Wednesday, December 26, 2012

On Security

I was on a work trip to California two weeks ago. It was an enjoyable experience full of firsts both exciting and trepidatious!

In preparing for the trip, I attempted to reactivate my Delta Skymiles account. I'll be simplifying some details, but it turns out that I still had an (empty) account from a decade ago. I wanted to keep that one active, but I no longer had access to the email address from that long ago (I had lost it fairly recently, actually). The support person was able to add my trip's miles to the account, but I wasn't able to access it without that email.

The solution was to physically mail a letter to the address on the account with a new PIN to regain access. I thought that was funny, but I was happy with the tight security Delta appeared to have in all this. The support person couldn't give me many details about my account, since I never fully, completely proved I was the owner. Everything was tied to the reliability of the information in the account. So if I were some bad guy, I might have been thwarted. Great!

After I got back from my trip, last week, the letter arrived, and soon after my enthusiasm for Delta's security evaporated. Everything up to this point had been the level of security I would expect for accounts holding quite a bit of value, until I actually read the PIN Delta had chosen to reset my account with.

I expect those reading this to guess what it is, and that alone should be an indication of how bad it was. It is the most naively used and most easily hijacked four-digit combination possible.

Which renders all those other security measures moot! If the bad guy simply knows that Delta resets PINs to the simplest four digits possible, he need only know the Skymiles account number, which he most likely already has if he got as far as he did in the phone call, and he's set. He's got the account!

Now, I don't know for sure that Delta always resets to that number. I have a sample size of one. But if the reset PIN were random, the odds of landing on that one are one in ten thousand. And Delta mailing out reset PINs doesn't seem very common, so this is likely an overlooked hole. Still, I felt it important to share this experience and perhaps inform Delta of what I believe to be a security flaw in their Skymiles account system.

January update:

Delta sent me another piece of mail which contained the password I had set up on the account (to replace the PIN system they are trying to phase out). People complain about emails containing passwords in plain text; this was mine, printed in ink and mailed to me.

I didn't even need it, really, but I guess this was a final notice to the owner of the account in case it had been hijacked all this time. But printing out my password? Unnecessary. Risky.
