ID Theft by Boarding Pass - article

Old May 6, 2006 | 6:45 am
  #16  
 
Join Date: Sep 2005
Location: Lafayette, CO, USA
Programs: SPG Lifetime Plat, AA Gold, UA Gold, DL Silver, HH Gold, Vail Epic
Posts: 9,096
Originally Posted by adamak
But isn't that for future flights only (assume people pick up your BP after the flight)? Once the flight is done, PNR won't show anymore on CO.com. But even if it did, I thought you'll just get the flight info. Your passport / credit card is still locked. How can you get that w/o logging in?
It's been a while since I used this on CO.com, so I'm theorizing here...

Once the whole itinerary is done, that is probably true. But if you have a roundtrip ticket, the PNR is still active after the outbound flight.

I'm very careful not to leave my BP's behind. I also prefer luggage tags that must be opened to see my name. All of my luggage tags have my office address and my cell phone number rather than my home address and phone. When I travel, why would I want to advertise the location of my vacant home (any more than I already have to)?

Security within smaller government agencies is also a major concern. Around the time of the last presidential election, I contacted our state election commission to alert them of security holes in their system that allowed registered voters to look up their precinct information and view online ballot information. Most of the information was technically public record, but I still don't think that it should be so easily accessible. Of greatest concern, I could get to SSNs with some effort. Of lesser concern (though still very significant), I could get exact addresses for voters. (I quickly learned the addresses of several celebrities and politicians, and I could have had their SSNs with just a few more minutes of work. Their birthdates were most easily available on fan sites.)

An excerpt from my letter to the state election commission:
I am extremely concerned about security for the <name withheld>'s online ballot status page. 1) It is too easy for anyone to access the voter registration info for someone else. I am most concerned about this for people such as battered women who have left their husband. Once registered to vote at a new address, the husband can easily access her voter registration record that reveals her new address. 2) Once at an individual's main voter registration info page, the site allows the user to look for absentee ballot status information by entering the last four digits of their SSN, but there are several problems with this feature. The numbers are not masked when entered, so someone standing behind a user can see the numbers as they are entered. If the numbers are incorrect, then the system tells the user so. Unless there is a method in place to prevent multiple guesses for a user, then a simple program can be written to try each number until the correct one is found. Once a malicious hacker has these last four digits, it is not difficult to retrieve the rest of the SSN from other sources. This is a major risk for identity theft from anywhere in the world.
They contacted me immediately, and we conversed several times about the needed improvements. Unfortunately, they did not have the resources to address the issue until about 6 weeks after the election.

Last edited by sc flier; May 6, 2006 at 7:00 am
sc flier is offline  
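The missing control named in the letter above ("a method in place to prevent multiple guesses") can be sketched as a per-record attempt limiter. This is an added example, not part of the original post or the election site's code; the class name, record IDs, sample digits and policy values are all assumptions.

```python
import hmac
import time

MAX_ATTEMPTS = 5            # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout duration
KEYSPACE = 10_000           # four decimal digits: 0000-9999


class LastFourVerifier:
    """Checks a last-four-digits value with lockout keyed on the record."""

    def __init__(self, records, clock=time.monotonic):
        self._records = records   # record_id -> last four digits
        self._clock = clock
        self._state = {}          # record_id -> (failures, locked_until or None)

    def verify(self, record_id, guess):
        now = self._clock()
        failures, locked_until = self._state.get(record_id, (0, None))
        if locked_until is not None:
            if now < locked_until:
                return "locked"   # refuse even a correct value while locked
            failures = 0          # lockout expired, start counting again
        expected = self._records.get(record_id, "")
        # Constant-time comparison; an unknown record can never match.
        ok = bool(expected) and hmac.compare_digest(
            expected.encode(), guess.encode())
        if ok:
            self._state.pop(record_id, None)
            return "ok"
        failures += 1
        # The counter is tied to the record, not the client address, so
        # spreading guesses across many sources does not reset it.
        if failures >= MAX_ATTEMPTS:
            self._state[record_id] = (failures, now + LOCKOUT_SECONDS)
            return "locked"
        self._state[record_id] = (failures, None)
        return "denied"


def worst_case_days():
    """Days needed to try every value at the lockout-limited rate."""
    windows = KEYSPACE / MAX_ATTEMPTS
    return windows * LOCKOUT_SECONDS / 86_400
```

With these assumed values the full four-digit space is still exhausted in about three weeks, so a lockout only slows guessing; the small keyspace itself is the weakness.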
Old May 7, 2006 | 6:12 pm
  #17  
 
Join Date: Jun 2004
Location: DTW
Posts: 77
This article seems pretty poorly written to me. It takes a bunch of unrelated information and tries to imply that there is a relationship.

The article was a rant against US security measures (not that I agree with them) based on a security hole in the BA web site. Why didn't the article go into more detail about the BA web site problem? From what I can tell, a password is required.

I love the part that states "Using this information and surfing publicly available databases..." and then goes on to state "This is terrible," he said. "It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it."

Where is the relationship between data stored on publicly available databases and governments? Where is it proven that these databases exist because of governmental demands? These databases probably exist because of commercial rather than governmental demands.
rdraper is offline  
Old May 9, 2006 | 7:22 pm
  #18  
 
Join Date: Oct 2001
Location: Pennsylvania
Programs: UA Gold, Hyatt Explorist, IHG Platinum, Choice Privileges Gold
Posts: 2,088
Agree that this article is flawed. I can't say I like all that the government is doing by collecting so much info; however, there's no way you ought to be able to enter someone's account using just the info on a BP. If that's really true, BA is in the stone ages for computer security.
thelostshark is offline  