Researcher Describes Risks Posed by Posting Boarding Passes
Former Australian PM's Instagram Shot Led to Personal Data
An Instagram post by one of Australia’s former prime ministers led to a security researcher finding his passport and phone number due to a coding error in a widely used airline ticketing system.
On Wednesday, an Australian computer security researcher who goes by the name Alex posted a humorous yarn about how a friend pointed out that Tony Abbott had posted a photo online of his business-class boarding pass and baggage receipt for a Qantas flight from Tokyo to Sydney on March 21.
Alex writes on his blog that his friend said: “Can you hack this, man?” Alex took the challenge.
“People post their boarding passes all the time because it’s not clear that they’re meant to be secret,” Alex writes.
Inspecting Code
Experts have pointed out that bar codes and other data on a boarding pass can lead to information leaks and have advised against posting the data. But it still happens frequently, and as Alex notes, puts people at risk of identity theft schemes.
The bar code on Abbott’s photo was blurry, but the booking reference was readable. Usually, a booking reference and a last name are enough to go to an airline’s website and view the booking.
Alex tells ISMG that airlines don’t force customers to have an account to fly with them “so they can't do the usual email/password/2FA login. They use the booking reference instead, which is basically emailing/texting you your password. I understand that the airlines move really fast and so don’t want to slow down for increased security.”
Alex writes that he could see the former prime minister’s name, flight times and frequent flyer number on the airline's website. The flight had already occurred, so he couldn’t change anything. But Alex decided to take a look at the web page’s code using the “inspect element” feature in Chrome.
“I scrolled around the page’s HTML, not really knowing what it meant, furiously trying to find anything that looked out of place or secret,” Alex writes. “I eventually realized that manually reading HTML with my eyes was not an efficient way of defending my country, and Ctrl + F’d the HTML for ‘passport’.”
Sure enough, Abbott’s passport number was there, as well as his phone number.
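The defect described here is a page that ships fields the user interface never renders. As an added example (not code from Alex, Qantas or Amadeus), the Python check below parses a server response and flags sensitive fields that reach the browser as hidden inputs, data-* attributes or inline JSON; the field-name list and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Field names that should never be sent to the browser unless the page
# actually displays them. Assumed list for this example; adapt to your model.
SENSITIVE_PATTERNS = [r"passport", r"phone", r"mobile", r"date.?of.?birth"]

def is_sensitive(name):
    return any(re.search(p, name, re.IGNORECASE) for p in SENSITIVE_PATTERNS)

class HiddenFieldAuditor(HTMLParser):
    """Collect sensitive values that reach the client without being rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (location, field_name, value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Case 1: <input type="hidden" name="passportNumber" value="...">
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            name = attrs.get("name") or ""
            if is_sensitive(name):
                self.findings.append(("hidden-input", name, attrs.get("value") or ""))
        # Case 2: data-* attributes, e.g. <div data-phone="...">
        for key, value in attrs.items():
            if key.startswith("data-") and is_sensitive(key):
                self.findings.append(("data-attr", key, value or ""))

    def handle_data(self, data):
        # Case 3: inline JSON state blobs inside <script>, e.g. {"passportNumber": "..."}
        for m in re.finditer(r'"([A-Za-z_]+)"\s*:\s*"([^"]*)"', data):
            if is_sensitive(m.group(1)):
                self.findings.append(("inline-script", m.group(1), m.group(2)))

def audit_html(html):
    """Return [(location, field, value)] for sensitive fields present but not displayed."""
    auditor = HiddenFieldAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample page: the visible part shows only name and route, but the
# server also embedded passport, phone and birth-date fields the UI never shows.
SAMPLE_PAGE = """<html><body>
  <h1>Booking ABC123</h1><p>Passenger: A. Traveller</p><p>Route: Tokyo to Sydney</p>
  <input type="hidden" name="passportNumber" value="X0000000">
  <input type="hidden" name="bookingRef" value="ABC123">
  <div class="contact" data-phone="+61000000000"></div>
  <script>window.__STATE__ = {"dateOfBirth": "1900-01-01", "flight": "XX000"};</script>
</body></html>"""
```

Running `audit_html(SAMPLE_PAGE)` against a real booking page in a CI test turns "is anything secret in the HTML?" into a repeatable check rather than a manual Ctrl+F.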
Bug in Amadeus Booking System
Alex was rightfully nervous about whether what he had done could have violated the law, but apparently it did not. He emailed the Australian Signals Directorate, which is part of the Defense Department, and Qantas, and described his findings.
Alex writes that Qantas told him the bug would be fixed by Amadeus, the Madrid-based company that develops software for e-ticketing and booking. Qantas eventually told him the bug was fixed in July. Alex tells ISMG it’s unclear if the bug just affected Qantas or other airlines as well.
Qantas advised him that its “standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains.”
Still, Alex says he couldn’t find any kind of advice like that on Qantas’ website, and boarding passes don’t have warnings not to post photos of the documents on social media.
Abbott: A Gracious Call
The security researcher eventually contacted Abbott’s staff, and he was somewhat surprised to learn that Abbott was “quite keen” to talk to him. Alex eventually spoke with Abbott on the phone.
“Mostly, he [Abbott] wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about ‘the IT’,” Alex writes. “He asked some intelligent questions, like ‘How much information is in a boarding pass, and what do people like me need to know to be safe?’ and ‘Why can you get a passport number from a boarding pass, but not from a bus ticket?’”
Abbott also didn’t have a problem with Alex blogging about the incident. Abbott’s staff and Qantas reviewed Alex’s blog post on Tuesday before it was published.
“At the end of the call, he [Abbott] said ‘If there’s ever anything you think I need to know, give us a shout’,” Alex writes. “Look, you gotta hand it to him. That’s exactly the right way to respond when someone tells you about a security problem.”