
Numeric passwords ‘extremely weak’, can be easily cracked, say cybersecurity experts

LaksaNews

Myth
Member

SINGAPORE: Earlier this week, it was reported that a member of Singapore Airlines' KrisFlyer frequent flier programme alleged that her account was hacked and 76,000 miles were drained from it.
Ms Sherie Low told Channel NewsAsia that KrisFlyer should update its security system, which requires members to log in with their membership account number and a six-digit personal identification number (PIN).
"At the very least it should be protected with a one-time password," she said. "They cannot have such a flimsy system that allows hackers to get into accounts so easily and also add nominees so easily."
SIA is currently investigating the incident, so it is not yet certain that Ms Low's account was hacked into and, if so, whether a weakness in the PIN scheme was the cause.
Asked to comment on its security measures, the airline said it takes the privacy of its customers' data "seriously" and takes all "reasonable measures" to ensure their information remains safe and protected, and that it carries out regular reviews to continue providing a secure online platform for its customers.
SIA also repeated the anti-phishing advice it gave when asked to comment for the original article on Wednesday: change passwords regularly, use antivirus software, and log into KrisFlyer accounts only through the official website.
KrisFlyer is not the only frequent flier programme that uses numeric-only passwords. Qantas' Frequent Flyer programme, for example, uses a four-digit numeric PIN, as does Morocco's national carrier Royal Air Maroc's Safar Flyer scheme.
Cybersecurity experts, though, told Channel NewsAsia that numeric passwords are “extremely weak”, and could potentially be cracked in minutes.
Mr Eugene Aseev, vice president of data storage and protection company Acronis, said that in general it would take "a few minutes on a regular PC to brute-force" a six-digit numeric password. A brute-force attack is automated trial and error: a program tries every possible password (for a six-digit PIN, all one million of them) until one is accepted.
For KrisFlyer, a "three tries" policy, after which users are locked out for 24 hours, adds a layer of tedium for hackers, Mr Aseev said. "With a limited number of allowed log-in attempts, brute-forcing becomes quite tedious – and if you have to wait 24 hours before the next attempt, it could take several months to hack into one's account using this way."
Another malware expert, Mr William Tsing from US-based cybersecurity firm Malwarebytes, shed more light on brute-force attacks.
The malware analyst pointed out that numeric passwords are easy to crack using modern resources. He cited the example of a tool called GrayKey, which unlocks iPhones and can break into a six-digit code within 11 hours.
“Depending on how the code is stored, that time to crack can be lower,” Mr Tsing said.
MULTI-FACTOR AUTHENTICATION MOOTED
So what could airlines do to improve the security of their frequent flier programmes? The question matters because frequent flier miles have monetary value: credit card points can be converted into miles and vice versa, and there are online sites that purport to buy miles from customers.
Mr Sumit Bansal, managing director of Sophos in ASEAN and Korea, said one way these organisations can strengthen security is to deploy multi-factor authentication. This means users must present more than one form of proof of identity, not just a password or PIN, before they can access their accounts.
“It is an essential layer but not many sites implement it equally – some do so more securely than others,” he pointed out.
This suggestion was reiterated by Mr Shashwat Khandelwal, head of Southeast Asia consumer business at McAfee.
“By implementing multi-factor authentication, biometrics such as a fingerprint or retina scan as well as facial recognition can be used as forms of authentication before sensitive transactions can be completed,” he said.
Malwarebytes’ Tsing also suggested that SIA and the other airlines using numeric passwords should change their policy and allow users to create longer passwords containing other characters.
"To better protect consumers, a minimum of a 12-digit password that includes letters, numbers and special characters should be required, and the password shouldn't have an upper limit on characters."
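The figures the experts give above (minutes to brute-force a six-digit PIN, the effect of a three-tries lockout, and faster cracking "depending on how the code is stored") are easy to reproduce. The following is an added example, not code from the article or from any airline: it computes the key space of numeric PINs against the 12-character recommendation, brute-forces a six-digit PIN offline from an unsalted SHA-256 hash, and simulates online guessing against a toy account with a "three tries, then 24-hour lockout" rule. The hash choice, the policy numbers, the guess rate and the sample PINs are all assumptions made for illustration.

```python
"""Added example: quantifying the weakness of numeric PINs.

1. key space / entropy of a numeric PIN versus a 12-character password;
2. offline brute force of a 6-digit PIN stored as an unsalted SHA-256 hash
   (the "depending on how the code is stored" case);
3. a toy online login with a "3 tries, then 24-hour lockout" policy.
All parameters are illustrative assumptions, not any real system's settings.
"""
import hashlib
import hmac
import itertools
import math
import string
from dataclasses import dataclass
from typing import Optional, Tuple

# Letters, digits and punctuation: 94 printable ASCII symbols.
PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every secret in the key space is equally likely."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every secret at a given offline guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def lockout_worst_case_days(alphabet_size: int, length: int,
                            tries_per_window: int, window_hours: float) -> float:
    """Worst case for guessing ONE account online when each `tries_per_window`
    failures lock it for `window_hours`; the attacker waits out every lockout."""
    windows = math.ceil(keyspace(alphabet_size, length) / tries_per_window)
    return windows * window_hours / 24


def sha256_hex(secret: str) -> str:
    """Fast, unsalted hash: exactly what makes the offline attack cheap."""
    return hashlib.sha256(secret.encode()).hexdigest()


def crack_numeric_pin(target_hash: str, length: int) -> Optional[str]:
    """Offline attack: hash every numeric PIN of the given length until one matches."""
    for digits in itertools.product(string.digits, repeat=length):
        candidate = "".join(digits)
        if hmac.compare_digest(sha256_hex(candidate), target_hash):
            return candidate
    return None


@dataclass
class PinAccount:
    """Toy online login enforcing 'max_tries failures, then lockout_seconds'."""
    pin_hash: str
    max_tries: int = 3
    lockout_seconds: int = 24 * 3600
    failures: int = 0
    locked_until: float = 0.0  # simulated clock, in seconds

    def verify(self, attempt: str, now: float) -> bool:
        if now < self.locked_until:  # still locked: reject, even the correct PIN
            return False
        if hmac.compare_digest(sha256_hex(attempt), self.pin_hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_tries:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False


def simulate_online_guessing(account: PinAccount, length: int,
                             max_attempts: int) -> Tuple[Optional[str], int, float]:
    """Sequential online guessing of one account, waiting out each lockout.
    Returns (PIN found or None, attempts used, simulated seconds elapsed)."""
    now, attempts = 0.0, 0
    for digits in itertools.product(string.digits, repeat=length):
        if attempts >= max_attempts:
            break
        if now < account.locked_until:
            now = account.locked_until  # the attacker simply waits for the lockout to expire
        attempts += 1
        candidate = "".join(digits)
        if account.verify(candidate, now):
            return candidate, attempts, now
    return None, attempts, now


if __name__ == "__main__":
    print(f"6-digit PIN: {keyspace(10, 6):,} possibilities, {entropy_bits(10, 6):.1f} bits")
    print(f"4-digit PIN: {keyspace(10, 4):,} possibilities, {entropy_bits(10, 4):.1f} bits")
    print(f"12 printable chars: {entropy_bits(PRINTABLE_ASCII, 12):.1f} bits")
    rate = 1e9  # assumed SHA-256 rate for one modern GPU
    print(f"offline at {rate:.0e}/s: 6 digits in {seconds_to_exhaust(10, 6, rate):.4f} s, "
          f"12 chars in {seconds_to_exhaust(PRINTABLE_ASCII, 12, rate) / 3.15e7:.2e} years")
    print(f"online, 3 tries per 24 h, one account: worst case "
          f"{lockout_worst_case_days(10, 6, 3, 24):,.0f} days")
    leaked = sha256_hex("739106")  # constructed sample: an unsalted hash from a breach
    print("offline crack of leaked hash:", crack_numeric_pin(leaked, 6))
    acct = PinAccount(pin_hash=sha256_hex("000007"))  # constructed sample account
    print("online guessing:", simulate_online_guessing(acct, 6, 10_000))
```

Running it shows the two regimes the experts describe: the offline crack of the leaked hash returns the PIN in about a second on a laptop, while the per-account lockout stretches a single-account online attack to hundreds of thousands of days in the worst case. Two caveats apply to the lockout figure: it protects one account, so an attacker who spreads three guesses a day across many accounts is not slowed by it, and a salted, deliberately slow hash such as bcrypt or Argon2 raises the offline cost per guess but does not change the one-million-entry key space.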
