A Cautionary Security tale

Old Sep 10, 2021, 2:28 pm
  #16  
:D!
 
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,343
My shortened name is quite common, and I was the first person to register it with a popular email provider, so I frequently receive emails for people all around the world. When I was a teenager I did manage to cancel someone's flight and hotel; apparently they got a full refund to their card. I feel bad about that now, but maybe they learned a lesson.

I currently receive the monthly security rota for a small airport in Asia, the receipt of an American paying his car finance each month and confirmation of doctor's appointments for a Malaysian man who seems to have multiple ailments (which I know from merely reading the subject lines - I don't open the actual emails), amongst others, though most of them are automatically directed into my spam box. I can't be bothered to notify people any more, if there even is a way to reply to the emails, as my messages were mostly ignored.
:D! is offline  
Old Sep 10, 2021, 2:41 pm
  #17  
 
Join Date: Jan 2019
Posts: 204
Originally Posted by 13901
Let's rewind for a second here. A Boarding Pass' purpose is to enable a passenger to be identified and boarded by the airline. As such, it has to contain specific information. Both readable by humans and machines, and the contents are coded by IATA (for those airlines who are part of it). If you check out the riveting document that is IATA's Bar Coded Boarding Pass Implementation Guide, you'll see that a barcode can contain name, surname, PNR and e-ticket number of up to four flights (and more!) for a normal 2D barcode, and those can be read by a relatively cheap barcode scanner that you or I can buy on Amazon.
I'm sure things get more complicated once one thinks through the whole thing, but letting the items that are on the BP be enough to let anyone view, or even modify, a booking, seems to me a complete security failure and a rather dumb idea.

Why does the name need to be on the BP at all? Is there anyone you need to show the BP to who would not be able to scan the BP to see the name registered if needed? Removing the full name from the BP would have prevented the OP, and most else, from doing what he did. Removing it would not make one iota of difference to the BP owner however, who one can normally expect to know his own name. Some minor inconvenience may be when multiple people (couple, family) travel together and BPs get mixed up unless they take care not to do that, but even that is only a possible problem if the group splits up, and is easily solved by not printing the full name on the BP, but just enough for the owners to be able to see which BP belongs to whom.
eqeqeqx is offline  
Old Sep 10, 2021, 4:24 pm
  #18  
Fontaine d'honneur du Flyertalk
 
Join Date: Jul 2001
Location: Morbihan, France
Programs: Reine des Muccis de Pucci; Foreign Elitist (according to others)
Posts: 19,167
Frankly my view is that of Tant pis for the Premier who was so slovenly and careless. Beware to the OP for coming on here and telling the world about what is no better than snooping and prying and which I would have done myself. The difference is that I would not have told FlyerTalk. Discretion is the better part of valour.
PUCCI GALORE is offline  
Old Sep 10, 2021, 4:44 pm
  #19  
 
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,412
A blue or non-exec member in First eating McDonald’s is often far more interesting or colourful than any Prem or daddy’s-money-privileged-flyer soul!
rockflyertalk is offline  
Old Sep 10, 2021, 4:54 pm
  #20  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,600
Posh won't be happy...
NoY and Bohinjska Bistrica like this.
DYKWIA is offline  
Old Sep 10, 2021, 7:04 pm
  #21  
 
Join Date: Dec 2007
Posts: 3,579
It's not just prems leaving their old boarding pass behind in rental cars, it's anyone who disgards their boarding pass in seat pockets. It's anyone who posts a picture of their boarding pass on social media (it's even happened in this thread over the years). In years gone by it was people who put their home address on their suitcase label when travelling outbound on holiday. People need to be aware of their personal data and what they're throwing away or making available for perhaps less scrupulous people to find. I found a boarding pass in the seat pocket a few years ago when returning to the UK, left by the passenger on the outbound flight. I made a similar search of MMB when I got home and had the traveller's email address, mobile number and return travel date. Within 10/20 minutes of further searching I had the passenger's full UK home address and Facebook, which was completely unrestricted for all to see. All from legitimate web searching. I'm not the most tech savvy person, but if I could get all this information starting from an innocently disgarded boarding pass, then what's a criminal going to do with it? People need to be more self aware of the information they're disgarding and dispose of it securely.
not2017, Streams and plunet like this.
1Aturnleft is offline  
Old Sep 10, 2021, 8:22 pm
  #22  
Moderator: British Airways Executive Club
 
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,243
Originally Posted by 1Aturnleft
I found a boarding pass in the seat pocket a few years ago when returning to the UK, left by the passenger on the outbound flight. I made a similar search of MMB when I got home and had the traveller's email address, mobile number and return travel date. Within 10/20 minutes of further searching I had the passenger's full UK home address and Facebook, which was completely unrestricted for all to see. All from legitimate web searching.
Seriously, who are you people who do this?
THIS IS NOT LEGITIMATE WEB SEARCHING.

PS. There is no ‘g’ in ‘discard’.
GGL Flyer and RetiredATLATC like this.
golfmad is offline  
Old Sep 10, 2021, 9:09 pm
  #23  
 
Join Date: Dec 2007
Posts: 3,579
Originally Posted by golfmad
Seriously, who are you people who do this?
THIS IS NOT LEGITIMATE WEB SEARCHING.

PS. There is no ‘g’ in ‘discard’.
Clearly someone with too much time on their hands!!!

The point I was making being if you don't want me or anyone else looking at your personal data then don't leave it lying about to be found poking out from a seat-back pocket in the first place, and be aware how something like a boarding pass holds so much information. Clearly if it was a wallet or a purse then I would obviously hand that in as that would be a misplaced item. I've generally got no time for litter droppers (I've been known to stuff McDonald's wrappers thrown from parked cars back through their windows in the past) and I constitute anyone who places so little respect on their personal info that they feel it's ok to throw so much away in plain view for others to find as asking for trouble. It's not against the law to web search in the UK as far as I'm aware. Your opinion over what constitutes a legitimate web search is purely that. How you then use that information would definitely be up for scrutiny however.

PS: Thanks for the spelling correction, much appreciated
not2017 and bozacksmith like this.

Last edited by 1Aturnleft; Sep 10, 2021 at 9:42 pm
1Aturnleft is offline  
Old Sep 10, 2021, 9:35 pm
  #24  
FlyerTalk Evangelist
 
Join Date: Oct 1999
Location: Juneau, Alaska.
Programs: AS 75K;BA Silver;AA G;HH Dia;HY Glob
Posts: 15,797
It has been rather enlightening (or unenlightening) to read this thread and what has been done.
https://www.cps.gov.uk/legal-guidanc...ter-misuse-act
1Aturnleft and PGberkshire like this.
jerry a. laska is offline  
Old Sep 10, 2021, 9:43 pm
  #25  
 
Join Date: Dec 2007
Posts: 3,579
Originally Posted by jerry a. laska
It has been rather enlightening (or unenlightening) to read this thread and what has been done.
https://www.cps.gov.uk/legal-guidanc...ter-misuse-act
And what hasn't been done.
On reflection indeed a learning curve for me!
1Aturnleft is offline  
Old Sep 10, 2021, 10:02 pm
  #26  
 
Join Date: May 2014
Posts: 7,218
Originally Posted by eqeqeqx
I'm sure things get more complicated once one thinks through the whole thing, but letting the items that are on the BP be enough to let anyone view, or even modify, a booking, seems to me a complete security failure and a rather dumb idea.

Why does the name need to be on the BP at all? Is there anyone you need to show the BP pass to who would not be able to scan the BP to see the name registered if needed? Removing the full name from the BP would have prevented the OP, and most else, from doing what he did. Removing it would not make one iota of difference to the BP owner however, who one can normally expect to know his own name. Some minor inconvenience may be when multiple people (couple, family) travel together and BPs get mixed up unless they take care not to do that, but even that is only a possible problem if the group splits up, and is easily solved by not printing the full name on the BP, but just enough for the owners to be able to see which BP belongs to who.
The name is there to be cross-checked with the passport records in the event of an offline boarding. In many locations this isn't just a BCP, it's the actual way to do it (certain gates in Lima for instance).
13901 is offline  
Old Sep 10, 2021, 10:11 pm
  #27  
Moderator: British Airways Executive Club
 
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,243
Originally Posted by 1Aturnleft
Clearly someone with too much time on their hands!!!
?
I'm not the one spending time stalking people (pursuing with stealth)

Originally Posted by 1Aturnleft
The point I was making being if you don't want me or anyone else looking at your personal data then don't leave it laying about to be found poking out from a seat-back pocket in the first place and be aware how something like a boarding pass holds so much information. It's not against the law to web search in the UK as far as I'm aware. Your opinion over what constitutes a legitimate web search is purely that.
Quite the opposite. The Computer Misuse Act (1990) provides protection by making it illegal for people to gain unauthorized access to computer material. The maximum penalty is imprisonment and/or a fine and that's just for accessing it (Section 1) never mind doing anything with the information.
plunet likes this.
golfmad is offline  
Old Sep 11, 2021, 1:15 am
  #28  
 
Join Date: Aug 2014
Location: UK
Programs: BAEC Gold, IHG Spire Ambassador
Posts: 42
Don't shoot the messenger

Originally Posted by golfmad
I'm not the one spending time stalking people (pursuing with stealth)
The bad guys are fully aware of the weaknesses in the systems we all use, and will take advantage if it suits their purpose. The general public may not be aware, so drawing attention to an issue is a public service. People who look out for security vulnerabilities and report them to the authorities are called White Hats, and are welcomed by most companies and even rewarded with bounties.

Quite the opposite. The Computer Misuse Act (1990) provides protection by making it illegal for people to gain unauthorized access to computer material. The maximum penalty is imprisonment and/or a fine and that's just for accessing it (Section 1) never mind doing anything with the information.
Of course there have been some idiots that have invoked Computer Misuse Acts to try to punish upstanding citizens, but courts usually throw these cases out unless malice or material damage can be shown.

In the words of an (admittedly inane) UK travel security campaign "See it, say it, sort it!!"
bozacksmith likes this.
Aliksander is offline  
Old Sep 11, 2021, 2:46 am
  #29  
 
Join Date: Feb 2016
Programs: BAEC GGL
Posts: 843
Originally Posted by 13901
Let's rewind for a second here. A Boarding Pass' purpose is to enable a passenger to be identified and boarded by the airline. As such, it has to contain specific information. Both readable by humans and machines, and the contents are coded by IATA (for those airlines who are part of it). If you check out the riveting document that is IATA's Bar Coded Boarding Pass Implementation Guide, you'll see that a barcode can contain name, surname, PNR and e-ticket number of up to four flights (and more!) for a normal 2D barcode, and those can be read by a relatively cheap barcode scanner that you or I can buy on Amazon.
That's a bit of a circular argument. For instance, the BP could contain:
  • The name (on the basis that it is convenient for the holder if travelling with companions)
  • An opaque identifier which the airline's internal systems know how to translate into a PNR; this would be no use to someone without access to those systems
What you are saying is that IATA mandates that the BP contains the PNR. I'm sure it does. But that sounds like a defect in the IATA specification.

An alternative would be to not let people manage bookings with the PNR and name alone. I suspect that would be a larger and more complex change.
abligh is offline  
Old Sep 11, 2021, 3:18 am
  #30  
 
Join Date: May 2014
Posts: 7,218
Originally Posted by abligh
What you are saying is that IATA mandates that the BP contains the PNR. I'm sure it does.
I haven't said that, I think. I wrote that some sort of personal identifiers (name) are needed on the BP to enable the boarding pass to do its job, i.e. boarding passengers. Airlines need to have means to prove that Mr Joe Bloggs is indeed Mr Joe Bloggs and that's including not just the departing airline, but connecting carriers too.

Just to be on the safe side, with regards to the barcodes, this is what IATA recommends (mandate is a strong word, IATA has no means of coercion at the end of the day) to be contained in the barcode as a minimum:

  • Passenger Name
  • Date of flight (DD/MMM)
  • Marketing carrier
  • Flight number (marketing carrier)
  • Schedule Departure Time
  • Cabin or Class of travel
  • From City
  • To City
  • Seat number
  • Ticket type identifier (paper or electronic)
  • Terminal/Gate number
  • Operated by
And this is what is optional:

  • Sequence number
  • Booking reference
  • E-ticket number
  • Operating airline
  • Agent type (e.g. Web)
  • Gate close time
  • Frequent flyer Tier and Number
  • Remarks (e.g. wheelchair)
  • Other travel information (e.g. where to drop a bag)
These are two recommended layouts for BPs (the two layout images are not reproduced here):

https://web.archive.org/web/20111107...P%20layout.pdf

Now, I would argue that there is a fundamental need from an airline operations point of view for having visibility of a passenger's name, flight numbers, e-ticket number and/or PNR. Name for the reason I mentioned above. Flight number because, well, you need to. PNR and/or e-ticket is needed especially for transfers and interlines. The IATCI mechanism for airline messaging is notoriously flaky; it's based on very old standards (EDIFACT if memory doesn't deceive me) and it will fail for a great many reasons, such as the receiving airline doing some work on the flight the passenger is transferring to, known bugs between departure control systems (Sabre-to-Amadeus is often messy) and I've even heard that abnormal solar activity causes problems, though I've never seen anyone actually proving it. I had lots of cases, back when I worked in the terminals and I happened to be at "Ready to Die Fly", of people arriving at the desk with AA-stock papers and no trace of them whatsoever in BA's. Back in the PRS days about 10% of IATCI had some errors; with 1A for BA the numbers have fallen but I think they're still high-ish. An AA-specific PNR cover doesn't work. You must then have a translation key, and that translation key must be transmitted/available to the other airline (or airlines), and if one airline can see it then any weekend hacker with an app can do the same too.

Again, let's rewind for a second and let's look at the chain of events that have led to this discussion of basically re-hauling a worldwide system that is extremely difficult to re-haul:
1. The Prem on this flight has been particularly careless with his/her BP;
2. The rental car company has failed pretty spectacularly on their promise to clean the car between users
3. The OP has found the BP
4. The OP, rather than doing what's normal and discarding the BP, has decided to go tabloid journalist on the Prem

Frankly that seems to me to be a rather fringe case.

However, if we want to increase security around personal data, why doesn't BA introduce two-factor authentication in the Executive Club homepage, or send alerts when somebody connects from a non-trusted device, such as the OP's phone/laptop? Both are the industry standard for a number of applications, from Amazon to Facebook, and both are enormously easier/faster to implement rather than changing an entire industry (and let us not forget that IATA works by unanimous consent...)
13901 is offline  
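As an added illustration (not code from anyone in this thread or from IATA): a small Python decoder for the mandatory block of a BCBP "M" barcode string, showing which of the items discussed above a discarded or photographed pass hands to whoever scans it. The field order and widths are the publicly documented BCBP layout as I recall it and are an assumption here; the sample pass, passenger, PNR and flight are constructed.

```python
from datetime import date, timedelta

# Fixed-width mandatory items of the first flight leg in a BCBP "M" string.
# Order and widths follow the publicly documented BCBP layout (assumed here).
MANDATORY_LAYOUT = [
    ("format_code", 1),           # 'M' for the current multi-leg format
    ("legs_encoded", 1),          # number of flight legs present
    ("passenger_name", 20),       # SURNAME/GIVEN, space-padded
    ("eticket_indicator", 1),     # 'E' for an electronic ticket
    ("pnr", 7),                   # operating carrier booking reference
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),           # day of year, 001..366; no year encoded
    ("compartment", 1),           # cabin / class code
    ("seat", 4),
    ("sequence_number", 5),       # check-in sequence number
    ("passenger_status", 1),
    ("conditional_size_hex", 2),  # length of the following optional block
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_LAYOUT)  # 60 characters

def parse_bcbp(data: str) -> dict:
    """Decode the mandatory first-leg block; raise ValueError if malformed."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not a BCBP 'M' string or truncated")
    fields, pos = {}, 0
    for name, width in MANDATORY_LAYOUT:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    # Optional items (booking reference repeats, frequent-flyer number, ...)
    # live in a variable block whose size is given in hex; kept raw here.
    cond_len = int(fields["conditional_size_hex"] or "0", 16)
    fields["conditional_data"] = data[pos:pos + cond_len]
    return fields

def flight_date(julian_day: str, year: int) -> date:
    """The barcode carries only the day of year; the year must be supplied."""
    return date(year, 1, 1) + timedelta(days=int(julian_day) - 1)

def mmb_exposure(fields: dict) -> list[str]:
    """Items that, per the thread, are enough to open Manage My Booking."""
    return [k for k in ("passenger_name", "pnr") if fields.get(k)]

# Constructed sample (fictitious passenger, PNR and flight), 60 characters.
SAMPLE = (
    "M1" + "BLOGGS/JOE".ljust(20) + "E" + "ABC123".ljust(7) + "LHR" + "JFK"
    + "BA".ljust(3) + "0117".ljust(5) + "253" + "Y" + "012A"
    + "0001".ljust(5) + "1" + "00"
)
```

Running `mmb_exposure(parse_bcbp(SAMPLE))` lists both the name and the PNR, which is the pair the thread identifies as sufficient for MMB; day 253 of 2021 decodes to 10 September.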