MileagePlus: Some reminders regarding the March 3 integration

Hi Everyone, I realize that many of you here are ready and prepared for the 2012 MileagePlus program benefits to begin on March 3rd. We’ve started mailing Premier status credentials for 2012 that you should be receiving soon. Also, starting today we’ll begin sending out an email with some final reminders and details. Here are a few of the highlights:

1. If you don’t already have it, you’ll see your new MileagePlus account number. For those of you who have only a MileagePlus account, you’ll be able to retrieve your new number by logging in to view your personalized merger update page. Your new number will be valid for use starting March 3rd. Remember, if you already have a OnePass account number, it will become your MileagePlus account number.
   
   
2. Effective March 3, you’ll need to know your PIN when calling us to update account information or withdraw miles. Your PIN is not required for any online transactions or updates, though it can always be used as an alternative to your password when logging into your account.
   
   Worth noting: For security reasons, we can’t display your PIN on united.com. So, if you are a MileagePlus-only member who was assigned a PIN, you can simply go online to reset it and it will be emailed to you. You won’t need to know your current PIN to reset it, but, the key is to make sure you have a valid email address in your profile. If you already have a PIN and have forgotten it, this is also the best process to follow. If you have a OnePass account, that PIN will remain valid.
3. Not all billing information will be carried forward. For those of you who have billing information stored in your united.com profile, this data will not be migrated to the new platform for security reasons. Just a heads up that you’ll have to re-enter it after March 3.
   
   
4. Some capabilities will not resume immediately. As part of our system conversion, the process to credit flights will be paused for a few days. And, the ability to redeem Star Alliance Upgrade Awards will be unavailable for a few weeks.

The personalized page has a lot of important information about password, website migration and our transition weekend. As always, thanks for your support and continued feedback.

Shannon Kelly
Director, Customer Insights
United Airlines

Zoinks!

Not that I really care, as that's not a benefit I use or would consider using, but a few weeks will be rough for some folks.

Does that mean if I'm flying a UA or CO flight on March 2nd, and I'm crediting those miles to my US Airways account, that they aren't going to show up for a long time?

Luckily this impacts only a few people who do book full-fares however.

Sabre and travelport systems will not be able to book Y+ for a little while as well.

Hi Shannon,

Few days generally mean 3 or 4 days? I'm flying on the 3rd and 4th, should we expect our flights to post say a week later? (I'm one of those people that log onto my account multiple times a day to see if something posts )

As always thanks for the information you provide here on Milepoint. It is greatly appreciated

What PIN? I am not a CO flyer, I have zero CO miles; never flew on CO and still will do my utmost to avoid CO rebranded metal.

(Red highlight added by me)

On that PIN... I have one for all accounts I manage, so I am okay in that regard. But I don't quite understand the purpose of having a password and a PIN and both allowing access to the account via the website. A PIN that authorizes phone transactions makes sense. But it seems that by giving the agent my PIN and account number, I am essentially giving away access to my account via the web. That seems bizarre. Yes, I know, the agent can probably access my account from the CO UA system, but that system would hopefully be logging who is accessing my account and doing transactions. With the PIN they can now access it at any time from anywhere, no? So a rogue agent could take notes of people's account #s and PINs and sell it.

Seems to me this completely violates the common rule of never asking your customers for their password over the phone. What am I missing?

Added: I suppose a phone-only PIN could also be used for phone-only fraud... And what's the point of having a "strong" password rule (Your password must be at least six characters in length and is case sensitive) and allow a four digit number as an alternative?

The PIN number requirement during phone-interactions (e.g., redemption tickets) has always been a feature of the CO system.

Though, I agree with your point about rogue agents.

And y'all haven't been robbed yet?

I am flying on March 3rd, when does this auto number change happen marched 3rd 11.59pm or at like 12.01am on the 3rd?

How long will the old UA MP number be valid (for partner transactions etc)?

Yes, it violates that "rule" but I find it hard to get worked up over it knowing that it really doesn't matter. The agents can screw you if they want to without the PIN and if you are really that worried about someone in public overhearing you say it and your MP number at the same time then don't call from out in public to redeem an award.

It isn't like someone is going to be able to clean out your FF account and abscond with the loot to a non-extradition country leaving you penniless in the gutter.

I've never understood why CO required that you provide the PIN over the phone particularly since the PIN was what was also used to access the website. I felt very uncomfortable providing the PIN to strangers the few times I had to call the integration desk.

And now that we have to use this method on the new United, I wonder how this system would fair if a 3rd party security organization audited this method.

It matters because many companies spend a lot of effort training their employees and customers to never, ever ask or provide passwords over the phone (similar to how a lot of effort has been spent on teaching people what phishing emails are). And here comes Continental doing their own thing that's against established best practices.

They can (and I said so), but can they without leaving an audit trail?

It just seems completely unnecessary to have the PIN function as a password for the website. Makes me wonder if they also store the password (vs. just a hash) in their database, for agents to see. It seems so 20th century...

Maybe. Looking at my UA balance, it's currently worth significantly more than the balance in my checking account. And my bank has better security.

There is NO...NEED...TO WOORRY!

Some of these we presumably can't fix ourselves. Would Chase let us change the MP number on our VISA? With iDine, I see no way of updating the MP #.

"Simple" workaround: reset your PIN to something new each time after providing it to a CO agent.

Don't know the answer to that. However, I wouldn't be surprised if they contact Chase with the info for those with linked accounts, once the integration is complete.

bolding mine

Just like native SHARES

Although I think a simple numeric pin is too easy to break as an online password, it is far more convenient in a telephone conversation. Usually they've already used caller-ID on me to figure out who I am. They just need verification.

So much for using the "advanced" CO system as the basis for the new United.

As you mentioned, there's no easy solution that's both secure and user friendly. As long as there is some kind of phone authenticator, anyone can call in and pretend to be you with that phone authenticator. There's no (strong) audit trail per se since it's all customer (by phone) initiated things. (Potential way to make this secure is you can login online to generate a one-time phone token with a short expiration. However, this is painful extra step for most people.)

So whether online and phone authenticators are the same really doesn't impact things that much. But yes, this is very much counter-intuitive to every best practice when you get asked for your pin over the phone.

EK has a PIN system for their Gold members. You call in from your registered phone number. Punch the pin. You are immediately recognized as a Gold, and someone picks the phone almost immediately.

I've worked in-house providing IT support for a number of customers. My very first job had a strict "never ask for a password" policy and it made plenty of sense. Every single place I've worked since - well over 50 different organizations, large and small - has not cared at all. Just because it is a "best practice" doesn't mean that everyone else is doing it or that it really matters.

Almost certainly not. EVERYTHING is audited in these systems.

But you have much easier recourse if someone "steals" all your points. :-: