Identity Theft From Tossed Airline Boarding Pass?

crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."

Re:BA could be liable for damages...

[blowdart]

Not really, the circumstances in which you can claim are pretty limited (media summary [informatio...ner.gov.uk]);

The right to compensation

An individual can claim compensation from a data controller for damage and distress caused by any breach of the act. Compensation for distress alone can only be claimed in limited circumstances.

You, of course, must be able to demonstrate and document the damage and distress too.

Run that one by me again.

[Don_dumb]

As far as I'm concerned, the airline industry can rot in hell for giving in to government pressure.

Correct me if I am wrong, but didn't the 9/11 bombers use US internal airlines because the security was so poor? A situation caused by the airline companies not agreeing to previous government calls for tighter security due to concerns that people might be put off flying.

I dont like all the pointless security either but some of it is defintely neccessary, and that wasn't the case on US internal airlines pre-September 2001. And anyway people need to see security at airports/on planes, in order to allievate fear of flying, which many people had after 9/11 and which would of course impact on the number of passengers.

I call bullshit

[corbettw]

This whole article sounds like complete and utter bullshit.

First, the writer said he logged into BA's site, using only the supposed victim's frequent flyer number. But if you go to http://www.britishairways.com/travel/home/public/e n_gb [britishairways.com] and look on the right side of the screen, you'll see you need a password along with your ID to access the site. So either 1) the person had no password (doubtful, most sites won't permit a blank password), or 2) he's lying. I'll go with #2 and assume he's lying. Since he's lying about how he got the information, it can be safely assume he made up everything else in the article.

As for the rest of the article, it might be accurate, but somehow I doubt that. The whole thing just utterly fails to pass the smell-o-scope test, pegging right between 'horse manure' and 'grade A Kentucky bullshit'.

Re:Passport Required!!!!

[Catullus]

The article states that they informed BA about the security hole in March, and BA fixed their website, so that may explain what you noticed.

Re:What is halal?

[Anonymous Coward]

Halal is very similar to kashrut (the jewish dietary law.) In fact, Halal is generally more permissive with the exception that alcohol is completely forbidden, and the Dhabia, which is the permissible method to slaughtering animals. Basically, this requires that animals be pointed towards Mecca and slaughtered in the name of Allah. Many more liberal muslims will simply take kashrut as good enough, and some further simply do not eat pork and ignore the Dhabia. However, conservative Muslims will not break strict halal unless doing otherwise will cause starvation. One can assume that an extremely conservative Muslim who is on his way to perform what he considers to be a holy act will not break halal. Although for some reason It seems that fasting would be a more appropriate course of action. But then not eating your meal would probably be considered suspicious by the airlines.

Re:I call bullshit

[ISoldMyLowIdOnEbay]

From TFA

"BA has now closed its security loophole after being contacted by the Guardian in March"

So I wouldn't expect it to work now...

Re:I call bullshit

[rfunches]

Okay, I'll bite.

From TFA, the guy is a business traveller. Now look what happens if you "need help" logging in [britishairways.com] to BA's website:

As a member of the British Airways Executive Club, On Business or as a registered customer with britishairways.com, you can now log in to manage your account and access our exclusive online services. You log in by entering your details in the boxes at the top right hand corner of the screen.

Login ID Your login ID is either your: > Executive Club membership number or > On Business membership number or > Username

PIN/Password When logging in with the following: > Executive Club membership number, use your 4-digit PIN or > On Business use your login id and password or > username, use your password

Executive Club members If you need a PIN or have forgotten your PIN, then please click here to apply for one >>

On Business members If you have forgotten your password or login id click here for more information >>

Forgotten your password? Enter your username in both the Login ID and the PIN/Password boxes to receive your password prompt.

From what I can tell, if the reporter is in fact not lying, if the "victim" was an Executive Club member, you need the following if you need a PIN, or have forgotten your PIN:

• Membership number
• First name
• Family/Last name

Hmm. This is printed on the boarding pass already. Oh, and if he's an On Business member, you only need the username to retrieve the password, and the website tells you that it's "2 characters 6 digits"; what's the chance of that being the membership number printed on the boarding pass?

