Slashdot Log In
Identity Theft From Tossed Airline Boarding Pass?
Posted by
Zonk
on Thu May 04, 2006 08:07 AM
from the just-ouch dept.
from the just-ouch dept.
crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."
Related Stories
[+]
Another Setback for Biometric Passports 70 comments
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Boycott (Score:5, Insightful)
Ever since 9/11, I refuse to travel by air. Not because of the scary terrorists, but because of my scary government. While the article talks about a UK program with bad security, the author is clear that this is all because of pressure from the United States.
I sent an email to the TSA a while ago telling them that I despise their spying programs and I am boycotting the airline industry. I don't want to be treated like a second-class citizen, spyed on, and my rights violated. Sure, the majority of airline passengers don't have a problem, but there are a significant quantity that do hit security snags on a daily basis. What has this increased illusion of security bought us? Pork. We haven't caught terrorists because of spending on ineffective security programs. Each alleged terrorist since 9/11 was caught because of people. People who thought something was wrong -- the shoe bomber who had trouble with his bomb, and passengers and flight attendants handled the situation. Not computers, not databases. People.
As far as I'm concerned, the airline industry can rot in hell for giving in to government pressure. They know these security programs do nothing more than waste money on pork and make certain politicians feel smug, earning brownie points with their constituents. Until the government gets a clue, I will not fly. If the airlines suffer, so be it. Money is what drives this country. Maybe when the government realizes that the airlines aren't making money, someone, somewhere, will get a clue and start implementing good security that does not violate our privacy.
Re:Boycott (Score:2, Insightful)
No, I am not a fan on the war on freedom^H^H^H^H^H^H^Hterrorism. But get over it. Both countries are capable of putting together a more secure system. Quit blaming the US for all the world's problems.
This assumes the guardian is reporting a true story. They have been know to be free with the truth.
Re:Boycott (Score:3, Insightful)
Maybe you should have read the article before commenting:
Re:Boycott (Score:4, Insightful)
Our problem is that we have elected people who put moronic rules into place.
Parent
Re:Boycott (Score:3, Insightful)
Indeed they are. Good thing the rest of us are allowed to take a hint and decide we're not welcome. Guess we'll just go somewhere else with our business.
Re:Boycott (Score:2)
By the same logic, I blame the US for lax identity theft laws when I hear about ABC company divulging information about tens of thousands of their customers. A company will do what is profitable. It is their job. When governments let companies get away with murder, I place the blame on the gov't for not having a tight enough
Re:Boycott (Score:2, Insightful)
Reference, please.
Re:Boycott (Score:2)
Perhaps your 'Don't blame the US' line is every bit as much a knee-jerk reaction as you think the 'Blame the US' line is?
J.
Run that one by me again. (Score:2, Informative)
Correct me if I am wrong, but didn't the 9/11 bombers use US internal airlines because the security was so poor? A situation caused by the airline companies not agreeing to previous government calls for tighter security due to concerns that people might be put off flying.
I dont like all the pointless security either but some of it is defintely neccessary, and that wasn't the case on US internal airlines pre
Re:Run that one by me again. (Score:3, Insightful)
Correct me if I am wrong, but didn't the 9/11 bombers use US internal airlines because the security was so poor?
By internal I take it you mean using U.S. airlines to attack the U.S. Duh? This place isn't like Europe with a bunch of little countries next to each other. If they didn't use U.S. airlines taking off from U.S. airports, what would they have used?
Anyway, the problem wasn't security. The hijackers had clean records, were in this country legally, and had authentic identification. There was no wa
Re:Run that one by me again. (Score:3, Insightful)
I'd suggest that if someone really wanted to hijack another plane in the US, or wherever, it would still be possible, even with the extra security. A number of scenarios spring to mind, but forgive me if I don't suggest them out loud! You're all clever people and I don't doubt for a second you could all come up with a number of feasible plans. The current security might make some of t
But the wiping / gas chromatograph thing does...? (Score:3, Interesting)
And yet the little wipe said all w
Re:Boycott (Score:5, Interesting)
And surprisingly, they didn't catch any terrorists that day, either.
Parent
Re:That story scares me. (Score:3, Informative)
No, an airport is national territory. And by convention an airplane becomes part of the national territory the moments the doors open (with doors closed different regulations apply (Warsaw Convention, Montreal Convention))
Most International Airports have designated transit area for passengers transiting a country to save them from the hassle of immigration and emigration - Except for the US, where most international airports do not have real transit areas, thus requiring all transiting passengers to ente
Re:That story scares me. (Score:3, Funny)
Slight amendment...
