In January of this year I reported to British Airways that it was
possible to recover arbitrary passengers' confidential information,
including Date Of Birth and passport details, by simply matching a
frequent flyer number to a surname when purchasing a ticket via their
website. Since this information is printed on every boarding pass, any
discarded passes can potentially provide an attacker with the
information he needs to access the data via the website.
The problem exists because of the US Goverment's requirement for
airlines to provide Advance Passenger Information for all passengers
destined for their shores. It is left to the airlines themselves to
administer the data collection systems, and, therefore, to make their
own mistakes in the security systems that control access to that data.
The more airlines that implement these systems, the more potential
security holes will exist.
Full story here:
http://www.guardian.co.uk/g2/story/0,,1766138,00.html
cheers,
Adam
--
Adam Laurie Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899
Ash Radar Station http://www.thebunker.net
Marshborough Road
Sandwich mailto:adam_at_thebunker.net
Kent
CT13 0PL
UNITED KINGDOM PGP key on keyservers
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on May 03 2006
Intro
