in place to slow down, or stop, brute-forcing programs that automate the guessing of PINs and passwords. At a rate of 1,000 guesses per second, which is possible, it takes only 5 seconds on average to guess a four digit PIN.

    United gave me a new frequent flyer number in early 2013. My guess is that’s when they stopped using the whole number on every correspondence. Later they allowed usernames instead of frequent flyer number on the website. But they still used PINs before using passwords in 2015. Now they are back to using frequent flyer number. Seems less secure to me.

  14. How come pictures on your articles are not showing on Google Chrome? Is there a problem? They show up on Firefox but not on Google Chrome. What’s up with that, Mr. Krebs? Please help. Thank you very much.

    • That happens if you access the site through https. The image links are http, and Chrome apparently refuses to load insecure images in a secure (https) session. There may be an option to allow mixed content.
      Chrome dev tools show this log entry:
      Mixed Content: The page at ‘https://krebsonsecurity.com/2016/08/united-airlines-sets-minimum-bar-on-security/#more-36022’ was loaded over HTTPS, but requested an insecure image ‘http://krebsonsecurity.com/wp-content/uploads/2013/01/pharmawarsg-252×228.png’. This content should also be served over HTTPS.

      • Thank you for someone finally asking the question, and for the answer other than the one I assumed: “Because you screwed around with your settings and broke it, dummy!”

        Brian, can this be changed so the image links are https: ?

        • fwiw, I agree. https: only subresources would be great. (Or at least https: for any subresource for which the equivalent resource exists.)

          One could use protocol relative urls[1], but they’re less secure (i.e. not at all for http: users). Also, it’s possible some servers don’t have equivalent content available via https.

          The reason people usually don’t use https: urls is they aren’t aware if they’re available, or if a database/framework doesn’t support protocols. I can’t remember why @brian doesn’t…

          [1] http://www.paulirish.com/2010/the-protocol-relative-url/
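As an added example (not the site's own tooling) of the check this thread is asking for, here is a small scanner that parses an HTML page served over HTTPS and reports the subresources that would trip the mixed-content warning quoted above, plus the protocol-relative form discussed in the reply. SAMPLE_HTML and the example.com hosts are constructed for the example.

```python
"""Spot subresources that trigger the mixed-content warning quoted above.

Added example, not the site's own tooling. It parses an HTML page that is
served over HTTPS and reports subresource URLs (img, script, iframe, media,
and stylesheet/icon links) that still use http:, which browsers block or
flag, and protocol-relative //host/... URLs, which work over https but give
no protection when the page itself is loaded over http. SAMPLE_HTML and the
example.com hosts are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# element -> attribute that names the fetched subresource
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
             "video": "src", "source": "src", "link": "href"}
# <link> only fetches a resource for these rel values; canonical etc. do not
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class SubresourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []           # (tag, url) pairs using http:
        self.protocol_relative = []  # (tag, url) pairs starting with //

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return  # <a href> and friends are navigations, not subresources
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        url = attrs.get(attr)
        if not url:
            return
        if url.startswith("//"):
            self.protocol_relative.append((tag, url))
        elif urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))


def scan_mixed_content(html):
    """Return (http_subresources, protocol_relative_subresources) for a page."""
    scanner = SubresourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure, scanner.protocol_relative


def upgrade_to_https(url):
    """Rewrite an http: or protocol-relative URL to https:.

    Only safe when the host actually serves the resource over TLS; the
    server-side equivalent is the CSP directive upgrade-insecure-requests.
    """
    if url.startswith("//"):
        return "https:" + url
    if url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//cdn.example.com/style.css">
<link rel="canonical" href="http://example.com/post/">
<script src="https://example.com/js/app.js"></script>
</head><body>
<img src="http://example.com/uploads/photo.png" alt="">
<img src="https://example.com/uploads/secure.png" alt="">
<a href="http://example.com/other/">a link, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    insecure, relative = scan_mixed_content(SAMPLE_HTML)
    for tag, url in insecure:
        print(f"blocked <{tag}>: {url} -> {upgrade_to_https(url)}")
    for tag, url in relative:
        print(f"protocol-relative <{tag}>: {url}")
```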

  15. How quickly will they get to a real 2FA? I do *not* want to use this poor excuse for security! Seems ripe for social engineering.

    • And how many people would actually use it if it were available? If you exclude the sorts of people who read this blog, probably not many.

      And then there is the question of what the 2nd factor actually is. To do it right, there will be something that you have to go out and buy, and while these things exist and aren’t all that expensive, most people have no clue or don’t want to be bothered. Or do you do it the dumb and easy way by using an SMS to your cellphone as 2FA?

      Finally, what happens when your 2nd factor is lost or stolen? How do you provide a method for the customer to regain access, and how do you have systems in place to prevent the bad guys from using these same methods to hijack someone else’s account?

  16. Hey! You left out my anchovies!

    Seriously — better not to have a reset mechanism at all than one that bad.

  17. The best solution would be to just cut prices and cancel the fancy loyalty programs. I can say, my loyalty will be to the best prices (and a big enough seat).

    Lacking that – they should outsource customer verification to a security company. The airlines would be indemnified for all mis-identified customers, and the security company could make money by finding the balance between usability and security.

  18. Brian, understanding that AAs system is not optimal, that security systems have to be designed for the masses and companies have to start somewhere, what alternative suggestions do you have for companies trying to offer secure online system access for customers?

  19. It’s dinner and I know what I’m having tonight. Extra cheese please

  20. Someone please help me understand why we don’t use PKI for authentication. Establish a trusted CA, issue me a cert (I’ll even pay a nominal fee) and let me present the cert whenever I need to ID myself. Where’s the problem? Too hard? Not scalable? Too expensive? (Maintaining the CRL?). Why does what seems to be a suitable solution languish unused? Why do we have to use pizza toppings instead?
    Thx,

    • Some forms of 2FA (like U2F) are kind of a step in this direction. I would certainly rather have a physical 2nd factor rather than have to deal with purchasing a certificate.

      But I would guess that most end users will find it too confusing and frustrating.

    • Because most of United’s customers are not security nerds* like many readers of this site. You really think grandma wanting to fly United to see her grandkids has the ability to figure out buying a cert and installing it (and eventually renewing it)? My mom can barely keep a grip on her plethora of passwords. And browser security warnings are still too hard to decipher for most users.

      * not to mention that many security nerds couldn’t even explain how PKI works to someone

    • There are a number of problems w/ PKI:

      1. Users don’t understand it.
      2. Moving certificates between browsers/devices is complicated, risky, and sometimes prohibited.
      3. Not all devices support them at all.
      4. Certificates can be misused for tracking purposes (including persistently tying user identities across sites) — this is sort of a “duh”, but the way to protect against this leads to the next point.
      5. The UX in browsers is awful, which means that site developers don’t want to use them.
      6. Generating certificates can involve the non-standard {keygen} tag, which isn’t supported by a number of modern browsers (and the vendors who do support it would like to drop it).

  21. I’m one of the guys who hasn’t ridden on united for many years precisely because no service customer service was the norm. This looks to be more of the same.
    I think more than ever that I did the right thing and I’m divesting myself of so-called airline miles as fast as I can by purchasing items I need using them as cash.

  22. Standard Chartered Bank of India has been the first

  23. Hi Brian
    For several days, I have been receiving false professional emails sending me a contract to sign or a document to read. Of course the attached document certainly contains a malware.

    I never read posts about this problem. Have you studied who sends this spam?
    Best

    • I’ve seen a ton of this happen in past few months.
      Just delete anything you have a doubt about, and be cautious about opening anything you think is legit.

  24. United should add the option of time based authentication to their smart phone apps, for those of us using their app already? Not my favorite way of dealing with this, but this has been implemented by Facebook.

  25. I lost faith in UA’s data security practices years ago. I make frequent use of tailored email addresses (something like Google’s email aliases for gmail). I crafted email addresses for use with United only.

    Twice, over the course of two years, those United-only email addresses somehow leaked onto spammer lists. After the first one ended up spam lists, I crafted another and updated my United account. Within a year, that email address as well ended up on spammer lists. I’d receive copies of the same spam to both addresses.

    Of the many many other email addresses I have crafted for use with different companies and people, only a few ever end up on spam lists. Because of that and because the email addresses I gave United both ended up on the same spam lists, I concluded it was probably United who was either selling me out or losing my data. I shut down my account.

    This all happened years ago. I had hoped they’d improved their practices over time, but it looks like they have a good way to go.

  26. United said it opted for pre-defined questions and answers because the company has found “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”

    And your username and password is predefined as well ?! It’s a poorly planned feature. They had near zero talent at the table when it came to thinking out of the box.
    Come on – the more secure way to these questions and absurdities is to lie about them. Topping? Now the people who fill these questions out to avoid having to pick a standard answer are forced to lower their security posture to become compliant – or fly with another airline. Putting your own creative words and having them case sensitive is the best security approach. Topping? Heck I don’t know, use something like DONKEY_Bombs. Who’d even try to duplicate that?

    What the heck does that have to do with some sort of airline theme? If it was tailored towards an airplane theme then areas of the plane you’d like to sit in,

  28. This answer in the FAQ is pretty concerning:

    What happens now when I call the contact center?

    If you contact United by phone, you’ll be asked for your password when using the automated system or for your security answers when you speak to a United representative. For security purposes, if you’re asked for your password you will only need to share the first five characters.

  29. I’m locked out of United’s web site because all of the answers are wrong, e.g., what is your favorite musical group with the responses all being groups I never heard of.
    I’m sorry, but this is just asinine.

  30. I accidentally cracked my brother’s account at the power company – we have the same first initial and last name, and he chose a username I’ve used before. The security question was “What city were you born in?” so it only took me seconds to get a password reset and access what turned out to be his account. I would guess that a substantial number of power company customers in a given area were born in the same city.