CHICAGO - United Airlines' latest hacker-thwarting tool involves getting to know its passengers' favorite artists and pizza toppings.
Starting Friday morning, the Chicago-based airline will ask MileagePlus frequent flier program members two extra security questions when they attempt to access their accounts from a device the airline doesn't recognize.
The airline has been nudging MileagePlus members to set up the new security questions since February. Each customer will select five to fill out from a larger pool of options, though not everyone will see the same slate of choices. And instead of filling in their own answers, United is giving fliers a drop-down list of possible responses.
The multiple-choice format is meant to combat computer viruses that track every key a user types, potentially recording login credentials, said Ben Vaughn, United's director of IT security intelligence.
Although the changes weren't made in response to any particular incident, and United can't be certain how many security issues can be traced back to keystroke logging, "based on our analysis we see this as a significant threat not just to our customers, but the internet in total," Vaughn said.
Some of United's questions and suggested answers have raised eyebrows. Potential favorite pizza toppings include mashed potato (Vaughn insists it's on menus in Chicago) and za'atar, a Middle Eastern spice mix.
This isn't "mother's maiden name" or "high school mascot" territory, and the questions are meant to be a little unusual, Vaughn said. If United asks different security questions than other online services, someone who got access to a United customer's account on a different website probably wouldn't get the answers to United's questions, he said.
United also tried to avoid questions that could be answered with a Google search or guessed based on a flier's gender and approximate age. The questions also had to apply to customers all over the world, which is why some suggested favorite artists or musical instruments might sound off to Americans, Vaughn said.
The extra questions are United's version of two-factor authentication, which asks for an extra piece of information beyond a password to prove the person logging in is who he or she claims to be.
Ordinarily, that means requiring a different type of authentication, like verifying a code sent via text message, not demonstrating you know a second piece of password-like information, said Jeremiah Grossman, chief of security strategy at SentinelOne and founder of WhiteHat Security.
But United said it couldn't assume its global, highly mobile customers would always have access to texting while in the air or traveling abroad.
"We had to solve for all the strange ways in which an airline does electronic business," Vaughn said.
And while a drop-down menu of answers may provide more protection against keyloggers than open-ended fill-in-the-blank responses, it could be less secure against other types of attacks because there are fewer options to pick from, Grossman said.
According to Vaughn, the drop-down menus also can be more secure against certain automated attacks because United shuffles the list of options each time. But the main goal was balancing extra security against extra hassle, he said.
"Having 100 options instead of 10 might be better for security, but not for the user," he said.
Even if the extra questions aren't exactly ironclad, they could be enough of a deterrent to justify the small inconvenience, Grossman said.
Customers may also be asked to answer the security questions if trying to access their MileagePlus accounts in person or over the phone at the airport.
On Friday, MileagePlus members who have not yet set up the security questions will be required to do so upon logging in, and the airline no longer will accept personal identification numbers instead of passwords.