Schneier on Security
A blog covering security and security technology.
« The Ultimate Terrorist Threat: Flying Robot Drones |
| When "Off" Doesn't Mean Off »
May 9, 2006
Security Risks of Airline Passenger Data
Reporter finds an old British Airways boarding pass, and proceeds to use it to find everything else about the person:
We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)
Notice the economic pressures:
"The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return," says Laurie. "Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors."
Posted on May 9, 2006 at 1:17 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm not surprised. Last time I flew, my entire credit card number _and_ expiration date was on my boarding card...
I have no brief to defend TSA, CAPPS, Secure Flight, or any of the rest of our newly-emergent surveillance society.
I note, however, that much of the hyperventilating in this article is kind of silly. The sensitive information divulged about Mr. Broer -- his passport number -- was not used to obtain all that other personal information about him from the "publicly available databases" queried to spice up the article. All that stuff about where he lives, where he works etc. was available anyway, irrespective of BA's leaky passenger databases.
I'm guessing the real payload of the article is the stuff about the UK National ID at the end, which the Guardian would like to shoot down. As laudable an objective as that might be, their credibility doesn't benefit from lacing their stories with cheap, manufactured horror thrills.
In the US, the reporter would now be arrested for illegally breaking into the airline's computer system.
so who is the winner of the April plot contest ?
I'm very interested in what do you think about this: [soft targets]
Terrorism's Soft Targets
By Clark Kent Ervin
Sunday, May 7, 2006; B04
The good news stops there. The bad news is that the hardening of these targets has increased the appeal of shopping malls, sports arenas, hotels, restaurants, bars, nightclubs, movie theaters, housing complexes and other "soft" targets that remain relatively unprotected against terrorist attacks.
The upshot is a deadly double irony. The very fact that there hasn't been an attack on a soft target in the United States increases the danger of one. And, the harder we harden hard targets, the more likely an attack on a soft target becomes.
Clark Kent Ervin is director of the Homeland Security Initiative at the Aspen Institute and former inspector general of the Department of Homeland Security. Excerpted from "Open Target: Where America is Vulnerable to Attack" (Palgrave Macmillan).
The hyperventalating is ridiculous. the first problem is BA's stupid handling of frequent flyer info: you should require a password to log in. I know American does.
Externalities strike again!
On most sites your need to type in a PIN which accuired by signup to make use of the frequent flyer account. I looked on google and indeed a few boarding passes show the frequent flyer number on it. And with some luck "in this case just luck" the reporter was able to get into the account. Yeah, very stupid.
I hate to say it, maybe I am not seeing the obivious, but...
What difference does it make?
"...a few boarding passes show the frequent flyer number on it."
I think most of them do. Off the top of my head, I can remember that AA, NW, UA, AK all show the frequent flier number on the boarding pass.
The ones i looked up with google image source.
most i found did not have them on it, or showed just a few chars of it. Total i could find 2 on 44 pageresults. Or else i looked the wrong way.
"I have no brief to defend TSA, CAPPS, Secure Flight, or any of the rest of our newly-emergent surveillance society."
Same with me. While I strongly oppose the collection and storage of passenger information by the US government, private companies are collecting lots of data without being forced to by government, and they are and should be held responsible for the security and privacy of the data they are storing. This is mandated very clearly in European privacy laws. They just need to be enforced.
Well, clearly if there weren't wide-open trash bins/cans laying around in the airport then passengers wouldn't be tossing sensitive data into them for reporters to turn into a story.
Should passengers know that their "club" numbers are sensitive, or is it reasonable to expect public trash bins to be secure? Either way one would think the UK, of all places, would have banned unattended trash bins in airports by now.
If you can't reduce the threat adequately, remove the vulnerability, right?
Oh, I guess it was a "dustbin on the Heathrow Express to Paddington station".
If they can't/won't remove the dustbins, for whatever reason, then they could at least be made uni-directional -- people could throw things into them, but they couldn't pull things back out. Reminds me of post-office boxes. Would it be news if a reporter stuck his hand into a post-box and pulled out credit card numbers and other sensitive data?
Not to distract from the issue of securing personal information at the back-end, but I see some rather big issues with the front as well that are still part of the equation.
A few days ago I registered info online for a cruise I'd previously booked. Passengers are required to do this two weeks pior to boarding (although they can also fill it in on paper and fax it). I just went back to the registration site and knowing the name of another passenger and guessing their ticket number (most of the 8 digit number was the same as mine) I was able to pull their passport number. My guess is that once I'm onboad and I get to know the names of other passengers I'd be able to pull all their passport numbers. I'm so not amused.
Someone armed with the used ticket, which I imagine many will casually trash, would get the personal information very easily.
I think that removing bins from airports would create a whole new problem--one of waste. Where food is served, there must be rubbish bins in which to put that refuse. I think it rather reasonable to have these unattended bins.
As for your suggestion that the bins be made "one-way" such that trash can be dropped inside and not taken out--excusing the impracticality of doing so considering the wide size range of refuse (versus something flat like mail)--that trash ultimately must end up somewhere, be it taken to an external landfill or elsewhere. It is unlikely that the airports would go to the extent to implement a total-content-destroying system for its trash as it would be impractical and cost prohibitive, when it would be far easier to either
1) ignore the problem, or
2) ask the airlines to simply not print unnecessary information onto tickets, or
3) ask that they secure the information, requiring at very least a password to access the database.
