Iโm not what you might call a security expert, but even I know that using a six-digit PIN for account security is woefully inadequate.
The gold standard for passwords is an alphanumeric combination featuring upper/lowercase and special characters. Thatโs what Asia Miles requires, and according to audit site howsecureismypassword, such a password would take more than 200 million years to brute force.
KrisFlyerโs six-digit PINs, on the other hand, would be cracked in 25 microseconds. Clearly, something is wrong with this picture.
Weโve already seen how this system is a breach waiting to happen. Back in April 2018, a KrisFlyer member lost 76,000 miles when hackers emptied her account redeeming one-way economy class tickets on Lufthansa (thatโs the real crime here) from Frankfurt to Saint Petersburg.
The member was eventually made whole by KrisFlyer, but the incident highlighted a glaring flaw in account security. As if a six-digit PIN wasnโt bad enough, there was no OTP mechanism in place for high-risk transactions like adding or changing redemption nominees. Once an intruder got into your account, he/she could have a field day without so much as a peep from the system.
To Singapore Airlinesโ credit, they responded by adding OTPs in June 2018. Youโre now asked to provide an OTP when carrying out certain transactions, which can be received either on your phone or via email.
However, weโve still been stuck with the issue of six-digit PINs.
KrisFlyer will replace PINs with passwords
Well, thereโs some good news on this front.
From 24 September 2019, KrisFlyer will be replacing six-digit PINs with password logins. Youโll be prompted to change your PIN to a password when you log in on or after this date.
Your new password must contain 8 to 16 alphanumeric characters and include a combination of:
- Numbers (0-9),
- Uppercase and lowercase letters (A-Z and a-z), and
- Special characters (!@#$%^&*())
And that, quite frankly, is exactly how it should be.
| Donโt wipe your current PIN from your memory banks though- itโll still be used for verification purposes when calling up KrisFlyer membership services |
In addition to this, youโll also be able to log in with your email address instead of your KrisFlyer number if you prefer. More FAQs about these changes can be found here.
Conclusion
Itโs good to see KrisFlyer adopt these changes, because thereโs simply no reason why frequent flyer accounts shouldnโt be secured with more robust security measures.
Remember: miles are as good as money, so thereโll always be neโer-do-wells looking to pilfer them. Protect your frequent flyer account the same way you would your bank account, and change your PIN to a password as soon as you can.
Wrote in last year to ask them to do this, to which they replied that they believe the current 6 digit PIN is sufficient. Shameful reply but oh well better late than neverโฆ
How will the hotline will authenticate you from now? It used to be KF number + the 6-digit PIN.
Donโt wipe your current PIN from your memory banks though- itโll still be used for verification purposes when calling up KrisFlyer membership services
Tried an early reset using the link SQ gave but it just made me reset the same 6 digit pin. Haiz.