
It's time to publicly shame United Airlines' so-called online security - galazzah
https://techcrunch.com/2016/08/13/its-time-to-publicly-shame-united-airlines-so-called-online-security/
======
madaxe_again
It's entirely their prerogative as to whether or not they provide a decent
level of security, and it's entirely up to consumers to choose whether or not
to work with them.

The vast majority of people do not know what 2fa is, and sure as hell don't
care to know, so the only people irked by their misleading messaging are IT
professionals, who, again, can fly with someone else.

Essentially, there is clearly no incentive for them to improve their security
unless it hurts their bottom line - and there's no point from their
perspective in investing in something which makes no money.

Of course, if they have a major hack there will be some brief PR damage (none
of the high profile hacks of major companies seem to have inflicted _any_
reputational damage - instead the public blame the "terrorist hackers" the
media parade), and their insurers will cover any direct losses, including
those as a result of a class action, which they're probably indemnified
against anyway.

In short, they have no reason to change, so probably won't. If anything,
they'll be upheld as the golden standard, because legislators will buy into
their PR, not being in any way technical themselves. Perception is reality.

~~~
chrisbolt
> It's entirely their prerogative as to whether or not they provide a decent
> level of security, and it's entirely up to consumers to choose whether or
> not to work with them.

Entirely? Does the security of their website rank anywhere in the top ten of
reasons anyone chooses an airline?

> The vast majority of people do not know what 2fa is, and sure as hell don't
> care to know, so the only people irked by their misleading messaging are IT
> professionals, who, again, can fly with someone else.

And it is the IT professionals who might raise the bar, and protect those who
do not 'care to know'.

> Of course, if they have a major hack there will be some brief PR damage
> (none of the high profile hacks of major companies seem to have inflicted
> any reputational damage - instead the public blame the "terrorist hackers"
> the media parade), and their insurers will cover any direct losses,
> including those as a result of a class action, which they're probably
> indemnified against anyway.

So all that matters is PR damage, and anything that someone is willing to sue
for?

~~~
madaxe_again
_Entirely?_

Yes, entirely. It is up to them how they choose to operate their business, so
long as it is within the bounds of law.

 _And it is the IT professionals who might raise the bar, and protect those
who do not 'care to know'._

Correct, but how will you raise the bar or protect other passengers, if United
do not care about your opinion, as you are a small minority? Unless you can
hurt their bottom line by persuading people to not fly with them, they won't
budge - and just you try persuading aunt Tilda not to fly with United because
their website security is poor, even though their tickets are $200 cheaper
than $competitor. I mean, that television ad said they had the best security
in the business. Why would they lie about something like that, and what do you
know about it anyway?

 _so all that matters is PR damage, and anything that someone is willing to
sue for?_

To them, absolutely.

~~~
oneeyedpigeon
> Yes, entirely. It is up to them how they choose to operate their business,
> so long as it is within the bounds of law.

I guess the law needs to change then. A shop cannot sell you an item of food
that might seriously harm you, because it's unreasonable for the average
consumer to carry out the required testing on every piece of food they
purchase for consumption. Ultimately (I'm not saying this can necessarily
happen overnight), the same should go for online security. Now, it's a
difficult-enough thing that responsibilities need to be very carefully
defined; every mom-and-pop site should do the reasonable minimum themselves,
but a good centralised system should be available for them to use for the
trickier aspects.

~~~
madaxe_again
_I guess the law needs to change then._

I couldn't agree more - but then, what incentive is there for legislators who
are technically illiterate, and have attended many cheque-laden seminars in
which airline lobbyists have told them they don't need to do anything about
that nasty regulation stuff. Imposing strict universal security requirements
would be deemed anti-competitive, and could potentially result in businesses
suing the federal government for loss of profits.

Personally, I think the future comprises a frothing sea of crapware, leaky
everything everywhere, and nobody taking responsibility. The most probable
ultimate response will be a "war on hackers", after someone pulls something
spectacular off, which will generate trillions of dollars in profits for
enforcement agencies, and give the public that warm fuzzy "somebody is being
bombed and it isn't me" feeling.

------
kogepathic
In all fairness to United, it's probably pretty difficult to implement real
2FA in COBOL.

(In passing jest to:
[https://news.ycombinator.com/item?id=12246490](https://news.ycombinator.com/item?id=12246490)
)

~~~
idlewords
SECURITY DIVISION.

        Begin.
           PERFORM Login WITH TEST BEFORE
            UNTIL FactorCount GREATER THAN 2.

------
oneeyedpigeon
To be fair, all UA say is:

> Your security questions will also be used as part of upcoming two-factor
> authentication to further protect your account

The stupid nature of the 'enum answers' aside, this doesn't necessarily mean
they're not implementing 2FA properly. They _might_ have 2F set up as securely
as the very best practitioners, then have this security question crap layered
on top. We need to know for sure that they think the security question is one
of the two factors before tearing them a new one.

~~~
Matt3o12_
They apparently think that those security questions, combined with the
password, are the 2FA.

Unfortunately, this is not true. 2FA authentication means something that you
know and something that you have. The advantage is the second one: if the
attacker has compromised your PC/password wallet, they still can't get into
your account because they are missing something (you have).

With UA's approach, an attacker can still successfully hijack the victim's
account if they have a keylogger because UA's authentication only requires
"something(s) that you know".
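The distinction this comment draws can be shown in code. The following is an added illustration, not code from the article, the thread, or United's systems: a toy login that accepts password plus security answer (both knowledge, both captured by a keylogger, both replayable for ever) beside one that accepts password plus an RFC 6238 TOTP code from a device the user holds. The TOTP secret is the RFC test key; the account name, password, answer and timestamps are constructed for the scenario, and the replay-protection scheme (one step of skew, reject any counter at or below the last accepted one) is one common choice, not a prescription from the page.

```python
"""Why "password + security questions" is still a single factor.

Added illustration, not from the article or the thread. A password and a
security answer are both knowledge; a keylogger captures both and they do not
change, so the capture replays indefinitely. A TOTP code (RFC 6238) is derived
from a secret on a device and changes every 30 s, so a captured code is
worthless minutes later, and a server that records accepted counters refuses
even an immediate replay. Secret below is the RFC 6238 test key.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password, RFC 4226 (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password, RFC 6238: HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def _kdf(value: str, salt: bytes) -> bytes:
    # Knowledge factors are stored hashed; answers are normalised first, as
    # sites usually do, which is part of why they are so easy to guess.
    return hashlib.pbkdf2_hmac("sha256", value.lower().strip().encode(), salt, 100_000)


class Account:
    """Constructed account record: hashed password and answer plus a TOTP secret."""

    def __init__(self, password: str, security_answer: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = _kdf(password, self.salt)
        self.answer_hash = _kdf(security_answer, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time-step counter already accepted

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _kdf(password, self.salt))


def login_knowledge_only(acct: Account, password: str, answer: str) -> bool:
    """The scheme the thread describes: password plus a security question.
    Both are 'something you know', so a keylogger gets everything needed."""
    return acct.check_password(password) and hmac.compare_digest(
        acct.answer_hash, _kdf(answer, acct.salt))


def login_with_totp(acct: Account, password: str, code: str, now: int,
                    step: int = 30) -> bool:
    """Password plus a code from a device the user has. Accepts one step of
    clock skew either way and never accepts a counter at or below the last
    one used, so a captured code cannot be replayed (assumed policy)."""
    if not acct.check_password(password):
        return False
    for counter in (now // step - 1, now // step, now // step + 1):
        if counter <= acct.last_counter:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, counter), code):
            acct.last_counter = counter
            return True
    return False


def keylogger_replay_demo() -> dict:
    """Constructed scenario: a keylogger records everything the victim types
    during one login at t0; the attacker replays it at t0 and ten minutes later."""
    secret = b"12345678901234567890"        # RFC 6238 test vector key
    victim = Account("correct horse", "Rosewood Ave", secret)
    t0 = 1111111109                          # an RFC 6238 sample timestamp
    typed_password, typed_answer = "correct horse", "rosewood ave"
    typed_code = totp(secret, t0)            # what the victim's device showed at t0
    return {
        "victim_login": login_with_totp(victim, typed_password, typed_code, t0),
        "knowledge_only_replay_now": login_knowledge_only(victim, typed_password, typed_answer),
        "knowledge_only_replay_later": login_knowledge_only(victim, typed_password, typed_answer),
        "totp_replay_now": login_with_totp(victim, typed_password, typed_code, t0),
        "totp_replay_later": login_with_totp(victim, typed_password, typed_code, t0 + 600),
    }
```

Running `keylogger_replay_demo()` returns both knowledge-only replays as successful logins and both TOTP replays as rejected: the immediate one because the counter was already consumed, the later one because the code has rotated. Nothing about the security question made the first scheme harder; the attacker only had one more string to type.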

~~~
oneeyedpigeon
Sure, I understand what you're saying about 2FA but:

> They apparently think that those security questions, combined with the
> password, are the 2FA.

What makes you say that? I see nothing that concretely backs this up.

~~~
dankohn1
It's as bad as it seems. Every time you log in from a new machine, it asks for
you to answer security questions, and calls it two factor, which it's
obviously not.

------
chris_7
The dropdowns are hilarious for non-security reasons, you have to choose your
favorite artist... from a list of about 12 artists. I suppose it could be an
improvement on the misogynist, homophobic, and Facebook-able "mother's maiden
name".

I'm almost disappointed that they're not having their phone staff ask for your
actual password - I'd love to have the experience of reading my 1Password-
generated password to them.

------
stwe
The author seems to use authorization and authentication interchangeably
multiple times in the text. They may be right about the point they are making,
but it leaves a bad taste.

------
swang
security questions as a recovery mechanism are fucking terrible.

most people are going to fill in the same response for their security q/a over
multiple sites so pretty much any bad actor in any organization could possibly
look at the security q/a, guess that their question/answers are the same on
other sites and exploit that avenue.

also fuck remembering all of that.

but i think hsbc was even worse than what united is asking for. for their
online banking you had to enter in your password then enter in another
password using a browser based keyboard (AVOIDS KEYLOGGING!) and then answer a
security question or something like that. i must have asked for a new passcode
to reset everything every couple of months (they mail these to you via snail
mail).

of course the problem with the system was (and i forgot exactly how) there was
a way sometimes to reset all these systems so you didn't have to remember your
answer for each security measure. i was pretty sure it was a bug with the
system but fuck if i want to endure the hell in trying to explain to a website
with terrible security that you've found a bug in their terrible system and
please don't put me in jail and what do you mean, 'what is a hash function?'

------
calanya
Providing account authentication as a service seems like a no-brainer.

Does no company in this space know how to sell to conservative IT
organizations like airlines?

~~~
cm2187
Well that was the promise of OAuth. But then those service companies (in this
case Google and Facebook) have full and perfect visibility on all the websites
you use, which raises some other problems. Which is why I never wanted to touch
it and why I think they are not so popular.

What I really like is concepts like Steve Gibson's SQRL, which provides a
pretty secure alternative to passwords, but in a fully decentralised way, i.e.
SQRL only provides the protocol and the cryptography, but the authentication
only involves you (and your devices) and the website, no reliance on a third
party.

~~~
oneeyedpigeon
You think OAuth didn't take off because people are _too aware_ of
security/privacy issues? I think it's the exact opposite reason.

~~~
cm2187
I see a lot of people who find these privacy issues creepy. They might not
necessarily care enough to get off google, gmail or facebook, but care enough
to install an ad blocker, and I presume decline to use facebook to login to
some place.

------
cmurf
Apple also uses security questions like this for Apple ID accounts. I don't
like it, but where's the outrage? Is there a way to do this correctly, other
than the user asking their own question?

------
desdiv
I wonder at what point will companies finally realize that it would be cheaper
and easier to just give each customer a security token.

~~~
hboon
Don't give them ideas. I have 1 security token for each bank over here in
Singapore and a few others. I wish they used something like Google
Authenticator rather than cook up their own.

------
duncan_bayne
Can we start by shaming Techcrunch.com's mobile layout?

[https://s4.postimg.org/5er0ol93h/Screenshot_2016_08_14_17_59...](https://s4.postimg.org/5er0ol93h/Screenshot_2016_08_14_17_59_56.png)