Although the context of the airport makes digging through the trash for these stubs more productive than looking for ticket stubs in, say, a curbside refuse bin at a residence, removing the bins only hides the problem; the discarded ticket nonetheless could be "stolen" from the residence refuse or landfill--if one were so inclined to dig for these things--and used just the same, albeit requiring a bit more digging and luck. The problem isn't the openess of the bins located at the airports; it's the amount of information printed onto them and the ease of accessing further information. That there are refuse bins and these tickets are tossed into them seems the lesser of the issues here.
Yes, dumpster diving is still an effective tool for uncovering sensitive information. In this case, it seems cheaper to convince passengers that their "club" numbers are sensitive than it does to secure every bin in and around the airport.
When I visited London, the Heathrow Express and Paddington station, I noticed that there was not a single trashcan to be found anywhere. Locals told me this was a result of IRA bombings, not sure if that's true.
Well, while I might agree with you on the current state of things (e.g. that many westerners are accustomed to having a handy bin for their excessively wasteful habits and shouldn't be expected to just stop leaving their trash all over the place) this IS England we're talking about here. I don't know if you're familiar, but they have been extremely sensitive about public waste bins for decades due to the risk of bombs. It is unusual to find a bin in many public places. But don't take my word for it, here's the BBC:
"Rubbish bins have been put back on the London Underground (LU) for the first time since the 7 July bomb attacks."
Of course if someone throws their ticket stub on the floor in absence of a bin, then this part of the risk equation is moot.
That's just one number, and you have to admit most people didn't even realize that it was sensitive. The attack vector is the bins, so you effectively have to stop all the sensitive data from going in them (reduce valuable assets) stop people from diving in them, or make them dive-proof. You aren't well served by adressing only one of the three issues. For example, who can keep track of and convince passengers of what data is sensitive? The press?
@ UK Tourist
Correct. For what it's worth the military often has explosives experts who train on using and diffusing random cans and barrels they find in urban environments. In fact, the simplicity of their own terror-causing capabilities probably scare them as much as anything they've actually encountered. On the flip side, there is a growing industry of expensive "bomb-proof" bin technology:
And that just makes me wonder, if you're going to spend $5000 a bin to make it bomb-proof, isn't there a less expensive way to manage public waste that doesn't involve a primary component for making/concealing explosives? Maybe our whole concept of public waste management is fundamentally flawed, eh? Do we really need these bins? Remember ash trays in every arm-rest?
Regarding rubbish bins in the UK, they're all over the place, I work in Manchester city centre, from the entrance to the building I'm sat in I can see three within a 100 yards. There may have been a time when we were supposed to worry about bins but without them you end up with town centres full of rubbish. Most people worry about the more likely dangers, getting run down crossing the road etc rather than the miniscule chance of being too close to a bomb.
@UK Tourist, @Davi
Bins were removed because of IRA bombing. In particular, in Warrington a mall was bombed, with bombs also placed in bins, timed to catch the people fleeing the first bombs.
In Warrington, the bins were decorative cast iron items, which made the problem of bombs far worse, with fragments of the bins acting as shrapnel.
Now, large city bins are usually a sheet-metal liner insider either an epoxy/fiberglass composite which fragments into very large pieces only and offers some protection against nails and/or ballbearings, or a thermoplastic outer (polythene or polypropelene). Or bins are very small.
This is Britain, and We don't need rubbish bins, because We have a God-given right to cast our waste wherever We see fit. That's why Her Magesty's Kingdom often looks like your local tip. Mind you, We have cleaned up our collective acts considerably in the last 20 years or so, and We certainly don't need you foreign chappies' funny ideas about litter. Jolly dashed colonials, get back at heel before we take a birch to you ...
@Davi, UK Tourist et al
FWIW, there are some small trash bins in Heathrow Express, between some of the back-to-back seats. Quite easy to overlook - I noticed them for the first time a couple of weeks back when I had some snack remnants that I wanted to get rid of without having to take them into Terminal 4 airside. None in T4 groundside or Paddington railway station that I've seen, for the IRA-related security reasons already mentioned.
I didn't notice if the HX bins were emptied at T4 during the quick staff walk-through security security check that's done while the train is waiting there.
Anyway, I remember finding a recent ticket stub in a second-hand book..
BA has, for some time, required a 4-digit PIN to log on to a frequent flyer account. Not as good as a strong password, but better then nothing. The Guardian story says "BA has now closed its security loophole" but doesn't say when.
@JakeS: BA has two methods to login
1. BA membership number & pin
2. login name & password
In order to use method 2 you have to find the "hidden" registration page (it is NOT easy to find, it took me more than 10 minutes right now to find it!). You can reach it via "Special offers: Sign up for offers" and "Register Now". The email address is used as login name and you can use a real password. That has changed on March 23rd, 2006. Before that you could create any nickname.
After registration you can associate your BA membership number with your account. Your login name is NOT printed on any receipt or boarding pass.
But from what I understand from the Guardian's article this would have been no help in that case. The loophole was caused because you were able to book a flight and give a membership number as additional booking information. After that, you could access and change the membership information WITHOUT the question for a PIN or password.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.