Re: Get a boarding pass, steal someone's identity

2006-05-10 Thread John R. Black

Perhaps the worst security hole I know of is with United Airlines EasyCheckIn
machines at the airport: you swipe a credit card and it does a fuzzy match
to find flyers that day whose name is close to yours.

My name is John Black.  I often get a menu to choose from: "are you flying to 
Dulles?  To Frankfurt?  To Houston?"  That's because there are several John
Blacks flying that day from that airport.  It would be easy to mess with
other John Black reservations.

Worse, when I check in too early it can't find my reservation and comes up
with the closest thing: "Tanya Blockwell" came up recently in Indianapolis.
Once you pull up Tanya's itinerary, you have free rein over her travel plans:
you can change her seats, upgrade her (with her upgrade instruments), put
her on another flight, or cancel her reservation altogether.

I doubt United has any computer security people on their 65,000-person staff.
Not good.

john//
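The kiosk behaviour described in the post, modelled as an added example (this is not code from the post or from any airline): a lookup keyed on a fuzzy match of the cardholder's name hands out whichever reservations happen to be close, including a stranger's when the caller's own record is absent, whereas a lookup bound to a record-specific locator plus an exact name returns nothing for a near miss. The record locators, the Denver passenger and the similarity measure are all constructed assumptions; the post does not say how the real system matches names.

```python
"""Added example, not code from the mailing-list post or from any airline.
It models two reservation-lookup designs for a check-in kiosk: the fuzzy
name match the post describes, and a lookup bound to a record-specific
locator. All locators, the Denver passenger and the similarity measure
are constructed sample data / assumptions."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Reservation:
    locator: str      # record locator / confirmation code (constructed)
    passenger: str    # name as ticketed
    destination: str


# Constructed sample of one day's reservations at one airport.
SAMPLE_RESERVATIONS: List[Reservation] = [
    Reservation("ABC123", "John Black", "Dulles"),
    Reservation("DEF456", "John Black", "Frankfurt"),
    Reservation("GHI789", "John Black", "Houston"),
    Reservation("JKL012", "Tanya Blockwell", "Indianapolis"),
    Reservation("MNO345", "Maria Rodriguez", "Denver"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; stands in for whatever similarity measure
    the kiosk really uses, which the post does not specify."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def surname(name: str) -> str:
    return name.split()[-1].lower()


def fuzzy_lookup(card_name: str,
                 reservations: List[Reservation] = SAMPLE_RESERVATIONS) -> List[Reservation]:
    """The weak design: every reservation under the same name is offered as
    a menu, and when there is no exact match the nearest surname is offered
    instead. Nothing ties the result to the person at the kiosk, so the
    returned record may belong to a stranger."""
    exact = [r for r in reservations if r.passenger.lower() == card_name.lower()]
    if exact:
        return exact
    nearest = min(reservations,
                  key=lambda r: edit_distance(surname(card_name), surname(r.passenger)))
    return [nearest]


def bound_lookup(card_name: str, locator: str,
                 reservations: List[Reservation] = SAMPLE_RESERVATIONS) -> Optional[Reservation]:
    """The hardened design: the caller must present the locator of one
    specific reservation and the ticketed name must match it exactly.
    A near miss yields nothing rather than someone else's itinerary."""
    for r in reservations:
        if r.locator == locator.strip().upper() and r.passenger.lower() == card_name.lower():
            return r
    return None


def leaks_other_passengers(card_name: str,
                           reservations: List[Reservation] = SAMPLE_RESERVATIONS) -> bool:
    """True when the fuzzy lookup would expose a reservation whose ticketed
    name differs from the name on the card."""
    return any(r.passenger.lower() != card_name.lower()
               for r in fuzzy_lookup(card_name, reservations))


if __name__ == "__main__":
    print("menu for John Black:", [r.destination for r in fuzzy_lookup("John Black")])
    # Checking in 'too early': John Black's own record is not loaded yet.
    early = [r for r in SAMPLE_RESERVATIONS if r.passenger != "John Black"]
    print("no exact match, kiosk offers:", fuzzy_lookup("John Black", early)[0].passenger)
    print("bound lookup with a stranger's locator:", bound_lookup("John Black", "JKL012"))
    print("bound lookup by the real passenger:", bound_lookup("Tanya Blockwell", "JKL012"))
```

The design point is that a name is a public, non-unique attribute, so any lookup that selects a record by name alone (fuzzily or not) cannot tell two John Blacks apart, let alone keep a stranger's itinerary out of the menu; the locator is the only input in this model that identifies exactly one record and is not printed on the card.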

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Get a boarding pass, steal someone's identity

2006-05-10 Thread alex

> - Original Message -
> From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
> To: "Perry E. Metzger" <[EMAIL PROTECTED]>
> Subject: Re: Get a boarding pass, steal someone's identity
> Date: Mon, 8 May 2006 11:15:56 -0400
> 
> 
> On Mon, 08 May 2006 10:38:38 -0400, "Perry E. Metzger"
> <[EMAIL PROTECTED]> wrote:
> 
> >
> > The person who sent this asked that I forward it anonymously.
> >
> > From:
> > Subject: Re: Get a boarding pass, steal someone's identity
> > To: "Perry E. Metzger" <[EMAIL PROTECTED]>
> >
> > (If you want to post this, please make it anonymous.  Thanks.)
> >
> > Have you noticed that airline tickets are once again de-facto  
> > transferable?  If you print your own boarding pass at home, you 
> > can  digitally change the name on it before you print.  If you 
> > have no  bags to check, then the person who checks your ID at the 
> > security  checkpoint has no way to read the bar code, and the 
> > person who reads  the bar code at the gate does not check your ID.
> >
> This is hardly either news or sensitive.  Schneier described it in
> CRYPTOGRAM almost 3 years ago
> (http://www.schneier.com/crypto-gram-0308.html#6), as did Eric Rescorla
> (http://www.rtfm.com/movabletype/archives/2003_10.html#000546); it's also
> been in Slate (http://www.slate.com/id/2113157/fr/rss/).
> 
> 

What's even more hilarious is that the "random" body searches depend on a
code (my tickets use "SS") printed on the boarding pass.  To prevent
you from erasing the code via the Paint program or similar they make
you go to a kiosk to print it out.  But, if you fly regularly, you will
know that whenever they block you from printing a ticket via the web that
this indicates you will be body searched.  So take an old electronic ticket
(if you fly regularly) without the code, change the dates, etc., print it 
out and use it to get through security without a body search.

- Alex





Re: Get a boarding pass, steal someone's identity

2006-05-09 Thread Steven M. Bellovin

On Mon, 08 May 2006 10:38:38 -0400, "Perry E. Metzger"
<[EMAIL PROTECTED]> wrote:

> 
> The person who sent this asked that I forward it anonymously.
> 
> From:
> Subject: Re: Get a boarding pass, steal someone's identity
> To: "Perry E. Metzger" <[EMAIL PROTECTED]>
> 
> (If you want to post this, please make it anonymous.  Thanks.)
> 
> Have you noticed that airline tickets are once again de-facto  
> transferable?  If you print your own boarding pass at home, you can  
> digitally change the name on it before you print.  If you have no  
> bags to check, then the person who checks your ID at the security  
> checkpoint has no way to read the bar code, and the person who reads  
> the bar code at the gate does not check your ID.
> 
This is hardly either news or sensitive.  Schneier described it in
CRYPTOGRAM almost 3 years ago
(http://www.schneier.com/crypto-gram-0308.html#6), as did Eric Rescorla
(http://www.rtfm.com/movabletype/archives/2003_10.html#000546); it's also
been in Slate (http://www.slate.com/id/2113157/fr/rss/).  


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



Re: Get a boarding pass, steal someone's identity

2006-05-09 Thread John Levine

>Have you noticed that airline tickets are once again de-facto  
>transferable?  If you print your own boarding pass at home, you can  
>digitally change the name on it before you print.

Lots of us have noticed that, print one version for the person at
security with a name that matches the ID, print another version for
the person at the gate with a name that matches the reservation and
the bar code.

But actually, you don't even have to do that.  When I travel with my
wife and daughter, whose names are completely unlike mine, I always
put the boarding passes in a stack with one of theirs on top and hand
the person my ID.  I would say at least half the time they don't even
bother to look and see if one of the other passes has a name that
matches the ID.

R's,
John




Re: Get a boarding pass, steal someone's identity

2006-05-08 Thread Perry E. Metzger

The person who sent this asked that I forward it anonymously.

From:
Subject: Re: Get a boarding pass, steal someone's identity
To: "Perry E. Metzger" <[EMAIL PROTECTED]>

(If you want to post this, please make it anonymous.  Thanks.)

Have you noticed that airline tickets are once again de-facto  
transferable?  If you print your own boarding pass at home, you can  
digitally change the name on it before you print.  If you have no  
bags to check, then the person who checks your ID at the security  
checkpoint has no way to read the bar code, and the person who reads  
the bar code at the gate does not check your ID.




Re: Get a boarding pass, steal someone's identity

2006-05-08 Thread Steven M. Bellovin

On Sun, 07 May 2006 12:53:41 -0400, "Perry E. Metzger"
<[EMAIL PROTECTED]> wrote:

> 
> I got this pointer off of Paul Hoffman's blog. Basically, a reporter
> uses information on a discarded boarding pass to find out far too much
> about the person who threw it away
> 
>   http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
> 
> The story may be exaggerated but it feels quite real. Certainly I've
> found similar issues in the past.
> 
> These days, I shred practically anything with my name on it before
> throwing it out. Perhaps I'm paranoid, but then again...

I read the article.  What bothers me is the focus on CAPS II, Secure
Flight, and all the other US government-mandated initiatives.  I saw
nothing in it that seemed in any way related to security.  Every one of
those database entries could have been there -- and probably were there --
for the convenience of airline passengers.  In particular, I'm referring
to the ability to check in online and print your own boarding pass.  For
business travelers who use only carry-on baggage, it's a *major*
timesaver.  I've been on flights where I had to wait 45-60 minutes (or
more) just to get my boarding pass, independent of any security screening.
Passport numbers?  I've always had to present my passport when checking in
for an international flight; the difference now is that I see what's
happening.  (Yes, US immigration is fussier about passport and customs
inspections than most other countries I've visited -- but in my personal
experience, that dates back to 1971.  It's also less fussy about
emigration -- I remember having to listen to fundamentalist religious
preaching from an Australian emigration officer some years ago.)

The real point here is carelessness with access controls.  *That's* what
we have to fight.  It's certainly better if databases don't exist; as I
said, I think that these exist because of customer demand, not government
mandates.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



Re: Get a boarding pass, steal someone's identity

2006-05-08 Thread leichter_jerrold

| I got this pointer off of Paul Hoffman's blog. Basically, a reporter
| uses information on a discarded boarding pass to find out far too much
| about the person who threw it away
| 
|   http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
| 
| The story may be exaggerated but it feels quite real. Certainly I've
| found similar issues in the past.
| 
| These days, I shred practically anything with my name on it before
| throwing it out. Perhaps I'm paranoid, but then again...
I've actually gone in the opposite direction:  I shred less than I used
to.  Grabbing this kind of information off stray pieces of paper in a
garbage can is buying retail.  It's so much easier these days to buy
wholesale, stealing hundreds of thousands to tens of millions of on-line
records in one shot.

It would be useful to get some idea of the chances one takes in throwing
identifying material out.  Everything in security is cost vs. benefit,
and the cost of shredding, while it appears low on a single-item basis,
adds up in annoyance.  And all too many of the companies I deal with
seem to make it ever harder.  Just yesterday, I threw out a couple of
letters having to do with incidental matters (e.g., an incorrect charge)
from a credit card provider.  Every one of them had my full card number
on it.  Some of them looked like the routine junk you get every month
and don't even look at twice before discarding.

Meanwhile, my statements contain my credit card number, in small but
easily readable numbers, *vertically* on the page - next to what appears
to be a bar code with the same information.  Even a cross-cut shredder
probably isn't sufficient to render that unreadable.

The entire infrastructure we've built based on shared pseudo-secrets
is one of the walking dead.  For credit cards, the responsibility for
loss is on the card companies, where it belongs - and I let it stay
there.  I take basic reasonable care, but I'm unwilling to go any
further, since it can't possibly help me and I'm paying indirectly for
all the costs the credit card companies assume anyway (since they push
them off on the vendors, who then raise their prices).  As far as
identity theft as a general issue:  What little evidence there is as to
the way the identity thieves work today implies that nothing I'm likely
to do - absent obvious dumb moves - will change my odds of being
successfully hit by very much.
-- Jerry




Re: Get a boarding pass, steal someone's identity

2006-05-07 Thread John Levine

>  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
>
>The story may be exaggerated but it feels quite real. Certainly I've
>found similar issues in the past.

It sounds real to me, with an airline whose security is slightly but
not greatly worse than typical.  

I buy a lot of online tickets in the US and I believe that although I
can enter whatever frequent flyer number I want when I buy a ticket, I
always have to provide a PIN to get access to any history or account
info.  But I don't lose my PINs (being a bad user I use the same PIN
many places) so I haven't looked to see how hard it would be to fake
out the various password recovery schemes.

R's,
John




Get a boarding pass, steal someone's identity

2006-05-07 Thread Perry E. Metzger

I got this pointer off of Paul Hoffman's blog. Basically, a reporter
uses information on a discarded boarding pass to find out far too much
about the person who threw it away

  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

The story may be exaggerated but it feels quite real. Certainly I've
found similar issues in the past.

These days, I shred practically anything with my name on it before
throwing it out. Perhaps I'm paranoid, but then again...

-- 
Perry E. Metzger    [EMAIL PROTECTED]
