Get a boarding pass, steal someone's identity

Steven M. Bellovin smb at cs.columbia.edu
Mon May 8 10:01:13 EDT 2006 

On Sun, 07 May 2006 12:53:41 -0400, "Perry E. Metzger"
<perry at piermont.com> wrote:

> 
> I got this pointer off of Paul Hoffman's blog. Basically, a reporter
> uses information on a discarded boarding pass to find out far too much
> about the person who threw it away....
> 
>   http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
> 
> The story may be exaggerated but it feels quite real. Certainly I've
> found similar issues in the past.
> 
> These days, I shred practically anything with my name on it before
> throwing it out. Perhaps I'm paranoid, but then again...

I read the article.  What bothers me is the focus on CAPS II, Secure
Flight, and all the other US government-mandated initiatives.  I saw
nothing in it that seemed in any way related to security.  Every one of
those database entries could have been there -- and probably were there --
for the convenience of airline passengers.  In particular, I'm referring
to the ability to check in online and print your own boarding pass.  For
business travelers who use only carry-on baggage, it's a *major*
timesaver.  I've been on flights where I had to wait 45-60 minutes (or
more) just to get my boarding pass, independent of any security screening.
Passport numbers?  I've always had to present my passport when checking in
for an international flight; the difference now is that I see what's
happening.  (Yes, US immigration is fussier about passport and customs
inspections than most other countries I've visited -- but in my personal
experience, that dates back to 1971.  It's also less fussy about
emigration -- I remember having to listen to fundamentalist religious
preaching from an Australian emigration officer some years ago.)

The real point here is carelessness with access controls.  *That's* what
we have to fight.  It's certainly better if databases don't exist; as I
said, I think that these exist because of customer demand, not government
mandates.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list