MileagePlus Account Protection: Why United Should Switch from PIN to Password

“Brian you should also do a write up about United they use the 4 digit pin for login”, reader Pete posted in the Comments area of this article warning about the security of accounts in the Hilton HHonors frequent guest loyalty program, as some have been accessed and even sold by thieves. “Like Hilton it can’t be disabled. It also has to be provided to the customer service personnel when calling them. I believe the only way to get these companies to change sometimes is to put public pressure on them.”

I was thrilled when I was able to keep my OnePass frequent flier loyalty program account number after Continental Airlines merged with United Airlines, as I was never able to memorize my Mileage Plus frequent flier loyalty program account number; but the days of the four-digit personal identification number — or PIN — still prevail to the chagrin of those who are concerned about the security of their accounts.

It is quite easy to remember a four-digit personal identification number as opposed to a complex password; but unfortunately, it is also easy for a thief to break into your account and either use your frequent travel loyalty program miles or points for their own nefarious purposes — including redeeming them for their own use or selling them to someone else.

Delta Air Lines recently switched from a four-digit personal identification number to a password which requires a minimum of six characters. The password:

  • Must be 6-20 characters long
  • Cannot be the same as your SkyMiles frequent flier loyalty program account number, e-mail address or username
  • Cannot contain any special characters or non-English characters

In this case, you have your choice of numbers or letters for your password — which can be your former four-digit personal identification number plus two additional characters, if you so choose. I personally switched to an entirely different password and may switch it again in the near future.

To be clear, there have not been any reports of compromised MileagePlus frequent flier loyalty program accounts of which I am personally aware — but why wait until they happen before action is taken?

“Why Hilton is so behind the times I have no idea”, reader And recently posted in the Comments area. “If my account is compromised due to their lack of security I expect them to fully compensate me for the points. I’ve also removed my saved credit cards and urge everyone else to do the same.”

I believe that And is correct. There is no reason in this day and age to have an antiquated system which offers minimal protection at best to what amounts to the currency of an account of a frequent travel loyalty program. United Airlines needs to implement true password protection for the accounts of MileagePlus frequent flier loyalty program members to help prevent what some Hilton HHonors frequent guest loyalty program members are currently experiencing…

…and while we are on this subject, are there any other frequent travel loyalty programs which still use a four-digit personal identification number — or similarly weak protection — as the only means of protection of accounts? If so, please post it in the Comments section below.

2 thoughts on “MileagePlus Account Protection: Why United Should Switch from PIN to Password”

  1. Greg says:

    Didn’t realize it was a risk. Was annoyed when Delta did away with the easy 4 digit pin.

  2. Ford says:

    @greg if you don’t know how vulnerable your passwords are play with this tool:

    https://howsecureismypassword.net/

    (note, I wouldn’t enter your real passwords there in case I’m a terrible person and it’s a phishing site, but it’ll give you an idea what’s important in password complexity. Also, you should probably start using a PW manager so you aren’t tempted to use 3-5 passwords (at best) for almost every site. They’ll all get hacked eventually, all you can do is damage control/compartmentalize by having a unique pw for all of them.)
