When I logged into United’s site to check in for a flight this week, I discovered that they’ve changed their user security approach. There’s been some chatter on flyertalk, twitter, and a couple of other places about the changes, and I thought I’d chime in.
First, let’s take a look at what United’s trying to protect. Obviously, they want to avoid mischief with cancelled reservations, fake reservations and other annoyances. They’re also working to protect user identity information – they’re right up there with doctors and financial institutions in holding PII. From passport numbers, global entry and/or TSA redress numbers, it’s all information that we want held in confidence. Obviously they deal with credit card numbers and are subject to PCI-DSS requirements. Even the travel information itself is sensitive – if a corporate officer is consistently traveling to a competitor’s headquarters, that’s valuable insider information about a pending merger. They also hold in trust billions of air miles worth hundreds of millions of dollars – essentially a virtual currency. And that’s probably one of their crown jewels.
Major airlines have some unique challenges in their user base. They have to support access worldwide – which makes two-factor authentication very difficult (SMS and phones don’t work overseas reliably). They have a large population that doesn’t speak English (for United, particularly in Asia and Latin America). And they have a mobile user population, who (contrary to good practice) probably use untrusted devices on a regular basis. Airlines need to have pretty good security, and it appears United is trying to up their game.
The first change is the elimination of the PIN as a login option, a long-overdue and essential change. Good for them.
Now on to the security questions. These have a mixed reputation in the security community, and can often degrade security rather than improve it. The strongest (in potential) option is to enter both the question and answer, but that only works if you provide good questions and good answers. Unfortunately, users are generally terrible at doing that.
So most typical security questions are prescriptive – you’re either given the questions, or allowed to choose them from a short list of common ones. Once that’s done, in most implementations you’re allowed to enter free form text as a response.
And that’s where the problems start. With social media, the majority of ‘security question’ answers can be easily discovered – the celebrity breaches over the past few years all resulted from that kind of attack. In those cases, I always recommend that folks, well, lie – pick random words (diceware is excellent for that), and record those fake answers in a secure repository (like 1Password as notes in the login entry), with appropriate backups in a secure location.
In most cases the worst option is a prescriptive question with restricted answers. So a question like ‘When is your parent’s wedding anniversary?’ and a system that requires a valid date is terrible. By forcing a real date with a restricted range, the site leads users to enter real information, and a date that’s likely on social media. Terrible design.
My initial reaction to United’s system was not very complimentary – but it’s mandatory, I have to fly, so I did it (using false answers at least). Now after I did my account, my wife did hers – and received a different set of questions. Interesting. So I asked around, and sure enough, it looks like there’s a fairly large population of questions available. Something’s going on here.
So let’s look at the questions themselves. They’re fairly odd. While some of the answers may be on social media, not all of them will be. There’s also a fairly large number of pre-selected answers – much larger than most prescribed systems I’ve seen, and many answers you would normally expect are missing. Something’s definitely up.
What I think is going on here is that United is doing some pretty serious math behind the scenes. Multiple questions, with a large number of answers, adds up to a decent amount of entropy (a measure of security strength) – not as much as a robust password, but far more than most security questions. I haven’t been through the re-authentication process with the questions yet, but if they only ask for a subset, that’d be more information pointing in that direction.
Now why would United choose this system? Well, let’s look at a couple of ways people use and access their accounts. Aside from their own trusted machines, the most common, and the dumbest way possible, is using a public kiosk in a hotel, business center, rental car hub or similar location. I’ve told folks for years to never, ever use one of those – miss your flight first. Most are infected with malware and keyloggers designed to capture credentials, steal information, and then infect your own machine if you’re careless enough to use a thumb drive in both. If a machine’s in public, assume it’s compromised – using one is the digital equivalent of visiting a kissing booth in a mononucleosis ward at a hospital.
But even though my wife’s horse stall is cleaner than a machine in a hotel business center, every trip I see someone logging in and printing boarding passes. Want to bet that’s a major threat vector for the airlines?
So what happens if someone has a momentary mental lapse and uses United’s new system from an infected kiosk? It’ll grab the password – no way around that. But by not entering the answers on the keyboard, it’s much harder to capture the security questions. I suppose malware could evolve to scrape the screen, but that’s much harder to do – and even if it did, if United only presents a subset of answers, the account is unlikely to be completely compromised.
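The arithmetic behind the entropy claim above and the infected-kiosk scenario, as an added Python illustration that is not part of the original post and not anything United has published. The number of questions on file, the choices per question and the questions shown per session are constructed assumptions, not United’s real configuration.

```python
import math

# Constructed example parameters (United's real counts are not known here):
# N pre-selected questions on file, each with M fixed answer choices,
# and K of the N questions presented per login or phone interaction.
N_QUESTIONS = 5
CHOICES_PER_QUESTION = 20
ASKED_PER_SESSION = 2


def answer_set_entropy_bits(num_questions: int, choices: int) -> float:
    """Entropy of a full answer set when each answer is picked uniformly at random.
    A user who lies (diceware-style) approaches this; true answers give far less."""
    return num_questions * math.log2(choices)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


def expected_fraction_learned(total: int, asked: int, sessions: int) -> float:
    """Expected fraction of the N answers an observer (keylogger, screen scraper,
    call-centre rep) learns after `sessions` interactions, each showing a random K-subset."""
    p_unseen_once = (total - asked) / total
    return 1.0 - p_unseen_once ** sessions


def prob_full_compromise(total: int, asked: int, sessions: int) -> float:
    """Probability that all N answers have been exposed at least once after `sessions`
    observed interactions (inclusion-exclusion over sets of never-asked questions)."""
    prob = 0.0
    for j in range(total + 1):
        if total - j < asked:
            p_avoid = 0.0  # impossible to pick K questions while avoiding j of them
        else:
            p_avoid = (math.comb(total - j, asked) / math.comb(total, asked)) ** sessions
        prob += (-1) ** j * math.comb(total, j) * p_avoid
    return prob


def sessions_until_risk(total: int, asked: int, threshold: float) -> int:
    """Smallest number of observed sessions at which full compromise is at least `threshold` likely."""
    sessions = 1
    while prob_full_compromise(total, asked, sessions) < threshold:
        sessions += 1
    return sessions


if __name__ == "__main__":
    print(f"{N_QUESTIONS} x {CHOICES_PER_QUESTION}-choice questions: "
          f"{answer_set_entropy_bits(N_QUESTIONS, CHOICES_PER_QUESTION):.1f} bits")
    print(f"12-char random password, 94 symbols: {password_entropy_bits(12, 94):.1f} bits")
    for s in (1, 3, 10):
        print(f"after {s} session(s): {expected_fraction_learned(N_QUESTIONS, ASKED_PER_SESSION, s):.0%} learned, "
              f"P(all exposed) = {prob_full_compromise(N_QUESTIONS, ASKED_PER_SESSION, s):.3f}")
    print("sessions until P(all exposed) >= 0.5:", sessions_until_risk(N_QUESTIONS, ASKED_PER_SESSION, 0.5))
```

With these assumed numbers a single observed session exposes 40% of the answers and never the full set, which is the property the kiosk and call-centre arguments rely on; the risk grows with every session the same observer sees.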
The other use case for those answers is phone transactions. Right now, if you want to redeem miles over the phone, you have to provide a PIN. So that means that the call center representative now has a PIN that can log in to my account. Don’t get me wrong – I think United has amazing people (they work in a tough situation, but the new CEO is improving that). But any organization is going to have some bad eggs get through the screening process. From a security standpoint, again, the most they can capture is a subset of answers, so the account is still secure.
A colleague recently pointed out something I hadn’t considered: some folks use profanity or vulgarity in free form answers, so this protects the call center reps from having to deal with that. Many years ago I built a marketing system for a large restaurant chain based on delivery records. You wouldn’t believe what I saw entered into the ‘comments’ field. Comcast has had recent problems in this area too, so it’s an additional benefit.
I do have some open questions:
- Do they really only ask a subset of questions?
- How do they deal with indicators of compromise (consistently getting one or two questions right, but others consistently wrong)?
- How do you gain access back if you’ve forgotten all the questions?
- Do they treat untrusted computers differently?
- Do they have a threat feed that monitors known compromised machines (probably via IP addresses) and denies them access completely?
Not to feed conspiracy theories, but I did wonder if they’d had an incident that triggered this change. I don’t think so: United would have had to disclose a breach, so it looks like this is just an upgrade. If we continue to see additional features in this area, it’s probably a broad strategy to improve their security posture.
United gets a lot of grief these days. Some is deserved – I’d like to see them install the slim-line seats in their board room and executive suites, and their operations folks need to add slack back into the system for when things go wrong. Some isn’t – the customer facing people I’ve dealt with will do their best to make things right when something goes wrong. They’ve just been working in a really tough operational environment.
So which category do these changes fall in? My first, off-the-cuff reaction wasn’t promising. Yet, after a deeper look, the system appears subtly robust. It’s clearly designed to be unobtrusive, and if what I’ve outlined above is correct, it’s about as secure a ‘security question’ solution as I’ve seen. It’s far better than most – mother’s maiden name? Last four of SSN? Please.
So kudos to United, for working to make the skies both more friendly and more secure.
Iain Riule says
So you’re a security expert? I suggest you review the definition of multi-factor authentication before posting more worthless cr@p. Just like the whole $7+ billion TSA expenditure, this is yet more security theater from the idiots in the transportation industry.
Doug says
As I noted, multi-factor authentication is a very tough problem for this particular use case. SMS doesn’t work overseas, and they have to support multiple access channels (phone, mobile app, computer).
Could those of us who know what we’re doing be more secure? Absolutely. But what about the 80-year-old grandmother traveling internationally who logs in from her grandchild’s computer to change seats for a return flight? Or the nature photographer who books a return flight from his phone at the only internet connection in the middle of the Alaska wilderness? Getting a second factor in those situations is essentially impossible.
United did reduce security slightly for the tiny population that has good practices in order to uplift the security of the general population. Much like vaccinations, there is a lot to be said for herd immunity. Is it perfect? Nope. But it’s better than it was, and better than most of their peers.