According to online security expert Brian Krebs, United Airlines has rolled out a series of updates to its website that it claims will improve the security of its customer accounts. These changes include moving from a four-digit PIN to a password and requiring customers to pick five different security questions and answers.
United Airlines is clearly attempting to incrementally advance consumer security while maintaining usability. We remind ourselves every day that security is a process, and for it to be so, it has to become part of business as usual, not a milestone or a sprint to the finish line. The race has not been run, or won. It’s not, in fact, a race at all, and although hackers might not see it that way, we’re in it for the duration. Any good security program must be a balance between effectiveness and convenience, between threat protection and customer friction, all in perfect unison, in sequence and timing, just like a good duet.
The approach United Airlines is taking seems thoughtful and appropriate, given the number of customers who use the system on a daily basis, and the need to provide timely and ubiquitous access to flight information, reservations, tickets and other travel information.
United’s approach is unlike that of many companies we’ve seen of late. It’s not about deploying the most visible and impactful (or some would say, disruptive) techniques in front of consumers in an effort to demonstrate security to customers. It’s early, but it just might be the case that United is doing the opposite: forming the key elements of a foundational plan to incrementally increase actual consumer security.
As they continue along this path, I would expect to see United leading the way with new and innovative techniques to secure its customer base. But first, let’s let them get started. I’m sure there is more to follow. As practitioners, we can choose to take a step back and deploy our curiosity rather than skepticism, and give United the space they need to demonstrate leadership in this area.
Robert Capps is VP of business development at NuData Security, a company which develops systems that can positively verify users online, using real-time behavioral analytics.