You CURRENTLY don't need US visas to overfly US airspace.
Re:Boycott (Score:2, Funny)
Re:Boycott (Score:3, Interesting)
Want to really cause panic in the air traffic system and probably get it shut down? Get you and four of your friends to do the same thing at five different airports at the same time on the same day. Say 12 noon eastern time the day before Thansksgiving.
If anyone from any three letter ag
Shenanigans (Score:5, Funny)
I doubt "Mrs." Broer will ever throw away her airplane ticket stub again!
Halal == potential terrorist? (Score:4, Insightful)
Re:Halal == potential terrorist? (Score:2)
Re:Halal == potential terrorist? (Score:2)
You act like you've never heard of the TSA. Basically all they do is confiscate plastic bullets off of keychains and let people onboard with a pocket full of sharp metallic pens. As much as they try, their entire purpose is to be a purely psychological barrier to entry -- to scare away potential terrorists, and to appease the masses. If they think airline security is good (which it is not, it's pitiful) they will fly mo
Re:Halal == potential terrorist? (Score:5, Interesting)
Parent
Re:Halal == potential terrorist? (Score:3, Interesting)
Re:Halal == potential terrorist? (Score:4, Funny)
Sometimes it's not on purpose, they just freak out when they hear or see certain things... a guy over here started taking the required action to have his name legally changed a couple of years ago... his first name being Jihad, you can guess the reaction he gets in airports when they ask his name.
So yeah, some people are flagged just based on their name.
Parent
BA could be liable for damages... (Score:3, Interesting)
Re:BA could be liable for damages... (Score:2, Informative)
You, of course, must be able to demonstrate and document the damage and distress too.
No piece of paper is safe (Score:3, Interesting)
From the artice: Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)
Laurie was anything but smug.
"This is terrible," he said. "It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it.
Anything that has even one piece of critical information on it (name, address, account numer of any sort, etc.) is vulnerable. That's why my shredder works overtime. I don't throw boarding passes away; I have quite a collection of them from my trips to Europe and the ones I don't want get consigned to the shredder. You can't take for granted that once you toss away a piece of paper, it will be on its way to the landfill soon enough. Trash may sit unattended for hours, even at a busy airport, and is a ripe picking ground. Mind you, I think airport security might look at you funny if you were poking around in all the trash cans, but you never know.
Modern Living Lesson One: Shred Everything (Score:5, Funny)
Anyone ever heard of a (Score:5, Insightful)
Shred anything with more then one piece of identifying information on it. Examples: Name and address (junk mail), Name andSSN (should know this by now), Name and phone# (yeah, it's in phone book, but don't let it float around). There are tons of combinations. I'd go so far as to shred directions from and to a destination, or even ATM receipts.
You'd be suprised how much seemingly worthless information can be compiled to gain terrific insight into people.
At the expense of sounding paranoid, I even shred my baggage check tickets (Name+flight#+someID#).
Re:Anyone ever heard of a (Score:2)
I chew and eat them lol!
Re:Anyone ever heard of a (Score:3, Insightful)
Passport Required!!!! (Score:5, Interesting)
The important thing is that you will not be allowed on an international flight without showing a valid passport. BA boarding procedures mandate a check of the passport against the ticket at the gate. This is kind of necessary now that outbound passengers from the UK are very rarely checked by immigration. True, an airline is unlikely to even have a UV light let alone a scanner there so it may be possible to get through with a forged passport.
Re:Passport Required!!!! (Score:2)
Re:Passport Required!!!! (Score:2)
Re:Passport Required!!!! (Score:2)
Re:Passport Required!!!! (Score:3, Informative)
Re:Passport Required!!!! (Score:3, Informative)
As I understand it, the chain of events is this...
If you're a member of the BA loyalty club, you didn't used to have to go through the web site... probably still don't have to.
You could sign up by one of the handouts at airports, get your card and give the number (along with all the stuff the USA wants) to your travel agent, and never visit BA's website.
BA print the loyalty
Re:Passport Required!!!! (Score:2)
Real ID act (Score:5, Interesting)
Being an opponent of the current craze for every more comprehensive and intrusive IDs and ID checks here in the US, I hope some proponents of the Real ID act will pay heed to unintended consequences of this absurdity.
Re:Real ID act (Score:4, Interesting)
Parent
Re:Real ID act (Score:3, Funny)
So paper is not sufficient to stop terrorists. But if it's laminated...!
Security scans (Score:5, Interesting)
On 2004 I travelled a lot to USA.
