A Cautionary Security tale
#16
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,343
My shortened name is quite common, and I was the first person to register it with a popular email provider, so I frequently receive emails for people all around the world. When I was a teenager I did manage to cancel someone's flight and hotel; apparently they got a full refund to their card. I feel bad about that now, but maybe they learned a lesson.
I currently receive the monthly security rota for a small airport in Asia, the receipt of an American paying his car finance each month and confirmation of doctor's appointments for a Malaysian man who seems to have multiple ailments (which I know from merely reading the subject lines - I don't open the actual emails), amongst others, though most of them are automatically directed into my spam box. I can't be bothered to notify people any more, if there even is a way to reply to the emails, as my messages were mostly ignored.
#17
Join Date: Jan 2019
Posts: 204
Let's rewind for a second here. A boarding pass's purpose is to enable a passenger to be identified and boarded by the airline. As such, it has to contain specific information, both readable by humans and machines, and the contents are coded by IATA (for those airlines who are part of it). If you check out the riveting document that is IATA's Bar Coded Boarding Pass Implementation Guide, you'll see that a barcode can contain name, surname, PNR and e-ticket number of up to four flights (and more!) for a normal 2D barcode, and those can be read by a relatively cheap barcode scanner that you or I can buy on Amazon.
#18
Fontaine d'honneur du Flyertalk
Join Date: Jul 2001
Location: Morbihan, France
Programs: Reine des Muccis de Pucci; Foreign Elitist (according to others)
Posts: 19,167
Frankly my view is that of Tant pis for the Premier who was so slovenly and careless. Beware to the OP for coming on here and telling the world about what is no better than snooping and prying and which I would have done myself. The difference is that I would not have told FlyerTalk. Discretion is the better part of valour.
#21
Join Date: Dec 2007
Posts: 3,579
It's not just prems leaving their old boarding pass behind in rental cars, it's anyone who discards their boarding pass in seat pockets. It's anyone who posts a picture of their boarding pass on social media (it's even happened in this thread over the years). In years gone by it was people who put their home address on their suitcase label when travelling outbound on holiday. People need to be aware of their personal data and what they're throwing away or making available for perhaps less scrupulous people to find. I found a boarding pass in the seat pocket a few years ago when returning to the UK, left by the passenger on the outbound flight. I made a similar search of MMB when I got home and had the traveller's email address, mobile number and return travel date. Within 10/20 minutes of further searching I had the passenger's full UK home address and Facebook, which was completely unrestricted for all to see. All from legitimate web searching. I'm not the most tech savvy person, but if I could get all this information starting from an innocently discarded boarding pass, then what's a criminal going to do with it? People need to be more self aware of the information they're discarding and dispose of it securely.
#22
Moderator: British Airways Executive Club
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,243
I found a boarding pass in the seat pocket a few years ago when returning to the UK, left by the passenger on the outbound flight. I made a similar search of MMB when I got home and had the traveller's email address, mobile number and return travel date. Within 10/20 minutes of further searching I had the passenger's full UK home address and Facebook, which was completely unrestricted for all to see. All from legitimate web searching.
THIS IS NOT LEGITIMATE WEB SEARCHING.
PS. There is no ‘g’ in ‘discard’.
#23
Join Date: Dec 2007
Posts: 3,579
The point I was making being: if you don't want me or anyone else looking at your personal data, then don't leave it lying about to be found poking out from a seat-back pocket in the first place, and be aware how something like a boarding pass holds so much information. Clearly if it was a wallet or a purse then I would obviously hand that in, as that would be a misplaced item. I've generally got no time for litter droppers (I've been known to stuff McDonald's wrappers thrown from parked cars back through their windows in the past) and I consider anyone who places so little respect on their personal info that they feel it's OK to throw so much away in plain view for others to find as asking for trouble. It's not against the law to web search in the UK as far as I'm aware. Your opinion over what constitutes a legitimate web search is purely that. How you then use that information would definitely be up for scrutiny, however.
PS: Thanks for the spelling correction, much appreciated
Last edited by 1Aturnleft; Sep 10, 2021 at 9:42 pm
#24
FlyerTalk Evangelist
Join Date: Oct 1999
Location: Juneau, Alaska.
Programs: AS 75K;BA Silver;AA G;HH Dia;HY Glob
Posts: 15,797
It has been rather enlightening (or unenlightening) to read this thread and what has been done.
https://www.cps.gov.uk/legal-guidanc...ter-misuse-act
#25
Join Date: Dec 2007
Posts: 3,579
It has been rather enlightening (or unenlightening) to read this thread and what has been done.
https://www.cps.gov.uk/legal-guidanc...ter-misuse-act
On reflection indeed a learning curve for me!
#26
Join Date: May 2014
Posts: 7,218
I'm sure things get more complicated once one thinks through the whole thing, but letting the items that are on the BP be enough to let anyone view, or even modify, a booking, seems to me a complete security failure and a rather dumb idea.
Why does the name need to be on the BP at all? Is there anyone you need to show the BP pass to who would not be able to scan the BP to see the name registered if needed? Removing the full name from the BP would have prevented the OP, and most else, from doing what he did. Removing it would not make one iota of difference to the BP owner however, who one can normally expect to know his own name. Some minor inconvenience may be when multiple people (couple, family) travel together and BPs get mixed up unless they take care not to do that, but even that is only a possible problem if the group splits up, and is easily solved by not printing the full name on the BP, but just enough for the owners to be able to see which BP belongs to who.
#27
Moderator: British Airways Executive Club
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,243
?
I'm not the one spending time stalking people (pursuing with stealth)
Quite the opposite. The Computer Misuse Act (1990) provides protection by making it illegal for people to gain unauthorized access to computer material. The maximum penalty is imprisonment and/or a fine and that's just for accessing it (Section 1) never mind doing anything with the information.
The point I was making being: if you don't want me or anyone else looking at your personal data, then don't leave it lying about to be found poking out from a seat-back pocket in the first place, and be aware how something like a boarding pass holds so much information. It's not against the law to web search in the UK as far as I'm aware. Your opinion over what constitutes a legitimate web search is purely that.
#28
Join Date: Aug 2014
Location: UK
Programs: BAEC Gold, IHG Spire Ambassador
Posts: 42
Don't shoot the messenger
The bad guys are fully aware of the weaknesses in the systems we all use, and will take advantage if it suits their purpose. The general public may not be aware, so drawing attention to an issue is a public service. People who look out for security vulnerabilities and report them to the authorities are called white hats, and are welcomed by most companies and even rewarded with bounties.
Of course there have been some idiots that have invoked Computer Misuse Acts to try to punish upstanding citizens, but courts usually throw these cases out unless malice or material damage can be shown.
In the words of an (admittedly inane) UK travel security campaign "See it, say it, sort it!!"
Quite the opposite. The Computer Misuse Act (1990) provides protection by making it illegal for people to gain unauthorized access to computer material. The maximum penalty is imprisonment and/or a fine and that's just for accessing it (Section 1) never mind doing anything with the information.
#29
Join Date: Feb 2016
Programs: BAEC GGL
Posts: 843
Let's rewind for a second here. A Boarding Pass' purpose is to enable a passenger to be identified and boarded by the airline. As such, it has to contain specific information. Both readable by humans and machines, and the contents are coded by IATA (for those airlines who are part of it). If you check out the riveting document that is IATA's Bar Coded Boarding Pass Implementation Guide, you'll see that a barcode can contain name, surname, PNR and e-ticket number of up to four flights (and more!) for a normal 2D barcode, and those can be read by a relatively cheap barcode scanner that you or I can buy on Amazon.
- The name (on the basis that is convenient for the holder if travelling with companions)
- An opaque identifier which the airline's internal systems know how to translate into a PNR; this would be no use to someone without access to those systems
An alternative would be to not let people manage bookings with the PNR and name alone. I suspect that would be a larger and more complex change.
#30
Join Date: May 2014
Posts: 7,218
Just to be on the safe side, with regards to the barcodes, this is what IATA recommends (mandate is a strong word, IATA has no means of coercion at the end of the day) to be contained in the barcode as a minimum:
- Passenger Name
- Date of flight (DD/MMM)
- Marketing carrier
- Flight number (marketing carrier)
- Schedule Departure Time
- Cabin or Class of travel
- From City
- To City
- Seat number
- Ticket type identifier (paper or electronic)
- Terminal/Gate number
- Operated by
- Sequence number
- Booking reference
- E-ticket number
- Operating airline
- Agent type (e.g. Web)
- Gate close time
- Frequent flyer Tier and Number
- Remarks (e.g. wheelchair)
- Other travel information (e.g. where to drop a bag)
or
https://web.archive.org/web/20111107...P%20layout.pdf
Now, I would argue that there is a fundamental need from an airline operations point of view for having visibility of a passenger's name, flight numbers, e-ticket number and/or PNR. Name for the reason I mentioned above. Flight number because, well, you need to. PNR and/or e-ticket is needed especially for transfers and interlines. The IATCI mechanism for airline messaging is notoriously flaky; it's based on very old standards (EDIFACT if memory doesn't deceive me) and it will fail for a great many reasons, such as the receiving airline doing some work on the flight the passenger is transferring to, known bugs between departure control systems (Sabre-to-Amadeus is often messy) and I've even heard that abnormal solar activity causes problems, though I've never seen anyone actually proving it. I had lots of cases, back when I worked in the terminals and I happened to be at "Ready to
Again, let's rewind for a second and let's look at the chain of events that have led to this discussion of basically overhauling a worldwide system that is extremely difficult to overhaul:
1. The Prem on this flight has been particularly careless with his/her BP;
2. The rental car company has failed pretty spectacularly on their promise to clean the car between users
3. The OP has found the BP
4. The OP, rather than doing what's normal and discarding the BP, has decided to go tabloid journalist on the Prem
Frankly that seems to me to be a rather fringe case.
However, if we want to increase security around personal data, why doesn't BA introduce two-factor authentication on the Executive Club homepage, or send alerts when somebody connects from a non-trusted device, such as the OP's phone/laptop? Both are the industry standard for a number of applications, from Amazon to Facebook, and both are enormously easier/faster to implement than changing an entire industry (and let us not forget that IATA works by unanimous consent...)
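To make concrete what posts #17, #29 and #30 are arguing over, here is an added example (not code from the thread, IATA or any airline) that decodes the fixed-width mandatory items of an IATA BCBP "M"-format barcode string and then shows the mitigation #29 sketches: replacing the printed booking reference with an opaque token that only the airline can map back. The field widths follow the public BCBP implementation guide; the sample boarding-pass strings are constructed for the demonstration, the passenger and bookings are fictitious, and the HMAC-based token is a hypothetical illustration of "an opaque identifier", not an IATA mechanism.

```python
"""Decode the mandatory items of an IATA BCBP 'M' barcode string, and illustrate
an opaque booking reference. Example code added to the thread; all sample data
below is constructed, not taken from a real boarding pass."""
import hashlib
import hmac
from datetime import date, timedelta

# Fixed-width mandatory items of each flight leg, in layout order (name, width).
# Widths are the ones documented in the IATA BCBP implementation guide.
LEG_FIELDS = [
    ("pnr", 7),          # operating carrier PNR / booking reference
    ("from_city", 3),    # departure airport code
    ("to_city", 3),      # arrival airport code
    ("carrier", 3),      # operating carrier designator
    ("flight", 5),       # flight number
    ("julian_date", 3),  # day of the year; no year is encoded
    ("compartment", 1),  # cabin / class of travel
    ("seat", 4),         # seat number
    ("sequence", 5),     # check-in sequence number
    ("status", 1),       # passenger status
    ("cond_size", 2),    # hex length of the conditional block that follows
]


def parse_bcbp(data: str) -> dict:
    """Return the passenger name and one dict per leg from an 'M' format string.
    Raises ValueError on an unsupported format code or a truncated string."""
    if not data.startswith("M"):
        raise ValueError("only 'M' format boarding passes are supported")
    if len(data) < 23:
        raise ValueError("truncated: header shorter than 23 characters")
    legs_count = int(data[1])
    name = data[2:22].rstrip()          # 20-character name item, space padded
    electronic = data[22] == "E"        # electronic ticket indicator
    pos = 23
    legs = []
    for _ in range(legs_count):
        leg = {}
        for key, width in LEG_FIELDS:
            if len(data) < pos + width:
                raise ValueError(f"truncated: missing item {key}")
            leg[key] = data[pos:pos + width].strip()
            pos += width
        # Conditional items (frequent flyer number, bag tag, ...) follow as a
        # variable-size block whose length is given in hex by cond_size.
        cond_len = int(leg.pop("cond_size") or "0", 16)
        if len(data) < pos + cond_len:
            raise ValueError("truncated: conditional block shorter than declared")
        leg["conditional"] = data[pos:pos + cond_len]
        pos += cond_len
        legs.append(leg)
    return {"name": name, "electronic_ticket": electronic, "legs": legs}


def flight_date(julian: str, year: int) -> date:
    """Resolve the 3-digit day-of-year item against a caller-supplied year."""
    return date(year, 1, 1) + timedelta(days=int(julian) - 1)


def opaque_reference(pnr: str, carrier: str, secret: bytes) -> str:
    """Hypothetical replacement for the printed PNR: a keyed digest the airline
    derives from the real PNR and stores in a lookup table. A finder of the pass
    cannot turn it back into the PNR without the airline's secret and table."""
    mac = hmac.new(secret, f"{carrier}:{pnr}".encode(), hashlib.sha256)
    return mac.hexdigest()[:7].upper()   # same 7-character width as the PNR item


def build_leg(pnr, src, dst, carrier, flight, julian, cabin, seat, seq) -> str:
    """Assemble one mandatory leg block with the documented padding."""
    return (pnr.ljust(7) + src + dst + carrier.ljust(3) + flight.ljust(5)
            + julian + cabin + seat + seq.ljust(5) + "1" + "00")


# Constructed samples: a single-leg pass and a two-leg pass on the same PNR.
SAMPLE_ONE_LEG = ("M1" + "DOE/JANE".ljust(20) + "E"
                  + build_leg("XYZ789", "LHR", "JFK", "BA", "0117", "250", "J", "007A", "0045"))
SAMPLE_TWO_LEGS = ("M2" + "DOE/JANE".ljust(20) + "E"
                   + build_leg("XYZ789", "LHR", "JFK", "BA", "0117", "250", "J", "007A", "0045")
                   + build_leg("XYZ789", "JFK", "LAX", "AA", "0021", "251", "Y", "032C", "0120"))

if __name__ == "__main__":
    pass_info = parse_bcbp(SAMPLE_TWO_LEGS)
    print("name:", pass_info["name"])
    for leg in pass_info["legs"]:
        print(leg["carrier"], leg["flight"], leg["from_city"], "->", leg["to_city"],
              flight_date(leg["julian_date"], 2021), "PNR", leg["pnr"])
    print("opaque ref:", opaque_reference("XYZ789", "BA", b"airline-secret-placeholder"))
```

The parse result is the point of the example: name, booking reference, route, date and seat are all readable from the plain barcode with nothing more than the public layout, which is why the thread's "name plus PNR unlocks Manage My Booking" concern matters. The opaque token shows the shape of #29's alternative; it only helps if the airline's own systems, and not the web front end, hold the mapping back to the PNR.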