About time: Singapore Airlines is improving KrisFlyer account security

KrisFlyer is introducing alphanumeric passwords from 24 September 2019, which will make your account a lot tougher to crack.

I’m not what you might call a security expert, but even I know that using a six-digit PIN for account security is woefully inadequate.

The gold standard for passwords is an alphanumeric combination featuring upper/lowercase and special characters. That’s what Asia Miles requires, and according to audit site howsecureismypassword, such a password would take more than 200 million years to brute force.

KrisFlyer’s six-digit PINs, on the other hand, would be cracked in 25 microseconds. Clearly, something is wrong with this picture.

We’ve already seen how this system is a breach waiting to happen. Back in April 2018, a KrisFlyer member lost 76,000 miles when hackers emptied her account redeeming one-way economy class tickets on Lufthansa (that’s the real crime here) from Frankfurt to Saint Petersburg.

The member was eventually made whole by KrisFlyer, but the incident highlighted a glaring flaw in account security. As if a six-digit PIN wasn’t bad enough, there was no OTP mechanism in place for high-risk transactions like adding or changing redemption nominees. Once an intruder got into your account, he/she could have a field day without so much as a peep from the system.

To Singapore Airlines’ credit, they responded by adding OTPs in June 2018. You’re now asked to provide an OTP when carrying out certain transactions, which can be received either on your phone or via email.

However, we’ve still been stuck with the issue of six-digit PINs.

KrisFlyer will replace PINs with passwords

Well, there’s some good news on this front.

From 24 September 2019, KrisFlyer will be replacing six-digit PINs with password logins. You’ll be prompted to change your PIN to a password when you log in on or after this date.

Your new password must contain 8 to 16 alphanumeric characters and include a combination of:

  • Numbers (0-9),
  • Uppercase and lowercase letters (A-Z and a-z), and
  • Special characters (!@#$%^&*())

And that, quite frankly, is exactly how it should be.

Don’t wipe your current PIN from your memory banks though: it’ll still be used for verification purposes when calling up KrisFlyer membership services.

In addition to this, you’ll also be able to log in with your email address instead of your KrisFlyer number if you prefer. More FAQs about these changes can be found here.

Conclusion

It’s good to see KrisFlyer adopt these changes, because there’s simply no reason why frequent flyer accounts shouldn’t be secured with more robust security measures.

Remember: miles are as good as money, so there’ll always be ne’er-do-wells looking to pilfer them. Protect your frequent flyer account the same way you would your bank account, and change your PIN to a password as soon as you can.

Aaron Wong
Aaron founded The Milelion to help people travel better for less and impress chiobu. He was 50% successful.

Comments

Dizzy

Wrote in last year to ask them to do this, to which they replied that they believe the current 6 digit PIN is sufficient. Shameful reply but oh well better late than never…

Jon

How will the hotline authenticate you from now? It used to be KF number + the 6-digit PIN.

JL

Don’t wipe your current PIN from your memory banks though- it’ll still be used for verification purposes when calling up KrisFlyer membership services

Lady G

Tried an early reset using the link SQ gave but it just made me reset the same 6 digit pin. Haiz.