madaxe_again|9 years ago
It's entirely their prerogative as to whether or not they provide a decent level of security, and it's entirely up to consumers to choose whether or not to work with them.
The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.
Essentially, there is clearly no incentive for them to improve their security unless it hurts their bottom line - and there's no point from their perspective in investing in something which makes no money.
Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted any reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.
In short, they have no reason to change, so probably won't. If anything, they'll be upheld as the golden standard, because legislators will buy into their PR, not being in any way technical themselves. Perception is reality.
chrisbolt|9 years ago
> It's entirely their prerogative as to whether or not they provide a decent level of security, and it's entirely up to consumers to choose whether or not to work with them.
Entirely? Does the security of their website rank anywhere in the top ten of reasons anyone chooses an airline?
> The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.
And it is the IT professionals who might raise the bar, and protect those who do not 'care to know'.
> Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted any reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.
So all that matters is PR damage, and anything that someone is willing to sue for?
oneeyedpigeon|9 years ago
> Your security questions will also be used as part of upcoming two-factor authentication to further protect your account
The stupid nature of the 'enum answers' aside, this doesn't necessarily mean they're not implementing 2FA properly. They might have 2FA set up as securely as the very best practitioners, then have this security question crap layered on top. We need to know for sure that they think the security question is one of the two factors before tearing them a new one.
Matt3o12_|9 years ago
They apparently think that those security questions, combined with the password, are the 2FA.
Unfortunately, this is not true. 2FA authentication means something that you know and something that you have. The advantage is the second one: if the attacker has compromised your PC/password wallet, they still can't get into your account because they are missing something (you have).
With UA's approach, an attacker can still successfully hijack the victim's account if they have a key logger, because UA's authentication only requires "something(s) that you know".
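The comment above draws the line between a second secret and a second factor. As an added example, not code from the thread or from United, the Go program below implements the "something you have" factor as an RFC 6238 TOTP together with a server-side check that refuses to accept the same code twice. The secret is the RFC 6238 test secret (so the code can be checked against the RFC's vectors); the password, the timestamps and the keylogger scenario are constructed for the demonstration. It goes slightly beyond the comment: single-use enforcement is what stops a captured code from being replayed inside its own 30-second window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

const step = 30 // seconds per TOTP time step (RFC 6238 default)

// totpCode returns the RFC 6238 code for secret at Unix time t, using the
// RFC 4226 HMAC-SHA1 construction and the requested number of digits.
func totpCode(secret []byte, t int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// Verifier is the server side of a two-factor login. The password hash is
// the "something you know"; the TOTP secret lives on the user's device and
// is the "something you have". usedSteps records which time steps have
// already produced an accepted code, so a code captured by a keylogger
// cannot be replayed even inside its validity window.
type Verifier struct {
	passwordHash []byte
	secret       []byte
	window       int64 // tolerated clock drift, in steps either side of now
	usedSteps    map[uint64]bool
}

// NewVerifier hashes the password with plain SHA-256 for brevity; a real
// service would use a slow, salted KDF such as scrypt or Argon2.
func NewVerifier(password string, secret []byte) *Verifier {
	h := sha256.Sum256([]byte(password))
	return &Verifier{passwordHash: h[:], secret: secret, window: 1, usedSteps: map[uint64]bool{}}
}

// Login checks both factors at Unix time now and reports why it failed.
func (v *Verifier) Login(password, code string, now int64) (bool, string) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], v.passwordHash) != 1 {
		return false, "bad password"
	}
	for d := -v.window; d <= v.window; d++ {
		t := now + d*step
		if subtle.ConstantTimeCompare([]byte(totpCode(v.secret, t, 6)), []byte(code)) == 1 {
			s := uint64(t / step)
			if v.usedSteps[s] {
				return false, "code already used (replay)"
			}
			v.usedSteps[s] = true
			return true, "ok"
		}
	}
	return false, "bad or expired code"
}

func main() {
	// Constructed demo values: the RFC 6238 test secret and a made-up password.
	secret := []byte("12345678901234567890")
	v := NewVerifier("correct horse", secret)

	// The victim logs in at t=59; a keylogger captures password and code.
	victimCode := totpCode(secret, 59, 6) // "287082", the RFC 6238 vector for t=59
	fmt.Println(v.Login("correct horse", victimCode, 59))
	// The attacker replays eleven seconds later: rejected, the step is spent.
	fmt.Println(v.Login("correct horse", victimCode, 70))
	// The attacker tries five minutes later: rejected, the code has expired.
	fmt.Println(v.Login("correct horse", victimCode, 359))
	// Password alone with a guessed code: rejected.
	fmt.Println(v.Login("correct horse", "000000", 359))
}
```

The keylogger gets everything typed, so the only thing that defeats it is a value it cannot type again: a code that expires with the clock and is spent on first use.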
chris_7|9 years ago
The dropdowns are hilarious for non-security reasons, you have to choose your favorite artist... from a list of about 12 artists. I suppose it could be an improvement on the misogynist, homophobic, and Facebook-able "mother's maiden name".
I'm almost disappointed that they're not having their phone staff ask for your actual password - I'd love to have the experience of reading my 1Password-generated password to them.
The author seems to use authorization and authentication interchangeably multiple times in the text. They may be right about the point they are making, but it leaves a bad taste.
swang|9 years ago
security questions as a recovery mechanism are fucking terrible.
most people are going to fill in the same response for their security q/a over multiple sites so pretty much any bad actor in any organization could possibly look at the security q/a, guess that their question/answers are the same on other sites and exploit that avenue.
also fuck remembering all of that.
but i think HSBC was even worse than what United is asking for. for their online banking you had to enter in your password then enter in another password using a browser based keyboard (AVOIDS KEYLOGGING!) and then answer a security question or something like that. i must have asked for a new passcode to reset everything every couple of months (they mail these to you via snail-mail).
of course the problem with the system was (and i forgot exactly how) there was a way sometimes to reset all these systems so you didn't have to remember your answer for each security measure. i was pretty sure it was a bug with the system but fuck if i want to endure the hell in trying to explain to a website with terrible security that you've found a bug in their terrible system and please don't put me in jail and what do you mean, 'what is a hash function?'
cm2187|9 years ago
Well that was the promise of OAuth. But then that service company (in this case Google and Facebook) have full and perfect visibility on all the websites you use which raises some other problems. Which is why I never wanted to touch it and why I think they are not so popular.
What I really like is concepts like Steve Gibson's SQRL, which provides a pretty secure alternative to passwords, but in a fully decentralised way, i.e. SQRL only provides the protocol and the cryptography, but the authentication only involves you (and your devices) and the website, no reliance on a third party.
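As an added example, not SQRL's own code or anything from the thread, the Go program below shows the decentralised part of that design: the client derives an Ed25519 key pair per site from a master key it never shares, each site keeps only the public key it saw at enrolment, and a login is a signed challenge, so no identity provider sits in the middle and no two sites can link the same user. The derivation (HMAC-SHA256 of the site domain keyed by the master key) follows SQRL's; the nonce format, the domain-binding of the signed message and the Site type are simplifications assumed for this demo, and the domains and master key are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// siteKey derives the Ed25519 key pair a client uses at one site from its
// identity master key, as SQRL does: seed = HMAC-SHA256(masterKey, domain).
// Every domain gets an unrelated key pair, so two sites cannot correlate
// the same user, and the master key itself never leaves the client.
func siteKey(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signedMessage binds the server's nonce to the domain the client believes
// it is talking to, so a response captured for one site is useless at another
// (assumed simplification of SQRL's signed query string).
func signedMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// ClientRespond is the client side: derive the per-site key and sign the
// challenge. Only the public key and the signature go over the wire.
func ClientRespond(masterKey []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKey(masterKey, domain)
	return pub, ed25519.Sign(priv, signedMessage(domain, nonce))
}

// Site is the relying party. It needs no password database and no identity
// provider: it remembers the public keys it has enrolled and the nonces it
// has issued but not yet consumed.
type Site struct {
	domain string
	users  map[string]bool // hex-encoded public keys enrolled so far
	nonces map[string]bool // outstanding challenges
}

func NewSite(domain string) *Site {
	return &Site{domain: domain, users: map[string]bool{}, nonces: map[string]bool{}}
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Site) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify consumes the nonce, checks the signature against this site's own
// domain, and enrols a first-time key or recognises a returning one. The
// returned identity is the hex public key, which is all the site ever learns.
func (s *Site) Verify(pub ed25519.PublicKey, nonce, sig []byte) (string, bool) {
	n := hex.EncodeToString(nonce)
	if !s.nonces[n] {
		return "", false // unknown or already-used nonce: replay or forgery
	}
	delete(s.nonces, n)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedMessage(s.domain, nonce), sig) {
		return "", false
	}
	id := hex.EncodeToString(pub)
	s.users[id] = true // first visit enrols, later visits match
	return id, true
}

func main() {
	master := make([]byte, 32) // the client's long-term identity, kept on its device
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	a, b := NewSite("example.com"), NewSite("example.net")

	na, _ := a.Challenge()
	pubA, sigA := ClientRespond(master, "example.com", na)
	idA, ok := a.Verify(pubA, na, sigA)
	fmt.Println("login at example.com:", ok, idA[:16])

	nb, _ := b.Challenge()
	pubB, sigB := ClientRespond(master, "example.net", nb)
	idB, ok := b.Verify(pubB, nb, sigB)
	fmt.Println("login at example.net:", ok, idB[:16], "linkable?", idA == idB)

	_, ok = a.Verify(pubA, na, sigA)
	fmt.Println("replayed response accepted?", ok)
}
```

The site stores nothing a breach could turn into a credential elsewhere: a leaked public key is useless at any other domain, and the private key for this domain was never sent.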
Why is it a no-brainer? Consider their perspective - it'll cost money, their customers won't thank them, and in fact will probably be frustrated by the experience, and it won't enhance shareholder value.
Apple also uses security questions like this for Apple ID accounts. I don't like it, but where's the outrage? Is there a way to do this correctly, other than the user asking their own question?
Don't give them ideas. I have 1 security token for each bank over here in Singapore and a few others. I wish they used something like Google Authenticator rather than cook up their own.
kogepathic|9 years ago
(In passing jest to: https://news.ycombinator.com/item?id=12246490)
calanya|9 years ago
Does no company in this space know how to sell to conservative IT organizations like airlines?
madaxe_again|9 years ago
I can't see why they would.
walrus01|9 years ago
Where is your god now?
duncan_bayne|9 years ago
https://s4.postimg.org/5er0ol93h/Screenshot_2016_08_14_17_59...