United Airlines Updates Login Protections With Pre-Selected Security Question Answers

Earlier this year a man was accused of hacking United Airlines in order to steal travel vouchers from some frequents fliers. In an attempt to better protect loyal customers’ vouchers, mileage points, and other information, the carrier recently unveiled a slew of updates to its website, including employing a security question section with pre-selected answers. Wait, what? 

Krebs on Security reported Wednesday that United Airlines has moved away from requiring customers to use their frequent flyer account numbers and 4-digit personal indentification numbers to access accounts, in favor of a process that includes a password and five security questions.

However, these questions aren’t the typical “Mother’s Maiden Name” queries that are unique to each user — but which, in some cases, could be easily figured out. Instead, the new questions are less likely to turn up on public records, like “What is your favorite pizza topping?” The catch is that you can’t just write in your custom answer. You have to select from a drop-down list of pre-selected answers like “mashed potatoes, “garlic,” or “barbecue chicken.”

While this update removes some easily discoverable answers from the equation, some cybercrime experts question whether it will ultimately do anything to prevent clever hackers.

United tells Krebs on Security that the airline chose to go with pre-written answers because a “majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”

But Krebs counters that this may not be effective in fighting hack attacks, as most malware that relies on logs users’ keystrokes also uses “form grabbing,” which captures data submitted through forms like the one United is now using on its site.

United’s director of IT security intelligence says the airline will randomize the questions to throw off programs seeking to automate the submission of answers. Additionally, security questions answered incorrectly will be “locked” and not asked again.

The carrier says it will also use the security question and answer option to authenticate users who call the airline directly.

Arlan McMillan, United’s chief information security officer, tells Krebs that the system was created in a way that the carrier can include additional security features in the future, such as app-based one-time passwords.

“It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to,” McMillan said. “We set the minimum bar here, and we think that’s a higher bar than you’re going to find at most of our competitors. And we’re going to do more, but we had to get this far first.”

Despite United assurances that the process will be more secure, Krebs points to a Google research paper published last year that suggests question and answer security barriers are “neither secure nor reliable enough to be used as a standalone account recovery mechanism.”

Still, the carrier believes the new system is a step in the right direction and better than doing nothing.

“At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers,” United’s Benjamin Vaughn tells Krebs. “We have to start with something that is universally available to our customers.

United Airlines Sets Minimum Bar on Security [Krebs on Security]