
Account Password Reset Procedures a Joke

You won't believe what happened to me today

By jheary on Mon, 08/17/09 - 3:42pm.

When I logged into one of my online accounts today it said it was locked out and I needed to call to get it reset. You won't believe what happened next.
Sure SSL attacks, keyboard loggers, man-in-the-middle attacks, etc. are sexy and hip hacks for stealing someone's passwords. However, exploiting an online account password reset procedure is unfortunately way easier. Sadly it seems that the infamous hacking of Sarah Palin's Email account by exploiting the password reset procedure did little to help. Sure the big online companies stood up and took measures but that is about it.

So as I said one of my accounts was locked out so I called the number listed on the webpage. Someone answered right away and asked for my account number and Full name. I gave it to them. Then they asked for my address and phone number. I gave them this as well. Then they said, "Do you have a pen and paper so you can write down your new temporary password?" Dumbstruck I said, "Sure I do, ready when you are." They then gave me a new 6 digit temporary password. They then waited on the phone till I logged in successfully. Just in case you didn't catch that, everything they asked me for can be found in the phonebook except my account number! Are you kidding me! This account is able to store up to 4 credit cards in your file to make purchases easier! I don't do it but I know others do. Well, it gets worse.

I travel a lot on just about every airline you can think of. So as a result I've signed up for just about every frequent flyer program there is. As you probably know, your frequent flyer number is conveniently printed out on every boarding pass you've ever had. Like many people, I'm guilty of not treating my boarding passes with security in mind. I sometimes leave it in the back of the seat pocket, throw it in the trash without shredding it, and just generally don't care if someone were to steal it (after my flight that is). Well that all stopped today. The account number that the person asked for to reset my account was my frequent flyer account number! So, let's see, someone finds/looks for ticket stubs which have your name and account number on them. They search whitepages.com and obtain your address and phone number. They lock out your online account, call the number and obtain a new password for your account. They login and steal your credit cards and any other bits of information available (itineraries, transfer miles, current email address, etc.)

So in this case, the typical "forgot your password procedure" is worthless. BTW, they did have the below procedure if you forget your password.

• You must answer 2 different security questions below.
• Each question must have a different answer.
• Your answers must be at least 4 characters long and cannot contain any special characters (periods and dashes are ok).


Not that you can't find answers to these questions for someone, but it's just easier to call and unlock the account. Ironically, the message on the screen read,
You have exceeded the maximum number of allowable attempts to access this account. For security reasons, online access to this account has been disabled.

Curious as to how widespread this problem was I started trying this with my other travel accounts (both airlines and hotels). Some were better than others. But this one took the prize…

I noticed that one of the password reset procedures had two options for getting your password. The first one was typical, it presented all of my security questions I previously picked and asked me to answer them. But the second one, right below the first one, was a bit alarming.


So I called up their customer service number and the conversation went like this. I said, "I cannot remember my password and the email address it showed me is no longer active. Can you help me?" They said sure and asked me for my account number. I gave it to them. They said, "Is this Jamey Heary I'm speaking with?" I said yes.
They then asked for my address. I gave it to them. They looked up the account and said, "I see here that the email we have for you is jheary@blah.com is that correct?" I said no that email is no longer active and gave them my new email address. They put the new one in the system and said give it a try again. So I did, and received the below email (edited of course) in response:

Your online password is: password1

To help ensure your Profile Information remains secure, we recommend changing your password upon receipt of this email. Visit your Profile to change your password.

If you did not request your password, please contact Internet Customer Care at 1-800-ohm-ygod or through our online form

I just about fell out of my chair! Are you kidding me, they actually sent me my real password in clear text in an email to someone who only gave their account number and address. I didn't even have to give my name. Now they have my real password that I may use for several other sites! I couldn't believe that in today's world a company would send out a real password instead of a temporary or click here procedure. And yes this account also is able to store your credit cards for easy purchasing.
Easy for who though? Anyone with my account number and address?
Bottom line is you should treat all of your frequent traveler numbers with the same respect that you give to your credit card number. Of course this isn't possible but do what you can, I know I will from now on.
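
The "temporary or click here" procedure mentioned above, as an added example that is not part of the original post or any airline's code: the account stores only a salted hash, so there is no real password to e-mail, and a reset mails a short-lived, single-use token to the address already on file. The `Account` class, the 15-minute lifetime and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # assumed link lifetime in seconds
PBKDF2_ROUNDS = 600_000    # assumed work factor

def hash_password(password, salt=None):
    """Store only a salted hash, so there is no password to mail back."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    """Hypothetical account record, standing in for the site's database row."""
    def __init__(self, email, password):
        self.email = email
        self.salt, self.pw_hash = hash_password(password)
        self.reset = None   # (sha256 of token, expiry time) while a reset is pending

    def check_password(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def start_reset(self, now=None):
        """Return (recipient, token); the token goes only to the address on file."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return self.email, token

    def finish_reset(self, token, new_password, now=None):
        """Set a new password if the token matches, is unexpired and unused."""
        now = time.time() if now is None else now
        if self.reset is None:
            return False
        digest, expiry = self.reset
        if now > expiry:
            self.reset = None
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        self.salt, self.pw_hash = hash_password(new_password)
        self.reset = None   # single use: the same link cannot be replayed
        return True
```

The token is useless to anyone reading the database, since only its SHA-256 digest is stored, and it reveals nothing about the old password, which matters when that password is reused on other sites.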




The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
