
United Airlines’ so-called online security (2016) - helloka
https://techcrunch.com/2016/08/13/its-time-to-publicly-shame-united-airlines-so-called-online-security/
======
Gasparila
I had one experience reporting a security vulnerability to United's bug bounty
program and never want to do it again. I reported an issue that I could
reset anybody's MileagePlus number by only guessing a multiple choice security
question ("what is your favorite sport", etc.), bypassing any email
confirmation or anything like that. After 3 months of back and forth with
their security team, they released an Android update that patched the issue. I
was then told "It turns out this fix was pushed by the QA team and was
actually unrelated to your Bug Bounty submission" and that my submission was
ineligible. At least they have a program I guess?

~~~
jrootabega
Thanks for sharing your experience. No one wants innocent people's data to be
compromised, but maybe your story will do something to discourage others from
participating, and United will feel the consequences as a result. Having a bug
bounty program is one thing; standing behind it is another. Is there a ranking
of bug bounty programs in terms of ease of use, good faith, etc.?

~~~
tapland
It's never good to have bugs in the wild that could risk customer information.
I want to see United shape up, but I don't want regular guys to suffer for it.

~~~
jplayer01
If people aren't going to be given the reward they deserve for all the work
they put in, why should any of them help United? It isn't a free service.

~~~
tapland
Am I forcing them to by not wanting there to be a United data leak? What kind
of reasoning is that?

~~~
krageon
You were making a point - is it not fair for people to respond to the problems
they see with it?

------
moreira
I've often read discussion about how you can't regulate this sort of thing
because the industry moves so fast that what's a best practice today can be
tomorrow's horrible security (then enforced by law).

But, isn't it possible to legislate this on a blacklist basis? "Fine of up to
$X if you're storing passwords in plaintext. Fine of up to $X if you're
limiting the length of passwords to < 16 characters. Fine of up to $X if you
misrepresent your 2FA implementation (as in the article). Fine of up to $X if
you accept unencrypted logins over the web."

Outlawing a small set of easily identifiable and correctible attack vectors,
would be enough to get companies thinking about security a bit more seriously.
It doesn't have to be anything big, and I wager it'd have a serious impact.

~~~
omeid2
This kind of law would be very ineffective as they need to grandfather
previously built applications and so enforcement becomes very complicated and
only practical in data-breach scenarios, so might as well make laws that fine
for data breaches in relation to non-zero-day and neglect of security by
industry standards (I know it when I see it, expert opinion, et al.).

That is, don't legislate implementation but consequences.

~~~
kevincox
Why would you need to grandfather previously built applications? It seems to
me that these would be the best things to target with the law. When you pass
the law, include a date at which enforcement starts. Now you need to fix any
in-use applications.

------
helloka
[https://krebsonsecurity.com/2016/08/united-airlines-sets-min...](https://krebsonsecurity.com/2016/08/united-airlines-sets-minimum-bar-on-security/)

United began debuting new authentication systems wherein customers are asked
to pick a strong password and to choose from five sets of security questions
and _pre-selected_ answers.

This has been in place for 3 years despite public shaming.

~~~
killjoywashere
I'm stuck flying United most of the time and I get the sense their
cybersecurity posture is consistent with their broader business posture: "If
you do nothing, nothing will happen. If something external forces change,
deny, deny, deny." Very old school. In all the worst ways.

~~~
lbill
Does this mean that United Airlines is still using the inadequate system
described in the article? In my opinion, public shaming is the last resort:
when you tried everything and failed to make your legitimate concerns about
cyber-security heard by the company, you go public and hope that the bad press
creates some kind of PR issue... But what if it doesn't? What if the public
shaming proves useless? What can be done then?

~~~
mgkimsal
"Boycott"? You can quit flying with them, but individuals doing this will have
pretty much 0 effect. In many cases, a specific airline may be the only
practical way to get from A to B, so you're generally stuck. This is even more
grating on me when I fly and hear "we know you have a choice, thank you for
flying with _____ today!". No, really, most of the time, I don't have much of
a choice. Drive 7 hours or spend 4 hours in an airport. Fly ABC direct or DEF via
2 layovers. Neither are great choices (if they exist at all).

