Get a boarding pass, steal someone's identity
Steven M. Bellovin
smb at cs.columbia.edu
Mon May 8 10:01:13 EDT 2006
On Sun, 07 May 2006 12:53:41 -0400, "Perry E. Metzger"
<perry at piermont.com> wrote:
>
> I got this pointer off of Paul Hoffman's blog. Basically, a reporter
> uses information on a discarded boarding pass to find out far too much
> about the person who threw it away....
>
> http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
>
> The story may be exaggerated but it feels quite real. Certainly I've
> found similar issues in the past.
>
> These days, I shred practically anything with my name on it before
> throwing it out. Perhaps I'm paranoid, but then again...
I read the article. What bothers me is the focus on CAPS II, Secure
Flight, and all the other US government-mandated initiatives. I saw
nothing in it that seemed in any way related to security. Every one of
those database entries could have been there -- and probably were there --
for the convenience of airline passengers. In particular, I'm referring
to the ability to check in online and print your own boarding pass. For
business travelers who use only carry-on baggage, it's a *major*
timesaver. I've been on flights where I had to wait 45-60 minutes (or
more) just to get my boarding pass, independent of any security screening.
Passport numbers? I've always had to present my passport when checking in
for an international flight; the difference now is that I see what's
happening. (Yes, US immigration is fussier about passport and customs
inspections than most other countries I've visited -- but in my personal
experience, that dates back to 1971. It's also less fussy about
emigration -- I remember having to listen to fundamentalist religious
preaching from an Australian emigration officer some years ago.)
The real point here is carelessness with access controls. *That's* what
we have to fight. It's certainly better if databases don't exist; as I
said, I think that these exist because of customer demand, not government
mandates.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list