Identity Theft From Tossed Airline Boarding Pass?

Posted by Zonk on Thu May 04, 2006 08:07 AM
from the just-ouch dept.
crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."

Related Stories

Another Setback for Biometric Passports
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
  • Boycott (Score:5, Insightful)

    Ever since 9/11, I refuse to travel by air. Not because of the scary terrorists, but because of my scary government. While the article talks about a UK program with bad security, the author is clear that this is all because of pressure from the United States.

    I sent an email to the TSA a while ago telling them that I despise their spying programs and I am boycotting the airline industry. I don't want to be treated like a second-class citizen, spied on, and my rights violated. Sure, the majority of airline passengers don't have a problem, but there are a significant quantity that do hit security snags on a daily basis. What has this increased illusion of security bought us? Pork. We haven't caught terrorists because of spending on ineffective security programs. Each alleged terrorist since 9/11 was caught because of people. People who thought something was wrong -- the shoe bomber who had trouble with his bomb, and passengers and flight attendants handled the situation. Not computers, not databases. People.

    As far as I'm concerned, the airline industry can rot in hell for giving in to government pressure. They know these security programs do nothing more than waste money on pork and make certain politicians feel smug, earning brownie points with their constituents. Until the government gets a clue, I will not fly. If the airlines suffer, so be it. Money is what drives this country. Maybe when the government realizes that the airlines aren't making money, someone, somewhere, will get a clue and start implementing good security that does not violate our privacy.

  • Shenanigans (Score:5, Funny)

    The system even allowed us to change the information....
    That's right, (*snicker*) Broer is now a 38 year old pregnant mother of four from Belgrade with a passport that expired in 1983. Let's see how long it takes him to figure out he's the victim of identity mod!

    I doubt "Mrs." Broer will ever throw away her airplane ticket stub again!
  • "The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details" [emph mine]
    WTF? I didn't think the US did racial profiling - this is quite sad for Muslims (as well as people like me, who just order different 'special' [I like kosher] meals at random). Not only that, it's not going to help fight terrorists, just irritate the law-abiding.

  • BA could be liable for damages... (Score:3, Interesting)

    by The Dodger (10689) on Thursday May 04 2006, @08:14AM (#15261553)
    (http://www.2600.com/)
    ..under the UK's Data Protection Act. See http://www.dataprotection.gov.uk/ [dataprotection.gov.uk] for details...
  • No piece of paper is safe (Score:3, Interesting)

    by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Thursday May 04 2006, @08:16AM (#15261562)
    (Last Journal: Wednesday November 07, @10:09AM)

    From the article: Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)

    Laurie was anything but smug.

    "This is terrible," he said. "It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it."

    Anything that has even one piece of critical information on it (name, address, account number of any sort, etc.) is vulnerable. That's why my shredder works overtime. I don't throw boarding passes away; I have quite a collection of them from my trips to Europe and the ones I don't want get consigned to the shredder. You can't take for granted that once you toss away a piece of paper, it will be on its way to the landfill soon enough. Trash may sit unattended for hours, even at a busy airport, and is a ripe picking ground. Mind you, I think airport security might look at you funny if you were poking around in all the trash cans, but you never know.

  • by digitaldc (879047) * on Thursday May 04 2006, @08:17AM (#15261570)
    I even shred my scratch pad, sticky notes and code written on napkins.
  • Anyone ever heard of a (Score:5, Insightful)

    by dedeman (726830) <dedeman1@NOSpAm.yahoo.com> on Thursday May 04 2006, @08:17AM (#15261572)
    Shredder? I really don't know if this is common knowledge/thought/attitude, but keep everything with your name and an identifying number on it until you have access to a shredder.

    Shred anything with more than one piece of identifying information on it. Examples: Name and address (junk mail), Name and SSN (should know this by now), Name and phone# (yeah, it's in phone book, but don't let it float around). There are tons of combinations. I'd go so far as to shred directions from and to a destination, or even ATM receipts.

    You'd be surprised how much seemingly worthless information can be compiled to gain terrific insight into people.

    At the expense of sounding paranoid, I even shred my baggage check tickets (Name+flight#+someID#).
  • Passport Required!!!! (Score:5, Interesting)

    by hughk (248126) on Thursday May 04 2006, @08:18AM (#15261575)
    (Last Journal: Sunday September 16, @04:44AM)
    I am curious as to how the person got so far through the BA website without a password or PIN. Last time I looked, you needed this. Perhaps Mr Broer hadn't registered one. Otherwise did they compromise BA's website?

    The important thing is that you will not be allowed on an international flight without showing a valid passport. BA boarding procedures mandate a check of the passport against the ticket at the gate. This is kind of necessary now that outbound passengers from the UK are very rarely checked by immigration. True, an airline is unlikely to even have a UV light let alone a scanner there so it may be possible to get through with a forged passport.

  • Real ID act (Score:5, Interesting)

    by guisar (69737) on Thursday May 04 2006, @08:20AM (#15261596)
    (http://www.cjseiferth.com/)
    Yesterday I was stopped by a cop in the Concord, MA national park because the muffler on my old vw bus was a bit loud. I handed him my Vermont driver's license, which is a bit of paper with no SSN, only a coded address and no photo. His response- "What's this". "My driver's license" I replied. "Well how do they hope to stop terrorists with this?"

    Being an opponent of the current craze for ever more comprehensive and intrusive IDs and ID checks here in the US, I hope some proponents of the Real ID act will pay heed to unintended consequences of this absurdity.

    • Re:Real ID act (Score:4, Interesting)

      by CortoMaltese (828267) on Thursday May 04 2006, @09:00AM (#15261928)
      A friend told me she'd tried to buy some beer at a liquor store, and when asked for an ID, she'd used her passport. "Don't you have a driver's license?" the person behind the counter had asked, "Anyone can get a passport." So I guess the driver's license is the "real" ID in the US...
  • Security scans (Score:5, Interesting)

    by RafaelGCPP (922041) on Thursday May 04 2006, @08:51AM (#15261836)

    In 2004 I travelled a lot to the USA.

    This doesn't seem to be much, but I was "selected" for manual scanning of my handbag in almost every USA airport.

    Common sense and good diplomatics told me to accept that and never question authorities when you are a foreign citizen, but on the last scan, at MIA airport, though I created the guts to ask the nice TSA security agent why I was being scanned over and over. The answer shocked me: "It is all that electronics you carry. Makes very difficult to see what you have". I always carried my cellphone, my PDA, my digital camera and my CD player with me, on the same bag, and it really looked a mess.

    The funny thing: I felt safer, because they were really looking at the x-ray. The only time I got stopped by airport security where I live, was because I told the guys my cellphone never made those portals beep... THAT DAY, it beeped!!!

  • by Anonymous Coward on Thursday May 04 2006, @08:59AM (#15261924)
    First about the BP stubs. Info on the BP stubs is in plain sight for the TRAVELER information. If the traveller then drops it, it is a stupidity concern, not a security concern. For example, would you throw out a bank receipt with your account sold, bank account, bank name, signature and all the tralala? This is the same problem here.

    Now the fact they could buy a document in the name of the pax on an unsecured web site IS a concern.

    As for APIS, having worked on the implementation on a main frame for a big airline, we used to joke a LOT about US version of security.

    Pay cash? You automatically get flagged as suspect. Pay with CC? This is seen as OK. Be a frequent traveller? You are automatically flagged as safe. Take only a one way ticket? Be prepared for the "glove" search... Knowing the rule it would be blatantly easy to bypass this check (take a round trip, on a frequent flyer, using a CC, do it 10 times, then afterward you are a "safe" traveller...). We always laughed at the stupidity of that. I left shortly afterward so I dunno if the US kept that security concept today.
  • Shouldn't come as a surprise (Score:4, Insightful)

    by slusich (684826) * <slusich AT gmail DOT com> on Thursday May 04 2006, @09:04AM (#15261959)
    The fact that the information was on the stub and was easily retrievable shouldn't come as a surprise to anyone. Companies are way too free with where they put such information. Companies need to be held accountable for such things. Casinos actually do things the right way in this case. Loyalty cards and cash out tickets are usually encoded only with an ID number and no more. PINs, address information and such are almost never included.
  • Dumbest thing I've ever read (Score:5, Insightful)

    by terjeber (856226) on Thursday May 04 2006, @09:13AM (#15262051)

    the author is clear that this is all because of pressure from the United States.

    I am a Norwegian, and I am saddened by the new religion that has Europe in its grips. There are various sects in this religion, but they all have one thing in common, the big "Satan" is the US of effing A. Anything bad that goes on in the world is the fault of the US. This article, and the response to it, is an example of how fanatics suffering from this religion think.

    The system they hacked was the BA frequent flyer system. This system has nothing to do with passenger security or US national security. This is a convenience system made so that BA passengers easily can buy tickets, earn miles, buy upgrades etc. This system shouldn't have information such as the passport number. The fact that it does is an internal matter for BA and has absolutely nothing to do with the USA.

    I travel a lot for business and I am a member of most of the frequent flyer systems in Europe and the US, but not BA since I am already a member of one of their co-shares. None of the airlines have my passport number stored on the frequent flyer site. Not one of them.

    This is an internal BA problem, BA should never have had the passport number stored on the FF site, they should never allow this to be accessed without a password etc.

    Blaming the US for this is ridiculous in the extreme. The US has nothing to do with how an airline designs its Frequent Flyer website, and no, the US does not require that your passport number or other personal information is stored on the FF site or anywhere else for that matter. They only require the information be sent before you board the plane.

    Sadly, the new European religion requires full frontal lobotomy prior to joining, something that has not reduced the number of Europeans who sign on.

  • Shredders aren't that great (Score:3, Interesting)

    by hey (83763) on Thursday May 04 2006, @09:18AM (#15262100)
    (Last Journal: Thursday December 08 2005, @04:33PM)
    If I was looking for sensitive info on a street on garbage day I'd look for the shredded stuff. Also, of course, you can put it back together.
  • by Jay Maynard (54798) on Thursday May 04 2006, @09:36AM (#15262255)
    (http://www.conmicro.com/)
    I knew there was a reason my boarding passes went into the shredder when I got home...
  • I call bullshit (Score:3, Informative)

    This whole article sounds like complete and utter bullshit.

    First, the writer said he logged into BA's site, using only the supposed victim's frequent flyer number. But if you go to http://www.britishairways.com/travel/home/public/en_gb [britishairways.com] and look on the right side of the screen, you'll see you need a password along with your ID to access the site. So either 1) the person had no password (doubtful, most sites won't permit a blank password), or 2) he's lying. I'll go with #2 and assume he's lying. Since he's lying about how he got the information, it can be safely assumed he made up everything else in the article.

    As for the rest of the article, it might be accurate, but somehow I doubt that. The whole thing just utterly fails to pass the smell-o-scope test, pegging right between 'horse manure' and 'grade A Kentucky bullshit'.
    • Re:I call bullshit (Score:5, Informative)

      by rfunches (800928) <thefunch&gmail,com> on Thursday May 04 2006, @10:08AM (#15262551)
      (http://www.funchesmedia.com/)

      Okay, I'll bite.

      From TFA, the guy is a business traveller. Now look what happens if you "need help" logging in [britishairways.com] to BA's website:

      As a member of the British Airways Executive Club, On Business or as a registered customer with britishairways.com, you can now log in to manage your account and access our exclusive online services. You log in by entering your details in the boxes at the top right hand corner of the screen.

      Login ID
      Your login ID is either your:
      > Executive Club membership number or
      > On Business membership number or
      > Username

      PIN/Password
      When logging in with the following:
      > Executive Club membership number, use your 4-digit PIN or
      > On Business use your login id and password or
      > username, use your password

      Executive Club members If you need a PIN or have forgotten your PIN, then please click here to apply for one >>

      On Business members If you have forgotten your password or login id click here for more information >>

      Forgotten your password? Enter your username in both the Login ID and the PIN/Password boxes to receive your password prompt.

      From what I can tell, if the reporter is in fact not lying, if the "victim" was an Executive Club member, you need the following if you need a PIN, or have forgotten your PIN:

      • Membership number
      • First name
      • Family/Last name

      Hmm. This is printed on the boarding pass already. Oh, and if he's an On Business member, you only need the username to retrieve the password, and the website tells you that it's "2 characters 6 digits"; what's the chance of that being the membership number printed on the boarding pass?

      I wouldn't call this complete and utter bullshit yet. There are reasonable explanations for how this was accomplished.

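The login and PIN-request flows quoted in the comment above, modelled as a design-review check. This is an added example, not part of the thread and not BA's code: the field labels are hypothetical, and because the thread does not say how a requested PIN is delivered, that is a parameter. It computes what someone holding only the stub's data can reach.

```python
from dataclasses import dataclass

# Fields the comment says are printed on the boarding pass (labels are assumed).
STUB = frozenset({"membership_number", "first_name", "last_name"})


@dataclass(frozen=True)
class Flow:
    name: str
    requires: frozenset  # inputs the form asks for
    yields: str          # credential or access it produces
    in_band: bool        # True if the result goes back to whoever submits the form


def flows(pin_in_band):
    """Flows from the quoted help text. How the PIN is delivered is not stated
    in the thread, so it is a parameter rather than a fact."""
    return [
        Flow("pin_request", STUB, "pin", pin_in_band),
        Flow("executive_club_login",
             frozenset({"membership_number", "pin"}), "account_access", True),
        Flow("on_business_login",
             frozenset({"username", "password"}), "account_access", True),
    ]


def secretless(flow_list, public=STUB):
    """Flows whose every input is printed on the stub."""
    return [f.name for f in flow_list if f.requires <= public]


def reachable(known, flow_list):
    """Fixed point: run every in-band flow whose inputs are all known until
    nothing new is learned. Returns (knowledge, flows used in order)."""
    known, path = set(known), []
    changed = True
    while changed:
        changed = False
        for f in flow_list:
            if f.in_band and f.requires <= known and f.yields not in known:
                known.add(f.yields)
                path.append(f.name)
                changed = True
    return known, path


if __name__ == "__main__":
    for in_band in (True, False):
        known, path = reachable(STUB, flows(in_band))
        print(f"PIN returned in-band={in_band}: "
              f"account_access={'account_access' in known}, path={path}")
    print("flows needing no secret:", secretless(flows(False)))
```

The PIN request asks for nothing secret in either case; whether that matters depends on the PIN going to a channel only the account holder controls.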
  • flying (Score:1)

    by Z3nN3rd (709214) on Thursday May 04 2006, @10:12AM (#15262589)
    (http://zennerd.blogspot.com/)
    I just got back from Interop in Vegas (yeah, it rocked) and flying just sucks anymore. I was wearing flip flops and they insisted I take them off and send them through the xray machine! Another guy I was traveling with had to go to the counter because his name is "John White" and they thought it might be an alias for some Muslim suicide loser...the dude couldn't be any more gringo! Next time we are just going to drive, since I live in Arizona it shouldn't take much longer.
  • Define the issues (Score:2)

    by humphrm (18130) on Thursday May 04 2006, @01:02PM (#15264167)
    (http://famille.org/)
    First of all, shame on BA for letting anyone with a FF number access personal data without a password. That certainly is the root of the problem. AA requires a password. So does every other carrier I use.

    Second, and you can quote me on this,

    DUH.

    You've got a piece of paper with your name and potentially a receipt (some airlines print their receipts on the tickets, which sometimes also form the boarding pass). You should destroy any piece of paper with your name on it. If you don't understand that, then you don't understand how to protect yourself against identity theft. Smart people have been shredding their used boarding passes for years.

  • Shoe Carnival (Score:2)

    by Palal (836081) on Thursday May 04 2006, @01:59PM (#15264683)
    (http://www.palal.net/)
    On sites like FlyerTalk [flyertalk.com] there are numerous threads about shoe carnival airports. Basically, if you do not take off your shoes and do not set off the alarm, all you have to get is a swab of your shoes to test for explosives residue. If they do anything more to you it's against TSA regulations and you should file a complaint form. Of course you always have a chance at a retaliatory screening. Some airports are better than others. Basically, if we stop taking off our shoes that do not set off the detector, we will teach the TSA that a full secondary screening is unnecessary.
  • by walterbyrd (182728) on Thursday May 04 2006, @02:35PM (#15264972)
    Recently, my wife got on my case because I left my mail in the back seat of my car "somebody can see and know your address!"

    So? What good does it do a burglar to know my address? Unless that burglar figures that somebody who drives a 1992 Ford Festiva has untold riches. Why would the burglar target my house instead of somebody else's?

    Then on the news, I hear that people are stealing cars to steal identities. They get the identity from the registration and insurance. WTF? What information does my registration and insurance card have that would allow somebody to steal my identity?
  • by kencurry (471519) on Thursday May 04 2006, @02:46PM (#15265052)
    Some of the changes since 9/11 are completely illogical.

    One that really annoys me is forbidding small knives/tools/nail clippers in carry-ons. I always keep a Swiss Army knife in my briefcase; just a geek thing to do I guess. However, on my last trip, I forgot to take it out of my bag; it got flagged in x-ray, big commotion etc. I was allowed to ship it home for $15 dollars.

    Here's my point. If something goes wrong, you NEED to have bystanders who can take some action, hence they could use the tools/knives etc.

    Look at the "United 93" (I hope I've got that right) scenario. The ONLY thing that saved the US Capitol is passengers who could take action. I really wonder what we've learned collectively after 9/11.

  • Same as in the copyright discussions. 'Fraud' does NOT equal 'theft'!

    No one can STEAL your name or who you are! They can fraudulently use your name, SSN, etc, but you cannot have your name STOLEN! It is impossible.

    Can we PLEASE quit calling it "identity theft" and use a more accurate description of "identity fraud".
  • by AmigaAvenger (210519) on Thursday May 04 2006, @08:54AM (#15261865)
    (Last Journal: Friday June 25 2004, @09:26PM)
    funny you should mention northwest... you can do EXACTLY this on their website, you only need confirmation # and last name, fairly easy to obtain.

    https://www.nwa.com/cgi-bin/res_info.pro [nwa.com]
