I have a tendency to go on rants when I encounter a major service provider doing something upsetting. I will do my best to temper my feelings and exhibit gracious proffesionalism while discussing some aspects of United’s Mileage Plus program that are lackluster.

I am sharing my thoughts with the hope that someone feeling the same feelings as me on the matter can either provide some advice, counterpoint, or at least to know that they are not alone.

That said, the security standards enforced by the United Mileage Plus program are a bit of a joke.

I recently received an email saying that I must enable security questions on my account with United Mileage Plus or I will not be able to access said account.

The problem is that security questions are not really secure. There are far better security experts (at United and in the community at large) than me who can explain why this is a bad idea, but I will try to summarize as best as I can.

available security questions

Security questions like these are relatively easy for someone to guess. If the answer is obvious to you, then it is probably obvious to others as well.

Have you ever posted something on Facebook along the lines of “I can’t believe it’s been four years since my spouse and I first met at …"? Have you ever posted a photo of your dog on Facebook? Have you mentioned some of your sport interests on LinkedIn?

Then congratualations, an attacker may very well already know the answer to three of your security questions.

If you are not on social media, or if you do a good job of controlling your privacy settings, then you are more likely to be safe.

However, questions like these were designed to be easy for someone who might describe themselves as “not good with computers”. And that type of person is far less likely to perform their own security and privacy audits.

These questions aren’t even that good. Not everyone has a favorite sea animal, or plays an instrument. I love dogs, but I do not have a favorite breed. Forcing me to pick an option when I don’t really have one means that I’m more likely to forget the answer and have to talk to customer support in the future.

This is especially upsetting to me as United could have spent time and energy implementing a security measure that would have actually been more secure, like two factor authentication. Instead, they chose a route they probably assumed would be simlper for customers, but adds more hassle than security.

On top of that, United Mileage Plus provied a similarly archaic user experience for me a few years ago when it, without warning, truncated my password when I went to change it.

I will happily admit that the odds of you, me, or anyone being exploited by this are relatively low. The problem is that are better security options than this, and that United’s time and the time of consumers like me would have been better spent on one of those better options than with security questions.