I had one experience reporting a security vulnerability to United's bug bounty program and never want to do it again. I reported that I could reset anybody's MileagePlus number by only guessing a multiple choice security question ("what is your favorite sport", etc.), bypassing any email confirmation or anything like that. After 3 months of back and forth with their security team, they released an Android update that patched the issue. I was then told "It turns out this fix was pushed by the QA team and was actually unrelated to your Bug Bounty submission" and that my submission was ineligible.
At least they have a program I guess?
Thanks for sharing your experience. No one wants innocent peoples' data to be compromised, but maybe your story will do something to discourage others from participating, and United will feel the consequences as a result. Having a bug bounty program is one thing; standing behind it is another. Is there a ranking of bug bounty programs in terms of ease of use, good faith, etc?
It's never good to have bugs in the wild that could risk customer information. I want to see United shape up, but I don't want regular guys to suffer for it.
I've often read discussion about how you can't regulate this sort of thing because the industry moves so fast that what's a best practice today can be tomorrow's horrible security (then enforced by law).
But, isn't it possible to legislate this on a blacklist basis? "Fine of up to $X if you're storing passwords in plaintext. Fine of up to $X if you're limiting the length of passwords to < 16 characters. Fine of up to $X if you misrepresent your 2FA implementation (as in the article). Fine of up to $X if you accept unencrypted logins over the web."
Outlawing a small set of easily identifiable and correctible attack vectors, would be enough to get companies thinking about security a bit more seriously. It doesn't have to be anything big, and I wager it'd have a serious impact.
I think requiring mandatory insurance against "cyber-disaster" for qualifying types of companies would be the best way to accomplish this.
Insurance premiums of all types are based on risk factors, so the policy would be written against a checklist of best practices.
Similar to how having a fire extinguisher in your kitchen reduces your home insurance premiums by small percentage, the same could be said for each security practice. Encrypted passwords: -2%. Mandatory 2FA in place: -3%. Etc.
This kind of law would be very ineffective, as they would need to grandfather previously built applications, and so enforcement becomes very complicated and only practical in data-breach scenarios. So we might as well make laws that fine for data breaches in relation to non-zero-day issues and neglect of security by industry standards (I know it when I see it, expert opinion, et al.).
That is, don't legislate implementation but consequences.
Why would you need to grandfather previously built applications? It seems to me that these would be the best things to target with the law. When you pass the law, include a date at which enforcement starts. Now you need to fix any in-use applications.
They don't need to grandfather anything - it's similar to the GDPR in the sense that you can give companies time to prepare, and then it comes into force.
Prepare the law, give companies 3-5 years to prepare, and after that, anything is fair game. If your company is accepting plaintext passwords there should be something that makes you say "oh we have 3 years to change this, let's hire someone to fix this". If a system is live and in use, it -should- follow some -minimal- standards for security.
That doesn't preclude your data breach fine idea - that'd be useful for more advanced security situations that can't be predicted (as you said, based on expert opinions).
But something as basic as "you're not allowed to pretend it's 2FA if it's just password + questions" or "you're not allowed to store passwords in plaintext", that sort of thing should be the minimal baseline that companies should have to adhere to, surely.
You can regulate by having legislation that has 2 components. One is the law that such companies have to follow best practices. Second, best practices are created and published by a set of companies who have the best record of implementing security correctly, or even having security professionals (and there are many well respected security experts who can do this since they talk about it on their blogs all the time).
You can also regulate by having fines or substantial civil damages for breaches, requiring insurance to cover the liability, and letting the insurers figure out what practices are needed to get cheap rates.
United began debuting new authentication systems wherein customers are asked to pick a strong password and to choose from five sets of security questions and pre-selected answers.
This has been in place for 3 years despite public shaming.
I'm stuck flying United most of the time and I get the sense their cybersecurity posture is consistent with their broader business posture: "If you do nothing, nothing will happen. If something external forces change, deny, deny, deny." Very old school. In all the worst ways.
Does this mean that United Airlines is still using the inadequate system described in the article?
In my opinion, public shaming is the last resort: when you tried everything and failed to make your legitimate concerns about cyber-security heard by the company, you go public and hope that the bad press creates some kind of PR issue... But what if it doesn't? What if the public shaming proves useless? What can be done then?
"Boycott"? You can quit flying with them, but individuals doing this will have pretty much 0 effect. In many cases, a specific airline may be the only practical way to get from A to B, so you're generally stuck. This is even more grating on me when I fly and hear "we know you have a choice, thank you for flying with _____ today!". No, really, most of the time, I don't have much of a choice. Drive 7 hours or spend 4 hours in an airport. Fly ABC direct or DEF via 2 layovers. Neither are great choices (if they exist at all).
You think that's bad, there's major Canadian banks where the password for your online banking account can't be longer than 8 characters or numbers, can't contain punctuation marks, and is stored in plaintext on their backend.
Edit: oh yeah, I forgot, it also doesn't recognize case sensitivity. A = a
I'm assuming they're storing them in all caps, 8 character length database fields on a monstrous ancient mainframe software application.
For what it's worth, such password schemes usually include lockouts after small-N tries to prevent the passwords from being brute-forced from the outside, and an attacker with database-level access is probably going to use it not to compromise passwords but to directly change balances.
Not to excuse such password schemes - they're horrible, and banks need to get with the times - but if they were really so ineffective, their coffers would have been drained long ago.
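To make the two points in the comments above concrete (the bank scheme that uppercases and caps passwords at 8 characters, and the lockout after a small number of tries that limits outside guessing), here is an added illustration that is not part of the thread. It models a legacy-style store next to a hardened one that hashes with a per-user salt and locks the account after MAX_FAILED wrong attempts; all names, thresholds and sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed example: hypothetical thresholds, not any bank's real policy.
MAX_FAILED = 5          # failed attempts before the account locks
LOCKOUT_SECONDS = 900   # how long the account stays locked
PBKDF2_ROUNDS = 50_000  # work factor for the hardened store


def legacy_normalize(password: str) -> str:
    """Mimic an old fixed-width field: drop punctuation, uppercase, keep 8 chars.
    Many distinct passwords collapse onto the same stored value."""
    cleaned = "".join(ch for ch in password if ch.isalnum())
    return cleaned.upper()[:8]


class WeakStore:
    """Plaintext, case-insensitive, 8-character scheme from the comment above."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, password: str) -> None:
        # Stored as-is: anyone who can read the table can read the password.
        self.records[user] = legacy_normalize(password)

    def verify(self, user: str, password: str) -> bool:
        return self.records.get(user) == legacy_normalize(password)


class HardenedStore:
    """Salted PBKDF2 hashes plus a per-account lockout counter."""

    def __init__(self, clock=time.time):
        self.records = {}   # user -> (salt, digest)
        self.failures = {}  # user -> (failed_count, locked_until)
        self.clock = clock  # injectable so the lockout window can be tested

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.records[user] = (salt, digest)

    def is_locked(self, user: str) -> bool:
        _, locked_until = self.failures.get(user, (0, 0.0))
        return self.clock() < locked_until

    def verify(self, user: str, password: str) -> bool:
        if self.is_locked(user):
            return False  # refuse even the right password while locked
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            self.failures.pop(user, None)  # success clears the counter
            return True
        count, _ = self.failures.get(user, (0, 0.0))
        count += 1
        locked_until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILED else 0.0
        self.failures[user] = (count, locked_until)
        return False


def online_guess_budget(max_failed: int, lockout_seconds: int, horizon_seconds: int) -> int:
    """Upper bound on guesses an outside attacker gets against one account
    within the horizon, if the lockout resets fully after each window."""
    windows = horizon_seconds // lockout_seconds
    return max_failed * windows


if __name__ == "__main__":
    weak = WeakStore()
    weak.register("bob", "Secret!pass123")
    print("weak store accepts 'secretpa':", weak.verify("bob", "secretpa"))
    print("guesses per day with lockout:", online_guess_budget(MAX_FAILED, LOCKOUT_SECONDS, 86400))
    print("case-insensitive alphanumeric 8-char keyspace:", 36 ** 8)
```

The budget function is what the lockout comment is pointing at: with five tries per fifteen-minute window, an outside attacker gets a few hundred guesses per day against a keyspace of 36^8, which is why such schemes survive online attacks even though a leaked table or backup exposes every password at once.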
Full write access to a database is a totally different thing than reading out the plaintext passwords or getting a leaked dump of the data. Perhaps a mishandled backup.
Which is one of the reasons why these schemes are horrible. But the point remains that banks are afraid of database leaks for other reasons.
Maybe think of it like this: imagine that you have an airgapped system where all the endpoints are running Windows XP (reasoning being something like hardware drivers that were written by defunct companies and can't / won't be upgraded). Is it horrible that such machines are running unsupported, EOL versions of Windows? No question. But if there are other controls in place (like airgapping, like 24/7 physical access control to the endpoints), it might still be possible to provide de-facto effective security.
Not quite as bad but I got a letter recently from something bank-ish (huge, international, traditional) that contained some serious admonitions including one about never using password managers or writing down the password in any way, concealed or not didn't matter.
I have problems taking any security advice seriously from such companies after that, but since I fully expect them to use it against me if I ever have to file a fraud complaint, I guess I'll have to deal with it - and get another account with a company that isn't braindead when it comes to security.
Seems to be continuing the pattern of shifting responsibility. 20 years ago, we had 'bank fraud', but now much of that same activity is 'identity theft'. This shifts the burden from 'their' problem to 'my' problem.
From people I know who've interacted with the customer service representatives, in particularly weird/complicated situations once you've reached the second or third tier of people who resolve unusual problems, and authenticated yourself, it's possible to get them to read back your own password to you.
United needs to be heavily litigated when accounts eventually get compromised. This must be a wanton disregard for security, rather than the simple naivety that many other sites exhibit.
There needs to be real, material damages for companies who do not properly secure data following best-practice guidelines. Not just a 'oh sorry your account was compromised, please change your password!' circus - actual, concrete damages by way of fines or the like put on those who do not properly look after user data.
Funny enough, they did burn the building down back in the mid 90s. There was so much copper wiring that melted together that they just left the blob between the floors because it would be too hard to remove. I’m sure it has been dealt with since then with the whole wifi and cell phone issues that it would cause though.
I worked there as an IT intern in the early 2000s. I vowed to never work in IT. Yet here I am. I guess the siren song was too much.
But... but do I really need all this security with an airline website? What's the worst thing someone can do with my account? Buy me a ticket? See my address?
If you have stored credit cards, they can buy tickets for anyone. They can change existing reservations. They can steal your passport number. All sorts of things.
You would be surprised. I work at an airline fraud prevention platform, and the legal hassle with credit card/loyalty fraud (which is what this would be) is so complex that fraudsters are often not charged with fraud. They just go ahead and provide their real information. Or change it right before takeoff at the airport, leaving the fraud analysts with no time.