Is it common practice to allow frequent flyer account access with easily available personal details?
Is it common practice for airline frequent flyer miles programs to allow account access using publicly available personal details?
I've just discovered (in the most unfortunate way) that a frequent flyer miles program I use requires only
- street address
- birth date
to give full account access, including the ability to redeem miles, view and change existing itineraries, access to sensitive personal information such as stored passport numbers (which the site encourages users to submit for "your security") and even to change email address (thus initiating the process of full account takeover through password reset).
Is this lax security a common practice in the industry?
Best Answer
No! This is not common at all. All of the FF programs I've used (Delta, Southwest, Korean Air, etc.) require a password to log in. Not only is this uncommon, it's an absolutely horrible security practice for the reasons you've found out.
Here are a couple of examples of how major programs currently handle this:
Delta
Delta's website requires a username and password to log in normally.
If you've forgotten your password, you need to enter your name and e-mail address and they send the link to change your password to that e-mail address, so having control of that e-mail account is required to reset.
If you've forgotten your username or SkyMiles number, you again enter your e-mail address and name and they'll e-mail your username to you.
Southwest
Southwest's website also requires a username and password to log in normally.
If you've forgotten your password, like with Delta, you enter your e-mail address and name and they e-mail you the link to change your password.
If you've forgotten your username/account number, you need to enter your name, ZIP code, and e-mail address, and then answer your security questions before it will give you your username and account number. If you don't have access to your original e-mail address, you have to enter your name, ZIP code, old e-mail address, and account number in order to change your e-mail.
Workaround
You say that the program in question is a 'big fish.' If it's big enough to be part of one of the major alliances (OneWorld, Star Alliance, or SkyTeam) and they won't quickly fix their account security, you might want to consider joining a more secure FF program from another one of the members of the same alliance and just start crediting your flights to that program instead. Most of them have reciprocal mileage earn and awards, as well as at least some degree of reciprocal elite benefits with other member airlines of the same alliance.
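To make the contrast in the answer concrete, here is an added example (not code from the question, the answer, or any airline) that models both designs side by side: the "street address + birth date" check the question describes, and an e-mail-bound reset of the kind the answer attributes to Delta and Southwest, where the reset link is a random, single-use, expiring token delivered only to the registered address. The account data, the `outbox` dictionary standing in for e-mail delivery, and the 15-minute token lifetime are all constructed assumptions for the demo.

```python
"""Added example: weak knowledge-based login vs. an e-mail-bound password reset.
Not from the original post or any real program; all names and sample data are
constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$hash_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    email: str
    street_address: str
    birth_date: str
    password_hash: str
    # sha256(token) -> expiry time; the raw token is never stored server-side
    reset_tokens: dict = field(default_factory=dict)


# --- Design 1: what the question describes (public facts act as the credential) ---
def kba_login(account: Account, street_address: str, birth_date: str) -> bool:
    """Grants full access on two facts that are public records for most people."""
    return account.street_address == street_address and account.birth_date == birth_date


# --- Design 2: what the answer describes (reset bound to the registered e-mail) ---
def request_reset(account: Account, email: str, outbox: dict, now: float) -> None:
    """Mint a random single-use token and deliver it only to the registered address.
    Returns nothing either way, so the endpoint cannot be used to enumerate accounts."""
    if not hmac.compare_digest(email.lower(), account.email.lower()):
        return
    token = secrets.token_urlsafe(32)
    account.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = now + TOKEN_TTL_SECONDS
    outbox.setdefault(account.email, []).append(token)


def redeem_reset(account: Account, token: str, new_password: str, now: float) -> bool:
    """Consume the token (single use); reject unknown or expired tokens; rotate the password."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    expiry = account.reset_tokens.pop(digest, None)
    if expiry is None or now > expiry:
        return False
    account.password_hash = hash_password(new_password)
    account.reset_tokens.clear()      # any other outstanding links die with the reset
    return True


def change_email(account: Account, current_password: str, new_email: str) -> bool:
    """Changing the recovery address is itself a takeover step, so it requires the password."""
    if not verify_password(current_password, account.password_hash):
        return False
    account.email = new_email
    account.reset_tokens.clear()
    return True


def demo() -> dict:
    """Walk an attacker who knows only address + DOB through both designs."""
    now = time.time()
    victim = Account("traveller@example.com", "1 Main St", "1980-01-01", hash_password("correct horse"))
    outbox: dict = {}   # constructed stand-in for e-mail delivery: address -> tokens received
    results = {}
    # Against design 1 the public facts are enough.
    results["kba_attacker_in"] = kba_login(victim, "1 Main St", "1980-01-01")
    # Against design 2 the attacker can only cause mail to land in the victim's inbox.
    request_reset(victim, "traveller@example.com", outbox, now)
    results["attacker_got_token"] = "attacker@example.net" in outbox
    results["guessed_token_rejected"] = not redeem_reset(victim, secrets.token_urlsafe(32), "pwned", now)
    # The mailbox owner can reset, exactly once.
    token = outbox["traveller@example.com"][0]
    results["owner_reset_ok"] = redeem_reset(victim, token, "new passphrase", now + 60)
    results["token_single_use"] = not redeem_reset(victim, token, "again", now + 61)
    # A link that was intercepted but used after its lifetime is rejected.
    request_reset(victim, "traveller@example.com", outbox, now)
    stale = outbox["traveller@example.com"][1]
    results["expired_rejected"] = not redeem_reset(victim, stale, "late", now + TOKEN_TTL_SECONDS + 1)
    # Re-pointing the recovery address needs the password, not address + DOB.
    results["email_change_needs_password"] = not change_email(victim, "1 Main St", "attacker@example.net")
    return results
```

The point of the second design is the one the answer makes about Delta and Southwest: an attacker holding public facts can trigger a reset but never receives the link, and the link itself is worthless once used or expired. Note that the question's "change email address" path is gated on the current password here for the same reason, since whoever controls the recovery address controls the account.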
Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.