Dear executives of United Airlines, I have some advice for you. 1: Fire whoever is in charge of your online security. 2: Burn down the building in which they worked; it may be tainted. 3: Salt the ground so nothing ever grows there again, to be safe. 4: Hire somebody competent who will not infuriate your users while simultaneously compromising their security.
I know I probably sound like a disgruntled passenger who just had an unpleasant airline experience. Not so! I am actually fond of United, have flown hundreds of thousands of miles with them, and have upper-tier status with them. But I’m also an engineer who writes about security.
It was bad enough when they replaced their free-form password security questions with drop-down selections — I am not making this up — for “Your favorite artist,” “Your favorite pizza topping,” etc., citing — I am still not making this up — the threat of keylogging malware.
This has already been appropriately eviscerated by Josephine Wolff in Slate, and, in fairness, it’s a kind of idiocy that seems to be common to large organizations. Citibank UK did the same thing for years, before they realized how dumb it was.
The thing that bumbling bureaucrats like United’s security team never seem to realize is: you don’t make your systems more secure by making them hard to use. They will react by trying to make it easy again — by, for instance, picking the first answer in every option, rather than trying to remember both questions and answers that they did not devise and have no resonance for them.
(Similarly, you should not force your users to change passwords frequently, or their passwords will grow weaker, they will write them down in multiple places, etc. I’m looking at you, AOL-which-owns-TechCrunch.)
But even that was merely bad, eyeroll-provoking, frustration-inducing; whereas this week’s compounding sin provoked something more like righteous fury. This week they sent me an email saying:
Your security questions will also be used as part of upcoming two-factor authentication to further protect your account — you’ll be asked to answer your security questions the first time you sign in from a device that we don’t recognize.
0 comments:
Post a Comment