Identity Theft From Tossed Airline Boarding Pass?

crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."

Boycott

[The+Snowman]

Ever since 9/11, I refuse to travel by air. Not because of the scary terrorists, but because of my scary government. While the article talks about a UK program with bad security, the author is clear that this is all because of pressure from the United States.

I sent an email to the TSA a while ago telling them that I despise their spying programs and I am boycotting the airline industry. I don't want to be treated like a second-class citizen, spyed on, and my rights violated. Sure, the majority of airline passengers don't have a problem, but there are a significant quantity that do hit security snags on a daily basis. What has this increased illusion of security bought us? Pork. We haven't caught terrorists because of spending on ineffective security programs. Each alleged terrorist since 9/11 was caught because of people. People who thought something was wrong -- the shoe bomber who had trouble with his bomb, and passengers and flight attendants handled the situation. Not computers, not databases. People.

As far as I'm concerned, the airline industry can rot in hell for giving in to government pressure. They know these security programs do nothing more than waste money on pork and make certain politicians feel smug, earning brownie points with their constituents. Until the government gets a clue, I will not fly. If the airlines suffer, so be it. Money is what drives this country. Maybe when the government realizes that the airlines aren't making money, someone, somewhere, will get a clue and start implementing good security that does not violate our privacy.

Re:Boycott

[Whiney+Mac+Fanboy]

Wow. Dutch citiczen. UK government. Still US's fault.

Maybe you should have read the article before commenting:

[the boarding pass] would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US....

Re:Boycott

[MyLongNickName]

Maybe you shouldn't automatically suck down everything a news article tells you. I did RTFA. However, the US is allowed to make lawas about who can come into their country. Other countries have to respect those rules. If those countries choose to allow insecure systems like this to come into place, then that is THEIR problem, not ours.

Our problem is that we have elected people who put moronic rules into place.

Re:Boycott

[Jedi+Alec]

However, the US is allowed to make lawas about who can come into their country.

Indeed they are. Good thing the rest of us are allowed to take a hint and decide we're not welcome. Guess we'll just go somewhere else with our business.

Re:Boycott

[mgblst]

I flew from Sydney to Vancouver, and the plane happened to stop in Honolulu for refueling. Since Honolulu is in the US, every single person had to get off the plane, have their picture taken, and be finger printed. Then we all got back on, and flew the rest of the way to Canada. It took 2 hours, for nothing. Nobody was staying in Honolulu, we only wanted some fuel. Thanks US.

And surprisingly, they didn't catch any terrorists that day, either.

Shenanigans

[eldavojohn]

The system even allowed us to change the information....

That's right, (*snicker*) Broer is now a 38 year old pregnant mother of four from Belgrade with a passport that expired in 1983. Let's see how long it takes him to figure out he's the victim of identity mod!

I doubt "Mrs." Broer will ever throw away her airplane ticket stub again!

Halal == potential terrorist?

[Whiney+Mac+Fanboy]

"The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details" [emph mine]

WTF? I didn't think the US did racial profiling - this is quite sad for Muslims (as well as people like me, who just order different 'special' [I like kosher] meals at random). Not only that, it's not going to help fight terrorists, just irritate the law-abiding.

Re:Halal == potential terrorist?

[AgentPaper]

To add insult to injury, if your name even remotely resembles the name of a known or suspected "evildoer," you get flagged. My entire family now suffers an extra 45 minutes of screening at the airport, every single time we fly, because my dad's name matches that of some IRA gunman who was last active in the early 80's. (Before you go thinking this might be a valid concern, consider that we're talking about an extremely common name. "John Murphy" isn't exactly "Zaccarias Moussaoui.") And of course, all this color-coded rigmarole does not make us one bit safer, just more vulnerable to the constant fear-mongering coming out of Washington.

Re:Halal == potential terrorist?

[Phisbut]

I didn't think the US did racial profiling - this is quite sad for Muslims

Sometimes it's not on purpose, they just freak out when they hear or see certain things... a guy over here started taking the required action to have his name legally changed a couple of years ago... his first name being Jihad, you can guess the reaction he gets in airports when they ask his name.

So yeah, some people are flagged just based on their name.

Modern Living Lesson One: Shred Everything

[digitaldc]

I even shred my scratch pad, sticky notes and code written on napkins.

Anyone ever heard of a

[dedeman]

Shredder? I really don't know if this is common knowledge/thought/attitude, but keep everything with your name and and identifying number on it until you have access to a shredder.

Shred anything with more then one piece of identifying information on it. Examples: Name and address (junk mail), Name andSSN (should know this by now), Name and phone# (yeah, it's in phone book, but don't let it float around). There are tons of combinations. I'd go so far as to shred directions from and to a destination, or even ATM receipts.

You'd be suprised how much seemingly worthless information can be compiled to gain terrific insight into people.

At the expense of sounding paranoid, I even shred my baggage check tickets (Name+flight#+someID#).

Passport Required!!!!

[hughk]

I am curious as to how the person got so far through the BA website without a password or PIN. Last time I looked, you needed this. Perhaps Mr Broer hadn't registered one. Otherwise did they compromise BA's website?

The important thing is that you will not be allowed on an international flight without showing a valid passport. BA boarding procedures mandate a check of the passport against the ticket at the gate. This is kind of necessary now that outbound passengers from the UK are very rarely checked by immigration. True, an airline is unlikely to even have a UV light let alone a scanner there so it may be possible to get through with a forged passport.

