I’m not what you might call a security expert, but even I know that using a six-digit PIN for account security is woefully inadequate.
The gold standard for passwords is an alphanumeric combination featuring upper/lowercase and special characters. That’s what Asia Miles requires, and according to audit site howsecureismypassword, such a password would take more than 200 million years to brute force.
KrisFlyer’s six-digit PINs, on the other hand, would be cracked in 25 microseconds. Clearly, something is wrong with this picture.
We’ve already seen how this system is a breach waiting to happen. Back in April 2018, a KrisFlyer member lost 76,000 miles when hackers emptied her account redeeming one-way economy class tickets on Lufthansa (that’s the real crime here) from Frankfurt to Saint Petersburg.
The member was eventually made whole by KrisFlyer, but the incident highlighted a glaring flaw in account security. As if a six-digit PIN wasn’t bad enough, there was no OTP mechanism in place for high-risk transactions like adding or changing redemption nominees. Once an intruder got into your account, he/she could have a field day without so much as a peep from the system.
To Singapore Airlines’ credit, they responded by adding OTPs in June 2018. You’re now asked to provide an OTP when carrying out certain transactions, which can be received either on your phone or via email.
However, we’ve still been stuck with the issue of six-digit PINs.
KrisFlyer will replace PINs with passwords
Well, there’s some good news on this front.
From 24 September 2019, KrisFlyer will be replacing six-digit PINs with password logins. You’ll be prompted to change your PIN to a password when you log in on or after this date.
Your new password must contain 8 to 16 alphanumeric characters and include a combination of:
- Numbers (0-9),
- Uppercase and lowercase letters (A-Z and a-z), and
- Special characters (!@#$%^&*())
And that, quite frankly, is exactly how it should be.
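To make the new rules concrete, here is an added example (not code from KrisFlyer or Singapore Airlines) that checks a candidate password against the policy listed above and puts a number on the gap between a six-digit PIN and an eight-character password drawn from the allowed classes. The special-character set is assumed to be the shifted digit row the post lists; the function names are my own.

```python
import math
import string

# Character classes from the policy described in the post.
DIGITS = set(string.digits)
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
# Assumption: the special characters are the shifted digit row (!@#$%^&*()).
SPECIAL = set("!@#$%^&*()")
MIN_LEN, MAX_LEN = 8, 16


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it is accepted."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    chars = set(password)
    # Each class must be represented at least once.
    if not chars & DIGITS:
        violations.append("must contain a number (0-9)")
    if not chars & UPPER:
        violations.append("must contain an uppercase letter (A-Z)")
    if not chars & LOWER:
        violations.append("must contain a lowercase letter (a-z)")
    if not chars & SPECIAL:
        violations.append("must contain a special character (!@#$%^&*())")
    return violations


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Search-space size in bits for a secret of `length` symbols drawn from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def pin_vs_password_bits() -> tuple[float, float]:
    """Compare a six-digit PIN with the weakest password the policy accepts (8 characters, all four classes allowed)."""
    pin_bits = keyspace_bits(10, 6)
    alphabet = len(DIGITS | UPPER | LOWER | SPECIAL)  # 72 symbols
    password_bits = keyspace_bits(alphabet, MIN_LEN)
    return pin_bits, password_bits


if __name__ == "__main__":
    for candidate in ("123456", "krisflyer", "Kris!Flyer2019"):
        print(candidate, "->", password_policy_violations(candidate) or "accepted")
    pin, pw = pin_vs_password_bits()
    print(f"6-digit PIN: {pin:.1f} bits; 8-char policy password: {pw:.1f} bits")
```

The bit counts assume attackers must search the whole space; real users pick predictable passwords, so the figure is an upper bound on the password side, but even so a six-digit PIN offers under 20 bits, which is why the post's "25 microseconds" comparison is not an exaggeration in kind.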
Don’t wipe your current PIN from your memory banks though, as it’ll still be used for verification purposes when calling up KrisFlyer membership services.
In addition to this, you’ll also be able to log in with your email address instead of your KrisFlyer number if you prefer. More FAQs about these changes can be found here.
It’s good to see KrisFlyer adopt these changes, because there’s simply no reason why frequent flyer accounts shouldn’t be secured with more robust security measures.
Remember: miles are as good as money, so there’ll always be ne’er-do-wells looking to pilfer them. Protect your frequent flyer account the same way you would your bank account, and change your PIN to a password as soon as you can.