Interesting People mailing list archives
more on Get a boarding pass, steal someone's identity
From: David Farber <dave () farber net>
Date: Mon, 8 May 2006 12:07:00 -0400
Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: May 8, 2006 10:01:13 AM EDT
To: "Perry E. Metzger" <perry () piermont com>
Cc: cryptography () metzdowd com
Subject: Re: Get a boarding pass, steal someone's identity

On Sun, 07 May 2006 12:53:41 -0400, "Perry E. Metzger" <perry () piermont com> wrote:
> I got this pointer off of Paul Hoffman's blog. Basically, a reporter uses information on a discarded boarding pass to find out far too much about the person who threw it away....
>
> http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
>
> The story may be exaggerated but it feels quite real. Certainly I've found similar issues in the past.
>
> These days, I shred practically anything with my name on it before throwing it out. Perhaps I'm paranoid, but then again...
I read the article. What bothers me is the focus on CAPS II, Secure Flight, and all the other US government-mandated initiatives. I saw nothing in it that seemed in any way related to security. Every one of those database entries could have been there -- and probably were there -- for the convenience of airline passengers. In particular, I'm referring to the ability to check in online and print your own boarding pass. For business travelers who use only carry-on baggage, it's a *major* timesaver. I've been on flights where I had to wait 45-60 minutes (or more) just to get my boarding pass, independent of any security screening.

Passport numbers? I've always had to present my passport when checking in for an international flight; the difference now is that I see what's happening. (Yes, US immigration is fussier about passport and customs inspections than most other countries I've visited -- but in my personal experience, that dates back to 1971. It's also less fussy about emigration -- I remember having to listen to fundamentalist religious preaching from an Australian emigration officer some years ago.)

The real point here is carelessness with access controls. *That's* what we have to fight. It's certainly better if databases don't exist; as I said, I think that these exist because of customer demand, not government mandates.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo () metzdowd com