Why do frequent flyer accounts have such awkward security questions?

Dec 25, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. For an explanation of our Advertising Policy, visit this page.

What’s up with those security questions airlines ask when you log into your frequent flyer account?

You know, the ones that ask what you wanted to be when you grew up; the strangest food you’ve ever eaten; or even who your date to prom was — which can be awkward if you, like me, didn’t have a date.

For the latest travel news, deals and points and miles tips please subscribe to The Points Guy U.K. daily email newsletter.

A tweet about a security question went viral last month after the user claimed a JetBlue question asked who their favorite child was. The airline even played along by tweeting back, “Say it. You know you have one”.

While JetBlue told TPG the question it actually asks is, “What is the name of your favorite childhood friend?” it still made us curious about an airline’s process for creating a security question.

And who is even responsible for dreaming up these sometimes ridiculous questions? Is there a copy editor at an airline’s headquarters writing queries designed to make millions of frequent flyers cringe, or a team of developers crafting clever ways to stump potential hackers in their tracks?

I reached out to all of the U.S. domestic airlines, and those that responded said technology teams are responsible for those strange security questions that, however personal, you’ll still never remember how you responded.

“Our security questions are suggested from our IT security business partner”, a JetBlue spokesperson said. Southwest, too, relies on a technology team to “[develop] password-protection questions that ask customers to provide unique answers that will enhance online security”.

OK, so the questions aren’t posed by some moonlighting comedian or clandestine copy editor, as I initially thought. But though trained professionals are responsible for designing the questions, some industry security experts say the questions aren’t doing enough to safeguard accounts. One reason may be the increase in social media use.

“Criminals can use social media”, explained Charles Henderson, IBM’s global managing partner of X-Force Red. “You can find out a lot about an individual [there]. Because of that, a lot of these questions aren’t thought out”. For him, security questions such as, “What month did you meet your significant other? are poor because there are only so many answers to pick from — in this case, 12.

Regardless of whether the questions make you chuckle or wince, now is the time to mention how important it is to safeguard your frequent flyer accounts. That means thinking carefully about those security questions, and asking yourself if a hacker could easily determine your answers — or look them up on social media.

Henderson has an interesting suggestion for how travelers can really safeguard their frequent flyer accounts, but it’s something your mother told you never to do: lie.

“This is the time to lie”, said Henderson. “Don’t tell the same lie on every site … what you want to do is use a unique, non-correct answer for those security questions … something that is nonsensical, even”.

Lying — or bending the truth — can save you headache, time and points. It’s estimated that $1 billion a year is lost to crimes related to travel loyalty programs, according to the Javelin Strategy & Research firm. And hackers recognize how much information about travelers is out there — and how valuable frequent flyer miles and credit card points are.

According to the 2019 IBM X-Force Threat Intelligence Index, the travel and transportation industry is the second-most attacked industry, attracting 13% of all observed attacks. That’s a huge increase since 2017, when the industry was 10th-most targeted. Since January 2018, 566 million records from the travel and transportation industry have been leaked or compromised in publicly reported breaches.

“The problem is, most consumers don’t pay nearly as much attention to their points as they do their credit card statements,” Henderson said. “And if you’re a criminal, you can use points to bankroll a black-market travel agency.”

That means your mother’s maiden name or the name of your first dog (sorry, Migo) probably aren’t the best questions to answer, unless you want your hard-earned points to end up in somebody else’s account.

Featured image courtesy of Getty Images

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.