[personal profile] rhialto
Executive Summary: 6-digit PIN codes do not offer sufficient protection for personal information on a web site!

Recently I became a KLM Flying Blue "frequent flyer". For that one can of course log in on klm.com with a password. Well... password... a "PIN". Just digits. The default length is 4, and the maximum is 6! Obviously this is ridiculously unsafe! There is a lot of personal information "protected" by that PIN, such as passport numbers...
I tried to tell this to the customer service, but (also of course) they didn't even understand what I was talking about.
To make things confusing, there are apparently two different logins. If you just book a flight, you can access that information later on, and for that an actual password of sufficient strength is possible. That is called a "KLM account".
Things got confusing when I first only had a booked flight and hence a "KLM account", but later added the "Flying Blue account". You log in for both through the same login form.
And apparently, once you have the "Flying Blue account" it doesn't accept the password for the "KLM account" any more (if both have the same email address used for logging in).
If it *had* accepted the password there, I would probably not even have noticed that you can also login with the weak PIN.
My main worry is the incredible stupidity of digit-only PIN codes that are also at most 6 digits long (and the default is 4, for instance when you reset it). What to do to get the appropriate people to look at it and get that strengthened?

And if you want to double-check it for yourself... if you click "inschrijven" (or "register" maybe) you'll see you can register for 2 different kinds of accounts, and the Flying Blue one wants a PIN while the other one wants a password...
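To put numbers on why an all-digit secret of at most 6 characters is weak, here is a small calculation added to this post (it is not the author's code and has nothing to do with KLM's actual systems). It compares the keyspace and entropy of 4- and 6-digit PINs with ordinary passwords, and shows what a password-spraying attacker gets when a per-account lockout limits them to a few guesses per account but nothing limits the number of accounts they try. The attempt counts and account population below are assumptions chosen for illustration; the uniform-choice model is optimistic, since real users cluster on PINs like 1234 or birth years.

```python
import math

# Character-class sizes used for the naive strength estimate below.
DIGITS, LOWER, UPPER, OTHER = 10, 26, 26, 33


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits if the secret is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_guesses(space: int) -> float:
    """Average number of guesses to hit a uniformly chosen secret."""
    return (space + 1) / 2


def expected_compromised(space: int, attempts_per_account: int, accounts: int) -> float:
    """Expected number of accounts an attacker opens when they try
    `attempts_per_account` distinct guesses against each of `accounts`
    accounts (i.e. stays below a per-account lockout threshold)."""
    return accounts * attempts_per_account / space


def spray_success_probability(space: int, attempts_per_account: int, accounts: int) -> float:
    """Probability that at least one account falls in the same spray."""
    p_one = attempts_per_account / space
    return 1.0 - (1.0 - p_one) ** accounts


def estimated_bits(secret: str) -> float:
    """Naive charset-based estimate: length * log2(size of classes present).
    This is not a dictionary or pattern check, so it overestimates human-chosen
    secrets; it is only meant to separate digit-only PINs from real passwords."""
    size = 0
    if any(c.isdigit() for c in secret):
        size += DIGITS
    if any(c.islower() for c in secret):
        size += LOWER
    if any(c.isupper() for c in secret):
        size += UPPER
    if any(not c.isalnum() for c in secret):
        size += OTHER
    return len(secret) * math.log2(size) if size else 0.0


def is_acceptable(secret: str, min_bits: float = 40.0) -> bool:
    """Policy check: reject digit-only secrets and anything under min_bits.
    The 40-bit floor is an assumed illustrative threshold, not a standard."""
    if secret.isdigit():
        return False
    return estimated_bits(secret) >= min_bits


if __name__ == "__main__":
    # Assumed scenario: attacker allowed 3 guesses per account before lockout,
    # sprayed across 100,000 accounts (both numbers are constructed, not real).
    attempts, accounts = 3, 100_000
    print(f"{'secret type':<22}{'keyspace':>14}{'bits':>7}{'compromised':>13}")
    for label, alphabet, length in [("4-digit PIN", DIGITS, 4),
                                    ("6-digit PIN", DIGITS, 6),
                                    ("8-char mixed pw", DIGITS + LOWER + UPPER, 8),
                                    ("12-char mixed pw", DIGITS + LOWER + UPPER + OTHER, 12)]:
        space = keyspace(alphabet, length)
        print(f"{label:<22}{space:>14}{entropy_bits(alphabet, length):>7.1f}"
              f"{expected_compromised(space, attempts, accounts):>13.4f}")
    for candidate in ["1234", "123456", "correct horse battery staple"]:
        print(f"{candidate!r}: acceptable={is_acceptable(candidate)}")
```

Even with a strict per-account lockout, a 4-digit PIN gives the sprayer around 30 opened accounts per 100,000 tried, and a 6-digit PIN still gives a few tenths of an account per 100,000, with near-certain success once enough accounts exist; a 12-character mixed password drives the same figure to effectively zero. That is why the length of the PIN, not just the lockout policy, is the problem.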


February 2019