------
walrus01
You think that's bad, there are major Canadian banks where the password for your
online banking account can't be longer than 8 characters or numbers, can't
contain punctuation marks, and is stored in plaintext on their backend.

Edit: oh yeah, I forgot, it also doesn't recognize case sensitivity. A = a

I'm assuming they're storing them in all caps, 8 character length database
fields on a monstrous ancient mainframe software application.

~~~
solatic
For what it's worth, such password schemes usually include lockouts after
small-N tries to prevent the passwords from being brute-forced from the
outside, and an attacker with database-level access is probably going to use
it not to compromise passwords but to directly change balances.

Not to excuse such password schemes - they're horrible, and banks need to get
with the times - but if they were really so ineffective, their coffers would
have been drained long ago.

~~~
jjeaff
Full write access to a database is a totally different thing than reading out
the plaintext passwords or getting a leaked dump of the data. Perhaps a
mishandled backup.

~~~
solatic
Which is one of the reasons why these schemes are horrible. But the point
remains that banks are afraid of database leaks for other reasons.

Maybe think of it like this: imagine that you have an airgapped system where
all the endpoints are running Windows XP (reasoning being something like
hardware drivers that were written by defunct companies and can't / won't be
upgraded). Is it horrible that such machines are running unsupported, EOL
versions of Windows? No question. But if there are other controls in place
(like airgapping, like 24/7 physical access control to the endpoints), it
might still be possible to provide de facto effective security.

------
piquadrat
> Two-factor authorization has a specific meaning: ...

Well, that was the worst place the author could have mixed up authorization and
authentication...

In fact, he seems to use authorization and authentication pretty much
interchangeably, which kind of undermines his rant a bit...

~~~
koolba
Ha! Two-factor authorization sounds like it’d be some kind of multi-sig
protocol. The digital equivalent of “ _Turn both keys simultaneously_ ”.

------
NamTaf
United need to be heavily litigated when accounts eventually get compromised.
This must be a wanton disregard for security, rather than simple naivety as
many other sites exhibit.

There needs to be real, material damages for companies who do not properly
secure data following best-practice guidelines. Not just an 'oh sorry your
account was compromised, please change your password!' circus - actual,
concrete damages by way of fines or the like put on those who do not properly
look after user data.

------
pdx_flyer
The questions they ask are ridiculous. And you have to use them when trying to
do certain things over the phone as well.

I know they have fought quite a bit of mileage theft out of a number of
countries and they thought this was a good way of doing that, but it's awful.

------
dismalpedigree
Funny enough, they did burn the building down back in the mid 90s. There was
so much copper wiring that melted together that they just left the blob
between the floors because it would be too hard to remove. I’m sure it has
been dealt with since then with the whole wifi and cell phone issues that it
would cause though. I worked there as an IT intern in the early 2000s. I vowed
to never work in IT. Yet here I am. I guess the siren song was too much.

------
AlexTWithBeard
But... but do I really need all this security with an airline website? What's
the worst thing someone can do with my account? Buy me a ticket? See my
address?

Or am I just extremely naive?

~~~
huslage
If you have stored credit cards, they can buy tickets for anyone. They can
change existing reservations. They can steal your passport number. All sorts
of things.

~~~
AlexTWithBeard
But whoever buys a ticket will have to provide his passport information,
surely not something a hacker wants to do?

~~~
zius
You would be surprised. I work at an airline fraud prevention platform, and
the legal hassle with credit card/loyalty fraud (which is what this would be)
is so complex that fraudsters are often not charged with fraud. They just go
ahead and provide their real information. Or change it right before takeoff at
the airport, leaving the fraud analysts with no time.

~~~
AlexTWithBeard
I am indeed surprised, but thank you for reminding me that the world is not as
simple as it seems.

------
ryanthedev
When you’re waterfall and try to act agile.

------
virgakwolfw
There are so many fuckups in security systems these days, so it's not strange.