Real ID act

[guisar]

Yesterday I was stopped by a cop in the Concord, MA national park because the muffler on my old vw bus was a bit loud. I handed him my Vermont driver's license, which is a bit of paper with no SSN, only a coded address and no photo. His response- "What's this". "My driver's license" I replied. "Well how do they hope to stop terrorists with this?"

Being an opponent of the current craze for every more comprehensive and intrusive IDs and ID checks here in the US, I hope some proponents of the Real ID act will pay heed to unintended consequences of this absurdity.

Re:Real ID act

[CortoMaltese]

A friend told me she'd tried to buy some beer at a liquor store, and when asked for an ID, she'd used her passport. "Don't you have a driver's license?" the person behind the counter had asked, "Anyone can get a passport." So I guess the driver's license is the "real" ID in the US...

Security scans

[RafaelGCPP]

On 2004 I travelled a lot to USA.

This don't seem to be much, but I was "selected" for manual scanning of my handbag in almost every USA airport.

Common sense and good diplomatics told me to accept that and never question authorities when you are a foreign citizen, but on the last scan, at MIA airport, though I created the guts to ask the nice TSA security agent why I was being scanned over and over. The answer shocked me: "It is all that electronics you carry. Makes very difficult to see what you have". I always carried my cellphone, myPDA, my digital camera and my CD player with me, on the same bag, and it really looked a mess.

The funny thing: I felt safer, because they were really looking at the x-ray. The only time I got stopped by airport security where I live, was because I told the guys my cellphone never made those portals beep... THAT DAY, it beeped!!!

Shouldn't come as a surprise

[slusich]

The fact that the information was on the stub and was easily retreivable shouldn't come as a surprise to anyone. Companies are way too free with where they put such information. Companies need to be held accountable for such things. Casinos actually do things the right way in this case. Loyalty cards and cash out tickets are usually encoded only with an ID number and no more. PINs, address information and such are almost never included.

Dumbest thing I've ever read

[terjeber]

the author is clear that this is all because of pressure from the United States.

I am a Norwegian, and I am saddened by the new religion that has Europe in it's grips. There are various sects in this religion, but they all have one thing in common, the big "Satan" is the US of effing A. Anything bad that goes on in the world is the fault of the US. This article, and the response to it, is an example of how fanatics suffering from this religion think.

The system they hacked was the BA frequent flyer system. This system has nothing to do with passenger security or US national security. This is a convenience system made so that BA passengers easily can buy tickets, earn miles, buy upgrades etc. This system shouldn't have information such as the passport number. The fact that it does is an internal matter for BA and has absolutely nothing to do with the USA.

I travel a lot for business and I am a member of most of the frequent flyer systems in Europe and the US, but not BA since I am already a member of one of their co-shares. None of the airlines have my passport number stored on the frequent flyer site. Not one of them.

This is an internal BA problem, BA should never have had the passport number stored on the FF site, they should never allow this to be accessed without a password etc.

Blaming the US for this is ridiculous in the extreme. The US has nothing to do with how an airline designs its Frequent Flyer website, and no, the US does not require that your passport number of other personal information is stored on the FF site or anywhere else for that matter. They only require the information be sent before you board the plane.

Sadly, the new European religion requires full frontal lobotomy prior to joining, something that has not reduced the number of Europeans who sign on.

Re:I call bullshit

[ISoldMyLowIdOnEbay]

From TFA

"BA has now closed its security loophole after being contacted by the Guardian in March"

So I wouldn't expect it to work now...

Re:I call bullshit

[rfunches]

Okay, I'll bite.

From TFA, the guy is a business traveller. Now look what happens if you "need help" logging in to BA's website:

As a member of the British Airways Executive Club, On Business or as a registered customer with britishairways.com, you can now log in to manage your account and access our exclusive online services. You log in by entering your details in the boxes at the top right hand corner of the screen.

Login ID Your login ID is either your: > Executive Club membership number or > On Business membership number or > Username

PIN/Password When logging in with the following: > Executive Club membership number, use your 4-digit PIN or > On Business use your login id and password or > username, use your password

Executive Club members If you need a PIN or have forgotten your PIN, then please click here to apply for one >>

On Business members If you have forgotten your password or login id click here for more information >>

Forgotten your password? Enter your username in both the Login ID and the PIN/Password boxes to receive your password prompt.

From what I can tell, if the reporter is in fact not lying, if the "victim" was an Executive Club member, you need the following if you need a PIN, or have forgotten your PIN:

• Membership number
• First name
• Family/Last name

Hmm. This is printed on the boarding pass already. Oh, and if he's an On Business member, you only need the username to retrieve the password, and the website tells you that it's "2 characters 6 digits"; what's the chance of that being the membership number printed on the boarding pass?

I wouldn't call this complete and utter bullshit yet. There are reasonable explanations for how this was accomplished.

Re:That story scares me.

[innot]

No, an airport is national territory. And by convention an airplane becomes part of the national territory the moments the doors open (with doors closed different regulations apply (Warsaw Convention, Montreal Convention))

Most International Airports have designated transit area for passengers transiting a country to save them from the hassle of immigration and emigration - Except for the US, where most international airports do not have real transit areas, thus requiring all transiting passengers to enter the US and leave it a few minutes later (wasting 2-3 hours for the whole process, no to mention the humiliating finger-printing and picture taking)

It seems to me, that the US officals think that everyone setting foot on US soil only wants to enter the country (as a potential terrorist).

I work at an airline and we used to have flights to the US with continuing services to other destinations in middle america and the caribbean.
We had to stop this because of the enourmous hassles our transit passengers had to endure on transit (including sometimes refusal of transit). We now go via Havanna, which has its own problems, but at least the passengers have no problems on the transit.