Singapore KrisFlyer Improves Account Security

Filed Under: Singapore

While I’m by no means a tech security expert, there are some travel companies that have mind-numbingly bad security practices. For example, IHG continues to use four digit PINs. IHG accounts get hacked all the time.

Can anyone — anyone — help me understanding how in 2019 they still do this? Accounts get hacked all the time, and when they do IHG typically makes people whole and gives them back their points. So how is it that they still think that’s the best system?

Singapore KrisFlyer Isn’t Much Better

Singapore Airlines’ KrisFlyer program is annoying in two ways when it comes to logging into your account and security:

  • You can only log into your account online using your KrisFlyer number, and not your email address or a username; this means I always have to look up my KrisFlyer number before logging into my account (I use LastPass for most things, but since I manage many KrisFlyer accounts, I don’t add that to my LastPass)
  • KrisFlyer requires you to have a six digit PIN, rather than a password

Well, there are some positive updates on both of those fronts.

How KrisFlyer Is Improving Account Security

It has been announced that Singapore KrisFlyer will be making two changes to how you log into your account as of September 24, 2019:

  • You’ll be able to log into your KrisFlyer account using the email address you have registered on your account, in addition to the current option of logging in with your 10-digit KrisFlyer number
  • Your six digit KrisFlyer PIN will be replaced by a password

You’ll automatically be able to log in with your email address as of September 24, and as of that date you’ll also be prompted to come up with a password (you can’t decide on your password prior to that).

Your password must contain eight to 16 alphanumeric characters, and can include a combination of:

  • Numbers (0-9)
  • Uppercase and lowercase letters (A-Z and a-z)
  • Special characters ([email protected]#$%^&*())

Bottom Line

These seem like some pretty common sense changes for KrisFlyer to be making. Personally I’m excited to be able to log in with my email address. Beyond that, it seems pretty logical that they’d introduce “real” passwords, rather than the current PINs they use.

Comments
  1. it is really pathetic. 8 character passwords are pretty easy to crack. Personally they should require at least 12 but preferably 16 characters with numbers and special characters.

    I once complained to a stock brokerage and their response was “some people don’t want longer passwords”. Of course in the states we can’t get most people to use the chip in ccs and still swipe them in many/most locations. And most non-fast food restaurants can’t handle Apple Pay (or other phone payment methods).

    Wasn’t BA and Hilton both bad for a while? (Regarding a short pin.)

  2. Wake me up when there is a loyalty program that offers 2-Factor-Authentication for login and transactions. Imho the security of these programs should be regulated the same way as for online banking accounts.

  3. As said above this is still ridiculously lax.
    Why limit the upper number of characters that you can use? It’s not like the extra storage costs are noticeable.
    Also, two factor authentication needs to be implemented.

  4. @Max Qantas FF uses/forces 2FA. It’s actually a little annoying when you are traveling and they force SMS confirmation and are using a different SIM/number.

    But I get the point – too many of these programs use 4-6 digit pins which are ludicrously easy to hack. This is a small step forward for Singapore Airlines and the rest still using PINs should hurry up and follow suit.

  5. Re: Why limit the number of characters in a password? And similarly why limit the special characters you can use?

    Because they’ve hired some cheap enterprise developers who can only build things with copy and paste code and their program managers don’t know a anything about security.

  6. @Lucky – LastPass lets you easily have multiple logins for each site, and then you just pick the one you want.

  7. @michaelr A pin on Windows is safer than a password, as it is tied to the specific device and not stored by Microsoft. Most issues come from remote attackers, which is not possible even with a simple pin.

  8. IHG doesn’t pay their hotels much for stays, so I guess it’s cheaper to put points back into accounts than fix the software?

  9. Not a cyber security expert, but I’ve heard 16 characters of mixed type would take several years to brute-force hack. Good enough for me.

  10. I haven’t used a password with Microsoft, Google or Yahoo in ages. All 2 factor auth. I don’t understand why more organizations don’t make the switch.

Leave a Reply

Your email address will not be published. Required fields are marked *