This don't seem to be much, but I was "selected" for manual scanning of my handbag in almost every USA airport.
Common sense and good diplomatics told me to accept that and never question authorities when you are a foreign citizen, but on the last scan, at MIA airport, though I created the guts to ask the nice TSA security agent why I was being scanned over and over. The answer shocked me: "It is all that electronics you carry. Makes very difficult to see what you have". I always carried my cellphone, myPDA, my digital camera and my CD player with me, on the same bag, and it really looked a mess.
The funny thing: I felt safer, because they were really looking at the x-ray. The only time I got stopped by airport security where I live, was because I told the guys my cellphone never made those portals beep... THAT DAY, it beeped!!!
Shouldn't come as a surprise (Score:4, Insightful)
Dumbest thing I've ever read (Score:5, Insightful)
the author is clear that this is all because of pressure from the United States.
I am a Norwegian, and I am saddened by the new religion that has Europe in it's grips. There are various sects in this religion, but they all have one thing in common, the big "Satan" is the US of effing A. Anything bad that goes on in the world is the fault of the US. This article, and the response to it, is an example of how fanatics suffering from this religion think.
The system they hacked was the BA frequent flyer system. This system has nothing to do with passenger security or US national security. This is a convenience system made so that BA passengers easily can buy tickets, earn miles, buy upgrades etc. This system shouldn't have information such as the passport number. The fact that it does is an internal matter for BA and has absolutely nothing to do with the USA.
I travel a lot for business and I am a member of most of the frequent flyer systems in Europe and the US, but not BA since I am already a member of one of their co-shares. None of the airlines have my passport number stored on the frequent flyer site. Not one of them.
This is an internal BA problem, BA should never have had the passport number stored on the FF site, they should never allow this to be accessed without a password etc.
Blaming the US for this is ridiculous in the extreme. The US has nothing to do with how an airline designs its Frequent Flyer website, and no, the US does not require that your passport number of other personal information is stored on the FF site or anywhere else for that matter. They only require the information be sent before you board the plane.
Sadly, the new European religion requires full frontal lobotomy prior to joining, something that has not reduced the number of Europeans who sign on.
Re:Dumbest thing I've ever read (Score:3, Interesting)
But the information wouldn't be there in the first place if it wasn't for the US.
Rubbish! You are clearly not reading what the article states. The US doesn't require that BA stores the passport number on the Frequent Flyer site. In fact, the US doesn't require that BA stores the information anywhere as long as they ship it to the US before you board the plane, in other words, they could have you supply the information when you buy the ticket, ship it accross, and promptly remove it.
The only reason BA
Shredders arn't that great (Score:3, Interesting)
Re:Shredders aren't that great (Score:3, Funny)
I call bullshit (Score:3, Informative)
First, the writer said he logged into BA's site, using only the supposed victim's frequent flyer number. But if you go to http://www.britishairways.com/travel/home/public/
As for the rest of the article, it might be accurate, but somehow I doubt that. The whole thing just utterly fails to pass the smell-o-scope test, pegging right between 'horse manure' and 'grade A Kentucky bullshit'.
Re:I call bullshit (Score:3, Informative)
"BA has now closed its security loophole after being contacted by the Guardian in March"
So I wouldn't expect it to work now...
Re:I call bullshit (Score:5, Informative)
Okay, I'll bite.
From TFA, the guy is a business traveller. Now look what happens if you "need help" logging in [britishairways.com] to BA's website:
As a member of the British Airways Executive Club, On Business or as a registered customer with britishairways.com, you can now log in to manage your account and access our exclusive online services. You log in by entering your details in the boxes at the top right hand corner of the screen.
Login ID Your login ID is either your: > Executive Club membership number or > On Business membership number or > Username
PIN/Password When logging in with the following: > Executive Club membership number, use your 4-digit PIN or > On Business use your login id and password or > username, use your password
Executive Club members If you need a PIN or have forgotten your PIN, then please click here to apply for one >>
On Business members If you have forgotten your password or login id click here for more information >>
Forgotten your password? Enter your username in both the Login ID and the PIN/Password boxes to receive your password prompt.
From what I can tell, if the reporter is in fact not lying, if the "victim" was an Executive Club member, you need the following if you need a PIN, or have forgotten your PIN:
Hmm. This is printed on the boarding pass already. Oh, and if he's an On Business member, you only need the username to retrieve the password, and the website tells you that it's "2 characters 6 digits"; what's the chance of that being the membership number printed on the boarding pass?
I wouldn't call this complete and utter bullshit yet. There are reasonable explanations for how this was accomplished.
Parent