Identity Theft From Tossed Airline Boarding Pass?

crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."

Boycott

[The Snowman]

Ever since 9/11, I refuse to travel by air. Not because of the scary terrorists, but because of my scary government. While the article talks about a UK program with bad security, the author is clear that this is all because of pressure from the United States.

I sent an email to the TSA a while ago telling them that I despise their spying programs and I am boycotting the airline industry. I don't want to be treated like a second-class citizen, spyed on, and my rights violated. Sure, the majority of airline passengers don't have a problem, but there are a significant quantity that do hit security snags on a daily basis. What has this increased illusion of security bought us? Pork. We haven't caught terrorists because of spending on ineffective security programs. Each alleged terrorist since 9/11 was caught because of people. People who thought something was wrong -- the shoe bomber who had trouble with his bomb, and passengers and flight attendants handled the situation. Not computers, not databases. People.

As far as I'm concerned, the airline industry can rot in hell for giving in to government pressure. They know these security programs do nothing more than waste money on pork and make certain politicians feel smug, earning brownie points with their constituents. Until the government gets a clue, I will not fly. If the airlines suffer, so be it. Money is what drives this country. Maybe when the government realizes that the airlines aren't making money, someone, somewhere, will get a clue and start implementing good security that does not violate our privacy.

Halal == potential terrorist?

[Whiney Mac Fanboy]

"The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details" [emph mine]

WTF? I didn't think the US did racial profiling - this is quite sad for Muslims (as well as people like me, who just order different 'special' [I like kosher] meals at random). Not only that, it's not going to help fight terrorists, just irritate the law-abiding.

Re:Boycott

[MyLongNickName]

Wow. Dutch citiczen. UK government. Still US's fault.

No, I am not a fan on the war on freedom^H^H^H^H^H^H^Hterrorism. But get over it. Both countries are capable of putting together a more secure system. Quit blaming the US for all the world's problems.

This assumes the guardian is reporting a true story. They have been know to be free with the truth.

Anyone ever heard of a

[dedeman]

Shredder? I really don't know if this is common knowledge/thought/attitude, but keep everything with your name and and identifying number on it until you have access to a shredder.

Shred anything with more then one piece of identifying information on it. Examples: Name and address (junk mail), Name andSSN (should know this by now), Name and phone# (yeah, it's in phone book, but don't let it float around). There are tons of combinations. I'd go so far as to shred directions from and to a destination, or even ATM receipts.

You'd be suprised how much seemingly worthless information can be compiled to gain terrific insight into people.

At the expense of sounding paranoid, I even shred my baggage check tickets (Name+flight#+someID#).

Re:Boycott

[Whiney Mac Fanboy]

Wow. Dutch citiczen. UK government. Still US's fault.

Maybe you should have read the article before commenting:

[the boarding pass] would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US....

Re:Boycott

[MyLongNickName]

Maybe you shouldn't automatically suck down everything a news article tells you. I did RTFA. However, the US is allowed to make lawas about who can come into their country. Other countries have to respect those rules. If those countries choose to allow insecure systems like this to come into place, then that is THEIR problem, not ours.

Our problem is that we have elected people who put moronic rules into place.

Re:Boycott

[chiskop]

This assumes the guardian is reporting a true story. They have been know to be free with the truth.

Reference, please.

Re:Boycott

[Jedi Alec]

However, the US is allowed to make lawas about who can come into their country.

Indeed they are. Good thing the rest of us are allowed to take a hint and decide we're not welcome. Guess we'll just go somewhere else with our business.

Re:Anyone ever heard of a

[Chris Pimlott]

You know, you can enjoy an interesting, enriching life and shred your ATM receipts.

And you don't know half of the absurdity of it!

[Anonymous Coward]

First about the BP stubs. Info on the BP stubs, is in plain sight for the TRAVELER information. If the traveller then drop it it is a stupidity concern, not a security concern. For example, Would you throw out a bank receipt with your account sold, bank account, bank name, signature and all the tralala out ? This is the same problem here.

Now the fact they could buy a document in the name of the pax on an unsecurised web site IS a concern.

As for APIS, having worked on the implementation on a main frame for a big airline, we used to joke a LOT about US version of security.

Pay Cash ? You automatically get flagged as suspectful. Pay with CC ? This is seen as OK. Be a frequent traveller ? You are automatically flagged as safe. Take only a one way ticket ? Be preparred for the "glove" search... Knowing the rule it would be blantantly easy to bypass this check (take a round trip, on a frequent flyer, using a CC, do it 10 times, then afterward you are a "safe" traveller...). We always laughed at the stupidity of that. I left shortly afterward so I dunno if the US kept that security concept today.

Shouldn't come as a surprise

[slusich]

The fact that the information was on the stub and was easily retreivable shouldn't come as a surprise to anyone. Companies are way too free with where they put such information. Companies need to be held accountable for such things. Casinos actually do things the right way in this case. Loyalty cards and cash out tickets are usually encoded only with an ID number and no more. PINs, address information and such are almost never included.

