I had one experience reporting a security vulnerability to United's bug bounty program and never want to do it again. I reported an issue that I could reset anybody's MileagePlus number by only guessing a multiple choice security question ("what is your favorite sport", etc), bypassing any email confirmation or anything like that. After 3 months of back and forth with their security team, they released an Android update that patched the issue. I was then told "It turns out this fix was pushed by the QA team and was actually unrelated to your Bug Bounty submission" and that my submission was ineligible.
At least they have a program I guess?
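As an added illustration (not code from the thread or from United), here is the reset pattern the comment describes, a multiple-choice security question as the only proof of ownership, beside a hardened variant that replaces it with a single-use emailed token. It also covers the small-N lockout mentioned later in the thread: `guess_success_rate` shows how little a lockout helps when the secret has only a handful of possible values. Account data, the four-way sport choice, and the 15-minute token lifetime are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed sample data; not any airline's real account store.
ACCOUNTS = {"MP000001": {"email": "member@example.com", "fav_sport": "hockey"}}
SPORT_CHOICES = ["soccer", "tennis", "golf", "hockey"]  # assumed 4-way multiple choice


def weak_reset(mp_number: str, chosen_answer: str) -> bool:
    """Pattern described in the thread: a multiple-choice security question
    is the only proof of ownership, with no email confirmation step."""
    acct = ACCOUNTS.get(mp_number)
    return acct is not None and acct["fav_sport"] == chosen_answer


def guess_success_rate(choices: int, attempts_before_lockout: int) -> float:
    """Chance a guesser passes weak_reset before a small-N lockout triggers.
    Each wrong attempt eliminates one option, so success is attempts/choices,
    capped at 1.0."""
    return min(1.0, attempts_before_lockout / choices)


# Hardened variant: a random, single-use, short-lived token sent to the
# registered email address replaces the guessable question.
_PENDING = {}  # mp_number -> (token, expiry_unix_time)
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime


def request_reset(mp_number: str):
    """Issue a reset token. In a real system the token is emailed to the
    account's address and never returned to the caller; it is returned here
    only so the example can be exercised offline."""
    acct = ACCOUNTS.get(mp_number)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    _PENDING[mp_number] = (token, time.time() + TOKEN_TTL_SECONDS)
    return token


def strong_reset(mp_number: str, presented_token: str) -> bool:
    """Accept the reset only with a matching, unexpired token. The token is
    consumed on the first attempt, so a wrong guess also burns it."""
    entry = _PENDING.pop(mp_number, None)
    if entry is None:
        return False
    token, expiry = entry
    if time.time() > expiry:
        return False
    return hmac.compare_digest(token, presented_token)
```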
Thanks for sharing your experience. No one wants innocent people's data to be compromised, but maybe your story will do something to discourage others from participating, and United will feel the consequences as a result. Having a bug bounty program is one thing; standing behind it is another. Is there a ranking of bug bounty programs in terms of ease of use, good faith, etc?
I've often read discussion about how you can't regulate this sort of thing because the industry moves so fast that what's a best practice today can be tomorrow's horrible security (then enforced by law).
But, isn't it possible to legislate this on a blacklist basis? "Fine of up to $X if you're storing passwords in plaintext. Fine of up to $X if you're limiting the length of passwords to < 16 characters. Fine of up to $X if you misrepresent your 2FA implementation (as in the article). Fine of up to $X if you accept unencrypted logins over the web."
Outlawing a small set of easily identifiable and correctible attack vectors would be enough to get companies thinking about security a bit more seriously. It doesn't have to be anything big, and I wager it'd have a serious impact.
I think requiring mandatory insurance against "cyber-disaster" for qualifying types of companies would be the best way to accomplish this.
Insurance premiums of all types are based on risk factors, so the policy would be written against a checklist of best practices.
Similar to how having a fire extinguisher in your kitchen reduces your home insurance premiums by a small percentage, the same could be said for each security practice. Encrypted passwords: -2%. Mandatory 2FA in place: -3%. Etc.
This kind of law would be very ineffective as they need to grandfather previously built applications, and so enforcement becomes very complicated and only practical in data-breach scenarios, so might as well make laws that fine for data breaches in relation to non-zero-day and neglect of security by industry standards (I know it when I see it, expert opinion, et al).
That is, don't legislate implementation but consequences.
You can regulate by having legislation that has 2 components. One is the law that such companies have to follow best practices. Second, best practices are created and published by a set of companies who have the best record of implementing security correctly, or even having security professionals (and there are many well respected security experts who can do this since they talk about it on their blogs all the time).
United began debuting new authentication systems wherein customers are asked to pick a strong password and to choose from five sets of security questions and pre-selected answers.
This has been in place for 3 years despite public shaming.
I'm stuck flying United most of the time and I get the sense their cybersecurity posture is consistent with their broader business posture: "If you do nothing, nothing will happen. If something external forces change, deny, deny, deny." Very old school. In all the worst ways.
You think that's bad, there are major Canadian banks where the password for your online banking account can't be longer than 8 characters or numbers, can't contain punctuation marks, and is stored in plaintext on their backend.
Edit: oh yeah, I forgot, it also doesn't recognize case sensitivity. A = a
I'm assuming they're storing them in all caps, 8 character length database fields on a monstrous ancient mainframe software application.
For what it's worth, such password schemes usually include lockouts after small-N tries to prevent the passwords from being brute-forced from the outside, and an attacker with database-level access is probably going to use it not to compromise passwords but to directly change balances.
Not to excuse such password schemes - they're horrible, and banks need to get with the times - but if they were really so ineffective, their coffers would have been drained long ago.
Not quite as bad but I got a letter recently from something bank-ish (huge, international, traditional) that contained some serious admonitions including one about never using password managers or writing down the password in any way, concealed or not didn't matter.
I have problems taking any security advice seriously from such companies after that, but since I fully expect them to use it against me if I ever have to file a fraud complaint I guess I'll have to deal with it - and get another account with a company that isn't braindead when it comes to security.
United needs to be heavily litigated when accounts eventually get compromised. This must be a wanton disregard for security, rather than simple naivety as many other sites exhibit.
There needs to be real, material damages for companies who do not properly secure data following best-practice guidelines. Not just an 'oh sorry your account was compromised, please change your password!' circus - actual, concrete damages by way of fines or the like put on those who do not properly look after user data.
Funny enough, they did burn the building down back in the mid 90s. There was so much copper wiring that melted together that they just left the blob between the floors because it would be too hard to remove. I’m sure it has been dealt with since then with the whole wifi and cell phone issues that it would cause though.
I worked there as an IT intern in the early 2000s. I vowed to never work in IT. Yet here I am. I guess the siren song was too much.
But... but do I really need all this security with an airline website? What's the worst thing someone can do with my account? Buy me a ticket? See my address?
If you have stored credit cards, they can buy tickets for anyone. They can change existing reservations. They can steal your passport number. All sorts of things.
pmalynin|7 years ago
But hey they require security questions!
It’s 2019, how can this be...
rnotaro|7 years ago
Do you have a source about the plain text passwords claim? I won't even be surprised if that's true.
piquadrat|7 years ago
Well that was the worst place the author could have mixed up authorization and authentication...
In fact, he seems to use authorization and authentication pretty much interchangeably, which kind of undermines his rant a bit...
pdx_flyer|7 years ago
I know they have fought quite a bit of mileage theft out of a number of countries and they thought this was a good way of doing that, but it's awful.
AlexTWithBeard|7 years ago
Or I am just extremely naive?