United Vacations -- Bad IT security practices

Discussion in 'United Airlines | MileagePlus' started by HaveMilesWillTravel, Nov 2, 2014.

  1. HaveMilesWillTravel
    Original Member

    HaveMilesWillTravel Gold Member

    Messages:
    12,504
    Likes Received:
    20,199
    Status Points:
    16,520
    About United Vacations

    A company you can trust
    United Vacations is the leisure vacation package product for United Airlines and is operated by The Mark Travel Corporation (TMTC). TMTC is a privately held company headquartered in Milwaukee, Wisconsin, and has been fulfilling millions of vacation dreams with unparalleled customer care and at exceptional value for over 40 years.


    Based on a recent experience, United Vacations is definitely not a company I can trust.

    United Vacations does not practice sound IT security practices. Create an account with them and then use the "Forgot my Password" feature. They'll ask you for your email address and then send you - in clear text - the password you used to create the account.

    In other words, they not only transmit passwords via insecure channels (email), but they also store the password (instead of a hashed version). @UA Insider - is this a company you want to host on your domain (vacations.united.com) with your logo? Oh, wait... you also still use 4-digit pins...
     
    Sammich likes this.
  2. Sammich

    Sammich Gold Member

    Messages:
    5,644
    Likes Received:
    22,439
    Status Points:
    11,025
    We have a bank up here in Canada (one of the big 4... I think that particular one was number 3) that uses 4-6 digit PINs as passwords for your bank account.

    Now THAT's security.
     
  3. HaveMilesWillTravel
    My wife's credit union does the same, Sammich. They'll soon be her ex-credit union (not the only reason, but it fits the picture).
     
    Sammich likes this.
  4. HaveMilesWillTravel
    Not exactly surprising perhaps, but as I went to change my wife's password on vacations.united.com, all login-related pages seem to result in this at the moment:

    unitedvacations.png
     
    Sammich likes this.
  5. Sammich

    You know that particular financial institution doesn't give a rat's a** about your information security if that's how they enforce authentication. Any company that still uses 'PINs' as a method of authentication is waiting for something big to come down on them. It's 2014, not the 1990s.

    Unfortunately a lot of companies I've consulted and talked with are reluctant to make any changes because of 'cost' and office political bureaucracy, but once something goes on the media, bam, suddenly they're all so efficient.
     
    anileze and HaveMilesWillTravel like this.
  6. Sammich

    Looks like a major overhaul will be needed...
     
    HaveMilesWillTravel likes this.
  7. HaveMilesWillTravel
    Oh boy...

    united_vacation_comment2.png

    It's "invalid" due to the quotes around "Forget Password". Now I really trust their code injection prevention.
     
    Sammich likes this.
  8. HaveMilesWillTravel
    United Vacations commitment to information security
    To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, there are appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online. We use SSL (Secure Socket Layers) to encrypt and protect your personal information. We understand this is vital in the exchange of credit card and password information.

    http://vacations.united.com/generalinformation/privacypolicy.aspx

    I don't think they understand what appropriate procedures are. But let's see what they come back with in response to the comment I submitted.
     
    Sammich likes this.
  9. Sammich

    LOL :rolleyes::rolleyes::rolleyes:
    My experience is that they usually won't :( Either that or a very generic response.
     
    HaveMilesWillTravel likes this.
  10. HaveMilesWillTravel
    I'll report back.

    united_vacation_response.png
     
    blackjack-21 and Sammich like this.
  11. HaveMilesWillTravel
    Response:

    Good afternoon,

    Thank you for contacting United Vacations.

    We appreciate you for taking time out of your day to provide your valuable feedback. To view United Vacations privacy policy, please visit our website at http://vacations.united.com/GeneralInformation/PrivacyPolicy.aspx.

    Have a nice evening!

    Sincerely,

    Teresa

    Customer Care
    United Vacations
    Operated by The Mark Travel Corporation
    I sure hope that "Teresa" is a script responding with a generic message to all messages in the "Security and Privacy" category.

    In any case, United Vacations are not alone and I will be submitting them to http://plaintextoffenders.com/

    If you happen to have an account with United Vacations and were using a password that you also used on other sites, I would strongly recommend changing it (and this practice).
     
    WilliamQ and Sammich like this.
  12. Sammich

    LOL.

    I'm speechless.
     
    WilliamQ likes this.
  13. HaveMilesWillTravel
    I am surprised the email didn't end with "PS: Would you need a Hertz rental car at your destination?"
     
  14. Sammich

    "Please send me your credit card details in plain text by replying to this email"
     
    WilliamQ likes this.
  15. WilliamQ

    WilliamQ Gold Member

    Messages:
    4,504
    Likes Received:
    14,272
    Status Points:
    10,675
    You do actually still read about these occasionally when databases get hacked. Can be real painful and embarrassing for the victims.

    I had the misfortune of standing in lines and then the credit card does not work due to no fault of mine. The lame "could you please try that again..."
     
    Sammich likes this.
  16. HaveMilesWillTravel
    I'd be shocked if they protected credit card information any better. Which makes me think that the likes of Visa and Mastercard should be interested in revoking the ability to process credit cards from sites with obviously negligent IT security departments.
     
    Sammich likes this.
  17. Sammich

    Probably not hashed as well. Maybe just in plain text.
     
