According to Brian Krebs, United Airlines has rolled out a series of updates to its website that it claims will improve the security of its customer accounts. These changes include moving from a 4-digit PIN to a password, as well as customers being required to pick five different security questions and answers. Robert Capps, VP of business development at NuData Security commented below.
Robert Capps, VP of Business Development at NuData Security:
“United Airlines is clearly attempting to incrementally advance consumer security, while maintaining usability. We remind ourselves every day that security is a process, and for it to be so, it has to become part of business as usual… not a milestone, or a sprint to the finish line. The race has not been run, or won. It’s not, in fact, a race at all – and although hackers might not see it that way, we’re in it for the duration. Any good security program must be a balance between effectiveness and convenience, between threat protection and customer friction and in perfect unison, in sequence and timing, just like a good duet.
The approach United Airlines is taking seems thoughtful and appropriate, given the number of customers who use the system on a daily basis, and the need to provide timely and ubiquitous access to flight information, reservations, tickets and other travel information.
United’s approach is unlike many companies we’ve seen of late. It’s not about deploying the most visible and impactful (or some would say, disruptive) techniques in front of consumers in an effort to demonstrate security to customers. It’s early, but it just might be the case that United is doing the opposite — forming the key elements of a foundational plan to incrementally increase actual consumer security.
As they continue along this path, I would expect to see United leading the way with new and innovative techniques to secure their customer base, but first… let’s let them get started. I’m sure there is more to follow. As practitioners, we can choose to take a step back and deploy our curiosity rather than scepticism, and give United the space they need to demonstrate leadership in this area.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.