Dumbest thing I've ever read

[terjeber]

the author is clear that this is all because of pressure from the United States.

I am a Norwegian, and I am saddened by the new religion that has Europe in it's grips. There are various sects in this religion, but they all have one thing in common, the big "Satan" is the US of effing A. Anything bad that goes on in the world is the fault of the US. This article, and the response to it, is an example of how fanatics suffering from this religion think.

The system they hacked was the BA frequent flyer system. This system has nothing to do with passenger security or US national security. This is a convenience system made so that BA passengers easily can buy tickets, earn miles, buy upgrades etc. This system shouldn't have information such as the passport number. The fact that it does is an internal matter for BA and has absolutely nothing to do with the USA.

I travel a lot for business and I am a member of most of the frequent flyer systems in Europe and the US, but not BA since I am already a member of one of their co-shares. None of the airlines have my passport number stored on the frequent flyer site. Not one of them.

This is an internal BA problem, BA should never have had the passport number stored on the FF site, they should never allow this to be accessed without a password etc.

Blaming the US for this is ridiculous in the extreme. The US has nothing to do with how an airline designs its Frequent Flyer website, and no, the US does not require that your passport number of other personal information is stored on the FF site or anywhere else for that matter. They only require the information be sent before you board the plane.

Sadly, the new European religion requires full frontal lobotomy prior to joining, something that has not reduced the number of Europeans who sign on.

Re:Run that one by me again.

[The Snowman]

Correct me if I am wrong, but didn't the 9/11 bombers use US internal airlines because the security was so poor?

By internal I take it you mean using U.S. airlines to attack the U.S. Duh? This place isn't like Europe with a bunch of little countries next to each other. If they didn't use U.S. airlines taking off from U.S. airports, what would they have used?

Anyway, the problem wasn't security. The hijackers had clean records, were in this country legally, and had authentic identification. There was no way we would have caught them because they blended in so well with the surroundings. We (airlines, TSA, and regular people on those flights) had no suspicions.

The real fault was the FBI who was sitting on documented evidence of a plot, including some of the names. If they had connected the dots instead of being lazy, they would have had enough evidence to demand the FAA ground all airplanes that day while they went after the hijackers. Yes, we'd still have knee-jerk reactions to security, but at least the specific events of that day would not have happened. It would have been a success overall, because the system (law enforcement) would have worked.

Re:Boycott

[DavidTC]

That's not why the rules are in place, that's why the rules are claimed to be in place.

The rules are actually in place for two different reasons:

One, because security theatre is the sole thing our current Administration has ever been efficent at. The actual stopping of threats, or responding to disasters after the fact, or acting in the political stage to put pressure on said threats, it doesn't quite understand that yet. Nor does it, apparently, understand how to invade a county.(1) But it sure has 'running around looking like it's doing something' down pat.

The UK, sad to say, appears to be one of the few countries to actually either fall for this, or be willing to play along. (I don't know UK politics well enough to know which.) I've lost almost as much respect for the UK as for the US for putting up with their government.

Two, because the airline industry is a confusopoly, and hence is threatened by the large amount of information available online. If this keeps up, it won't be able to sell some tickets for six times as much as other tickets in the same class on the same flight. A large part of fighting this is assuring that tickets cannot be resold under any circumstances, which is what many of these 'security' measures are designed to prevent.

1) I say 'apparently' because, hey, I don't either. But, then again, I haven't tried to invade two of them, and I'm not gearing up to do it a third time.

Re:Run that one by me again.

[AGMW]

Could you please elaborate on which parts are necessary and which parts aren't if, as you claim, the security is pointless.

I'd suggest that if someone really wanted to hijack another plane in the US, or wherever, it would still be possible, even with the extra security. A number of scenarios spring to mind, but forgive me if I don't suggest them out loud! You're all clever people and I don't doubt for a second you could all come up with a number of feasible plans. The current security might make some of them fail, but if you kept trying (ie the scumbags who send out the suicide jockeys "keep trying"!) you will inevitably succeed.

So, if it is still possible, the extra security is perhaps pointless. I'd suggest a level of security that makes it "difficult" for potential bad guys, but doesn't piss off the general public too much.

I'd say the biggest problem any hijacker would have now is the bit where they stand up and say "do as you are told and you won't get hurt". Since the World Trade Center was hit, there aren't many passengers who are going to calmly sit back and let anyone hijack a 'plane, and probably even fewer crew. This could be the lasting legacy of the 9/11 bombers - they made hijacking a plane more difficult, because the passengers and crew are unlikely to give up so easily!

So security just has to make it difficult to get "serious" weapons on the plane, and let the passengers and crew do the rest!

Re:Boycott

[Moofie]

"The laws were put into effect to keep those who would like to destroy our freedoms out."

Nonsense. This will do nothing to prevent terrorism.

"it's about security."

No. It's about creating an illusion of security, to mask a power grab.

"it's a privilege, not a right."

You seem to think that the founding documents of the United States are a list of things humans are allowed to do. You need to read them again.