I wouldn't call this complete and utter bullshit yet. There are reasonable explanations for how this was accomplished.

Re:Real ID act

[Anonymous Coward]

It depends on the state's alcoholic regulating body. Texas Alcoholic Beverage Commission specifically states a passport is not a sufficient ID. An operator of an establishment has the right to refuse you service if you do you not have a state issued ID. Texas offers, for a fee, a driving license and an ID card to all residents. As far as I know, it has been this way since TABC used to be known as the Liquor Control Board (pre-70's?). When they were known as the LCB, they were known to be a no bullshit organization and had no problems beating you into compliance.

Re:Passport Required!!!!

[Mark Hood]

It's not about getting on to a flight with false ID, it's about getting identifying information from nothing more than a boarding pass.

As I understand it, the chain of events is this...

If you're a member of the BA loyalty club, you didn't used to have to go through the web site... probably still don't have to.

You could sign up by one of the handouts at airports, get your card and give the number (along with all the stuff the USA wants) to your travel agent, and never visit BA's website.

BA print the loyalty card number on your boarding pass, each time you check in.

So they took a discarded boarding pass stub, with the name and number on it, went to the BA site and said 'sign me up for online check in' - provided the identifying details and pretended to be him (incidentally buying a ticket with his name on). This should not have been possible without, say, confirming his address, or some other security measure. This is the 'hole' in BA's security that the article says is now fixed. From memory (and I am a little hazy on the details) when I signed up online they populated all the fields they could with the information from my loyalty card record.

I know this is the case, because I got a card without signing up online, many years ago - and then went to tie that number to an online account.

Once they were online, they could see all the stuff he'd previously told BA - address, passport number, etc - from there, they went to get his house price, phone number and a lot more information.

The moral of the story is (as many have said) - if it's information you wouldn't print on a t-shirt or tell a random stranger, don't throw it away.

Mark

Re:What is halal?

[DavidTC]

Muslims just find it harder to find halal food than Jews finding kosker food, so 'fake it' more often. In reality, neither of them is 'acceptable' to the orthadox followers, in that they aren't certified as following the correct preparation. I know kosker is supposed to have a rabbi check out the process, and halal has much the same thing, although I forget the exact rule.

However, neither has pork, or shellfish, or a few other things. And hence if someone doesn't care about having their food 'certified', they just don't want to take a big bite of pork, the 'other' kind of food is fine.

And the GP is right, Jewish and Arab traditions are very very close in many ways, because they originally were the same, and because they have always lived in the same part of the world. Any similarities between Islam and Judism is almost always because Islam was almost entirely an Arab religion at the start. I.e., Semitic to Arab to Muslim, and Semitic to Jewish people to Jewish religion.

Whereas Christianity wandered off to Europe, and the European 'pagan' people within 100 years, so sucked up all those traditions. While Islam and Judism are single religions that came out of the same sets of people, Christianity is almost that same thing, out of the same people, applied to an entirely different set of people.

Re:That story scares me.

[innot]

No, an airport is national territory. And by convention an airplane becomes part of the national territory the moments the doors open (with doors closed different regulations apply (Warsaw Convention, Montreal Convention))

Most International Airports have designated transit area for passengers transiting a country to save them from the hassle of immigration and emigration - Except for the US, where most international airports do not have real transit areas, thus requiring all transiting passengers to enter the US and leave it a few minutes later (wasting 2-3 hours for the whole process, no to mention the humiliating finger-printing and picture taking)

It seems to me, that the US officals think that everyone setting foot on US soil only wants to enter the country (as a potential terrorist).

I work at an airline and we used to have flights to the US with continuing services to other destinations in middle america and the caribbean.
We had to stop this because of the enourmous hassles our transit passengers had to endure on transit (including sometimes refusal of transit). We now go via Havanna, which has its own problems, but at least the passengers have no problems on the transit.