Get a boarding pass, steal someone's identity

John R. Black John.Black at Colorado.EDU
Wed May 10 11:58:07 EDT 2006


Perhaps the worst security hole I know of is with United Airlines EasyCheckIn
machines at the airport: you swipe a credit card and it does a fuzzy match
to find flyers that day whose name is close to yours.

My name is John Black.  I often get a menu to choose from: "are you flying to 
Dulles?  To Frankfurt?  To Houston?"  That's because there are several John
Blacks flying that day from that airport.  It would be easy to mess with
other John Black reservations.

Worse, when I check in too early it can't find my reservation and comes up
with the closest thing: "Tanya Blockwell" came up recently in Indianapolis.
Once you pull up Tanya's itinerary, you have free rein over her travel plans:
you can change her seats, upgrade her (with her upgrade instruments), put
her on another flight, or cancel her reservation altogether.

I doubt United has any computer security people on their 65,000-person staff.
Not good.

john//

---------------------------------------------------------------------
The Cryptography Mailing List
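
The design flaw described in the message above, as an added example that is not part of the original post and is not United's code: a lookup where name similarity alone releases a booking, beside one that requires an exact match on a secret bound to the booking. The matching algorithm, the cutoff, the card fingerprint, the confirmation code and the destination given for the third booking are all assumptions made for illustration.

```python
import difflib

# Constructed sample data. Names come from the post; card fingerprints,
# confirmation codes and the third destination are hypothetical placeholders.
BOOKINGS = [
    {"name": "JOHN BLACK", "dest": "Dulles", "card_fp": "fp-A", "code": "AAA111"},
    {"name": "JOHN BLACK", "dest": "Frankfurt", "card_fp": "fp-B", "code": "BBB222"},
    {"name": "TANYA BLOCKWELL", "dest": "Elsewhere", "card_fp": "fp-C", "code": "CCC333"},
]

def similarity(a, b):
    """Case-insensitive similarity ratio between two names (0.0 to 1.0)."""
    return difflib.SequenceMatcher(None, a.upper(), b.upper()).ratio()

def fuzzy_lookup(card_name, open_bookings, cutoff=0.4):
    """Weak design (assumed model of the behaviour in the post): the closest
    name wins, and whoever swiped gets control of every booking returned."""
    scored = [(similarity(card_name, b["name"]), b) for b in open_bookings]
    best = max((s for s, _ in scored), default=0.0)
    return [b for s, b in scored if s == best and s >= cutoff]

def bound_lookup(card_fp, code, open_bookings):
    """Hardened: a booking is released only on an exact match of a secret
    bound to it (paying-card fingerprint or confirmation code). The name is
    never an authenticator and there is no 'closest match' fallback."""
    return [b for b in open_bookings
            if b["card_fp"] == card_fp
            or (code is not None and b["code"] == code)]

def destinations(bookings):
    """Destinations of the given bookings, in order."""
    return [b["dest"] for b in bookings]

if __name__ == "__main__":
    too_early = BOOKINGS[2:]  # only the third booking is open for check-in
    print("fuzzy, all open: ", destinations(fuzzy_lookup("John Black", BOOKINGS)))
    print("fuzzy, too early:", [b["name"] for b in fuzzy_lookup("John Black", too_early)])
    print("bound, all open: ", destinations(bound_lookup("fp-A", None, BOOKINGS)))
    print("bound, too early:", destinations(bound_lookup("fp-A", None, too_early)))
```
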