
Post a boarding pass on Facebook, get your account stolen - flux_w42
https://www.michalspacek.com/post-a-boarding-pass-on-facebook-get-your-account-stolen
======
sersi
And this is also why I almost never give my real birth date when registering
on websites (except on financial websites or websites where I'm legally
obligated to) and I never ever give real answers to the security questions.

My typical answer for a security question is something like "39arsrc
uyrsrsaulsr8832r" and that's saved in a password manager

Security questions weaken the security of an account; they are easily found
information that people can just guess.

~~~
JupiterMoon
> My typical answer for a security question is something like "39arsrc
> uyrsrsaulsr8832r" and that's saved in a password manager

The problem with this is that the "security" question will often be asked over
the phone. At this point an answer of "Oh I just mash the keyboard for those"
is probably going to get an attacker access to your account.

~~~
JumpCrisscross
> _The problem with this is that the "security" question will often be asked
> over the phone. At this point an answer of "Oh I just mash the keyboard for
> those" is probably going to get an attacker access to your account_

I used to do this and then lost my password file. Fast forward to a call with
AT&T. I told them I forgot my secret answers. They offered that it was "a
super weird answer," which let me use the "mashed keyboard" line and got in.
TL;DR I think this system is less safe than just making up cars, cities, _et
cetera_.

~~~
ohazi
correct horse battery staple?

~~~
alphast0rm
This is a reference to the XKCD comic, Password Strength [1].

[1] [https://xkcd.com/936/](https://xkcd.com/936/)

~~~
isostatic
And for those who think the reference is so well known it doesn't need citing:
[https://xkcd.com/1053/](https://xkcd.com/1053/)

~~~
Chris2048
Quite Frankly - bad math. You judge people based on how old they are..

------
DougWebb
It's not just posting photos that can cause this kind of trouble. I get a lot
of email intended for other Doug Webbs sent to my gmail account, with
variations on the presence/location of periods, or CC'd with another gmail
account that's the same but with numbers on the end. For a while I was getting
boarding passes from a major airline for a Doug that was frequently flying up
and down the US west coast. Those emails gave me the confirmation number, and
a link directly to the page that would let me make changes to the reservation,
with no security barrier at all.

Granted, this most likely was caused by that other Doug providing my email
address to the airline, but the airline is at fault too for assuming that
access to a given email address is proof of identity. That's a _very_ common
mistake, often made intentionally to provide a more "user-friendly"
experience. Had I been malicious, I could have caused that other Doug a lot of
un-friendly grief.

I was not able to see any contact information on the reservation, and I didn't
have full access to his account. (I don't know if a "Forgot Password" request
would have given me that, though it probably would have.) I contacted the
airline customer support to tell them they had the wrong email address on the
reservation and they should contact their customer through some other means if
they could. I think I got a form-letter thank you and never heard from them
again, but I did get a few more boarding passes for a while.

I also get a lot of online shopping order/shipment confirmations, and plenty
of personal correspondence. I try to tell the senders to fix their address
books, and when I get a CC with the real address I contact the other Dougs
too, but most of the time there's no response. I've had to set up a filter
that puts all email with TO addresses that aren't the one I use into an "Other
Dougs" folder, which I treat like spam.
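The "Other Dougs" filter described above, as an added example that is not part of the comment. It relies on the fact that Gmail ignores dots in the local part and anything after a `+` when routing mail, so a message addressed to a variant of your address still lands in your inbox; the address, subjects and To: headers below are constructed placeholders, not real messages:

```python
# Added example, not from the thread. Sorts mail by whether the To: header names
# the exact address I use, or only a Gmail-equivalent variant of it that still
# reaches my inbox (dots in the local part and +tags are ignored by Gmail).
from email.utils import getaddresses

MY_ADDRESS = "doug.webb@gmail.com"   # constructed placeholder, not a real address


def canonical_gmail(addr: str) -> str:
    """Collapse a Gmail address to the form Gmail actually routes on:
    lowercase, dots removed from the local part, +tag stripped, googlemail.com folded."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or domain not in ("gmail.com", "googlemail.com"):
        return addr  # other domains: leave as-is, dots may be significant there
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@gmail.com"


def classify_to(to_header: str, my_address: str = MY_ADDRESS) -> str:
    """'mine' if the header carries exactly my address; 'other-dougs' if it only
    carries a Gmail variant that maps to my mailbox (likely misdirected mail);
    'not-for-me' if no recipient maps to my mailbox at all."""
    addrs = [a for _, a in getaddresses([to_header]) if a]
    mine = my_address.lower()
    if any(a.lower() == mine for a in addrs):
        return "mine"
    if any(canonical_gmail(a) == canonical_gmail(mine) for a in addrs):
        return "other-dougs"
    return "not-for-me"


# Constructed sample headers (not real messages)
SAMPLE_MESSAGES = [
    {"to": "Doug Webb <doug.webb@gmail.com>", "subject": "Your order confirmation"},
    {"to": "dougwebb@gmail.com", "subject": "Boarding pass for flight XX123"},
    {"to": "d.o.u.g.webb+air@gmail.com, dougwebb42@gmail.com",
     "subject": "Reservation change link"},
    {"to": "someone.else@example.com", "subject": "Unrelated"},
]


def sort_mailbox(messages, my_address: str = MY_ADDRESS) -> dict:
    """Bucket subjects into folders; 'other-dougs' is the one to treat like spam."""
    folders = {"mine": [], "other-dougs": [], "not-for-me": []}
    for m in messages:
        folders[classify_to(m["to"], my_address)].append(m["subject"])
    return folders


if __name__ == "__main__":
    for folder, subjects in sort_mailbox(SAMPLE_MESSAGES).items():
        print(f"{folder}: {subjects}")
```

The exact-match test runs first so that a message genuinely addressed to you (even with a variant in CC) is never filed away; a mailbox that appears only as a dotted or +tagged variant is the signal that someone else gave out your address.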

~~~
DougWebb
Ha... I just checked my Other Dougs folder. On Aug 4, I got an email from
myidentityassist.com saying that "I" reported a case of identity theft, and
that "my" Royal Bank of Canada credit card has been blocked from further use.
Then on Aug 5 I got an email confirming an order from a Pizza Hut in Kingston
ON, Canada, using the same variation on my email address.

This is one of my repeat-offenders. I see a lot of email out of Kingston with
this same variation on my email address, and I've tried many times to reply
and get people to tell him he's using the wrong email address, but to no
avail. This has been going on for years.

~~~
uiri
Have you tried calling him up?
[http://www.canada411.ca/search/?stype=si&what=Doug+Webb&wher...](http://www.canada411.ca/search/?stype=si&what=Doug+Webb&where=Kingston%2C+ON)

~~~
DougWebb
Wow, an official, functional, online phonebook with addresses? I didn't know
those still existed. Crazy Canadians. Thanks, I may give that a try.

------
sebcat
33c3 talk related to this topic: [https://www.youtube.com/watch?v=n8WVo-YLyAg](https://www.youtube.com/watch?v=n8WVo-YLyAg) - "Where in the World Is Carmen Sandiego?"

~~~
fahrradflucht
Or in a lot of different formats and also for download on media.ccc.de:

[https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...](https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego)

------
babuskov
Just to clarify in case someone assumes the same thing I did from the
headline: it isn't the Facebook account that gets stolen, but the airline
website account.

~~~
exodust
And really this has nothing to do with Facebook at all, it's not a good title.

~~~
macintux
Eh, Instagram is owned by Facebook, so I gave that a pass.

~~~
exodust
I thought the point was about the risks of posting images of boarding passes
on the internet. Where they happen to be posted seems irrelevant to me, but
whatever.

------
henadzit
It would also help if tickets had a "No photography" icon on them and a note
about them having private information.

~~~
Natanael_L
I think somebody should develop a standardized and open auto redaction
flagging scheme for anything printed, where cameras and any software meant to
share photos can offer the user to redact every sensitive field in a secure
manner.

Something like a QR code saying "this stuff in that position relative to this
code is sensitive", giving the user a prompt saying "this was redacted; undo?"

~~~
YokoZar
And then camera-shy people will print it on their clothes.

~~~
Natanael_L
That's a feature

------
chockablock
Recently saw a viral tweet with a picture of a political mailing posted on
twitter with the address blacked out, but the USPS bar code
([https://en.m.wikipedia.org/wiki/Intelligent_Mail_barcode](https://en.m.wikipedia.org/wiki/Intelligent_Mail_barcode))
showing (looks like a comb with broken teeth).

They obviously didn't know the barcode contained the precise house address of
the recipient (presumably the user's home address). Anonymization is hard!

~~~
jsymolon
Like SSNs (with a defined purpose), the IMb's "use" is to help the USPS sort and
deliver the mail without manual handling.

Large mailers (billions of pieces per year) get a postage discount by applying
such a barcode to all the pieces. (edit: any mailer can get the discount. it
just adds up for the larger mailers) Those pieces are delivered to USPS
facilities, dumped into the auto-sorters and end up at the local post office
with no human handling.

It should not be used for anything else except handling mail.

------
fredley
It's amazing that with the algorithmic power Facebook brings to bear on every
photo you upload, finding faces etc., that they can't spare a few cycles for
security.

It would be simple to run barcode detection over any post and blur the result
(maybe prompt the user just in case they actually wanted to post one?).

Almost any barcode is assumed to be private information, even a barcode on a
store receipt can be used for return fraud in certain circumstances.

Saying 'don't post barcodes online' is all well and good, but that message
will never reach the general public.

~~~
tinus_hn
The problem is not barcodes and it is not Facebook. The problem is airlines
with security systems that went out of style in the 90’s.

You don’t print a paper with all the information you need to hijack accounts.
You don’t use ‘secret questions’. You don’t treat birthdays as secrets. You
don’t use a number as a secret if it’s on the ticket.

~~~
csomar
I was traveling with a friend and we could benefit from changing flights. So
my friend went to the counter to just ask about the possibility. He had my
boarding pass but not my passport. He returned 20 minutes later with both
boarding passes changed. The counter staff just took his "word" for "he is my
friend".

Edit: An hour later driving and thinking about it, I think it is the right
move from the airline. The risk is small because identity theft and
authentication hacking is not possible in this case. The Airport is a highly
controlled environment and thus someone pulling this will have a higher chance
of getting arrested. In contrast, you can't just take anonymous IPs on the
Internet for their words. You have to carefully authenticate them and even
then you can still have issues.

~~~
kossae
This is the case I've seen the most. It also really speaks to what is the
ultimate security hole which is human error and social engineering. Granted
your friend was not being malicious, the fact that it was that easy is scary.

~~~
pmontra
Maybe this is not intentional social engineering, but a former customer working
in the micro credit market once told me that the people who are most difficult
to get money back from are friends, not strangers. Maybe he had an agenda (send
your friends to me) but it matches my experience.

------
dawnerd
Not the first time airlines have had poor security with boarding passes:

[https://medium.com/@da/need-a-last-minute-flight-45af88ec8df...](https://medium.com/@da/need-a-last-minute-flight-45af88ec8df3)
[https://www.wired.com/2016/08/fake-boarding-pass-app-gets-ha...](https://www.wired.com/2016/08/fake-boarding-pass-app-gets-hacker-fancy-airline-lounges/)
[https://puckinflight.wordpress.com/2012/10/19/security-flaws...](https://puckinflight.wordpress.com/2012/10/19/security-flaws-in-the-tsa-pre-check-system-and-the-boarding-pass-check-system/)
[http://www.washingtonpost.com/national/experts-warn-about-se...](http://www.washingtonpost.com/national/experts-warn-about-security-flaws-in-airline-boarding-passes/2012/10/23/ed408c80-1d3c-11e2-b647-bb1668e64058_story.html)

And what the OP article is basically copying:
[https://www.theverge.com/2017/1/10/14226034/instagram-boardi...](https://www.theverge.com/2017/1/10/14226034/instagram-boarding-pass-security-problem-bad-idea)

I don't see this changing anytime soon (although there are some tests to move
towards facial recognition).

~~~
keganunderwood
The real problem is that once again someone treated what should simply be an
identifier to look up data as something more. Why not store all this
information on the server that an authorized person can see when they scan a
uuid on the boarding pass? Would they allow boarding if the network was down?

~~~
germanier
There are procedures in place in case the network is down. I have flown with
hand-written boarding passes multiple times in the past (they even had special
cards for that situation lying around). On the other hand there were flights
that were grounded as there was some network malfunction. I guess it depends
on the specific problem they have.

------
joering2
Reminds me of my ex-gf I had on my Facebook for a while. She liked to show
off, which I think nowadays is not that big of a deal. But she would
literally invite crime to her house! On her public Facebook profile she didn't
post her address, BUT she had a bunch of photos: her with the Living Complex
sign, her next to her door (with the apartment number on it), photos of her
inside the house with a beautiful 85" TV and other equipment including expensive
bikes, then finally her photo with the car showing the license plate (revealing
her state name).

I told her numerous times it's not a good idea but she never listened! Then I
told her publicly on her car photo that she should at least wipe out the plate
number, which created a long trail of comments where basically all her friends
thought I'm weird and creepy and why would I be warning her (perhaps I want to
commit some crime??). No amount of explaining helped. Even telling her cops will
tell her the same thing got me a bunch of her "friends" answering "you ain't a
cop, bro". And then one fine Friday I saw her posting that they were leaving for
another state to visit family. Boy, it was a discovery when they came back Monday
morning and their house was cleaned out of every possible valuable belonging.
And the thieves must have come with a large enough truck to fit that 85" TV
screen.

Not long after she removed me from her FB even though I never told her "told
you so".

The bottom line is I don't believe people will learn not to give clues
online, and I think in this day and age there should be a mandatory hour-long
lesson at school on what NOT to post online.

~~~
meric
It might be you remind her of her failure to listen to your advice - it's
about her and not you.

------
floatingatoll
Why do Facebook and Twitter and etc. permit posting of airline QR codes and
credit card photos _without_ a safety warning and an option to safely blur out
the sensitive bits?

~~~
beambot
Why do they permit it...? Because they aren't our parents and shouldn't be
responsible for all the stupid shit that users _could_ do.

The real question: Perhaps we can politely convince these services to display
safety warnings & blur the sensitive bits? Want to be proactive about it: Help
develop a plug & play library for services to use to accomplish this feat.

~~~
jsymolon
> aren't our parents ...

Doesn't seem to stop them from trying to find naughty photos and block them.

[https://www.geek.com/apps/is-it-nude-algorithm-wants-to-find...](https://www.geek.com/apps/is-it-nude-algorithm-wants-to-find-out-whos-naked-on-the-net-1626678/)

------
signa11
The RISKS Digest:
[http://catless.ncl.ac.uk/Risks/](http://catless.ncl.ac.uk/Risks/) is also a
pretty cool resource for these kinds of things :)

------
kerouanton
I don't know if it's the case elsewhere, but starting in 2019 all invoice
payments in Switzerland will use mandatory QR codes.
[https://www.paymentstandards.ch/en/home/softwarepartner/qr-b...](https://www.paymentstandards.ch/en/home/softwarepartner/qr-bill.html)
That promises to be challenging too in terms of publication of sensitive data.

~~~
s3nnyy
I can't see exactly where it says that it is mandatory?

------
noobermin
I get it, be aware of what you post on facebook, but does this not rub anyone
else the wrong way?

Imagine you break into your friend's car, and rewire the stereo system so the
left speaker doesn't work. Then, you say, "yo, I broke into your car and
rewired things. The locks on this car are faulty, better let the car
manufacturer know. I should contact them myself and collect my bug bounty."
And when your friend, a decent chap, thinks you're joking, and finds out
you're not kidding, is his response supposed to be, _" Oh shit, you're right.
You could have just [rewired my speaker system]. This is crazy."_ or instead,
would he no longer be your friend, and probably report you to the police?

~~~
Kudos
Analogies almost always make for tedious discussions.

~~~
noobermin
I grant you that. I am trying to make a general point about whether you should
do 'x' just because you can or to prove a point.

------
cyberferret
I wonder just how much of the barcode should be obscured to render it
unscannable? Is it enough to cover the check digit? (If indeed that symbology
has a check digit verification). e.g. With QR Codes, is 25% obscuration
enough, etc.?

------
franciscop
Fun alternative: create a honeypot website that looks semi-legit and publish
QR codes to social networks to analyze the traffic to those.

For big-name corps, do the same to catch IPs of script kiddos who don't
know/bother to mask those.

------
jamiethompson
Something I also do which guards against social engineering attacks is that I
have a set of fake answers for common "secret questions". These exist nowhere
but in my head. I figure it's an extra obfuscation step and could very well be
a blocker if anyone _was_ trying to get into any of my accounts.

------
cyphunk
Do the barcodes in the author's examples, which they did not bother to fuzz and
anonymize, also convey the details they did anonymize? I'm curious.

~~~
bonzini
The blurring was done by the person who posted (not by the authors).

------
sitepodmatt
To help increase security through action, whenever friends send me their
flight details that include a PNR I logon to the airline website and book them
a middle seat and special meal choice 'bland meal'. Just doing my part.

~~~
kobeya
“friends”

------
nanreh
How about this: never post anything on Facebook. Just stop using it. Facebook
causes cancer. You're better off without it.

------
vectorEQ
how about just don't post stuff like boarding pass online >.> don't need to
share every detail on the PUBLIC INTERWEBZ. dm someone if u want to tell them.
saves hassle of getting your shit stolen by some 12 year old. in holland we
say 'voorkomen is beter dan genezen' -> to prevent is better than to cure. We
all know these kind of weaknesses exist everywhere, yet we post our boarding
pass on a public page on the internet... bit silly. you can say 'shit should
be secure' but that's being said since the dawn of the interwebz and it never
has been... so don't bank on it ever being secure is better than to assume it
is and point fingers once you're a victim.

------
magoon
Could you imagine a neighbor going around checking everybody’s window and door
locks?

~~~
meric
No but your mum might pick your phone off your pocket to remind you to be
careful when it's hanging out while you two are travelling in a country
overseas in a danger area.

------
nine_k
Do a thoroughly stupid thing, reap the consequences. Post publicly a bunch of
private info, like your complete contact details, get your account (or more of
your identity) stolen.

There is nothing surprising about that, nothing hard to understand.

What is hard is actually thinking about what you are doing. Maybe, well,
showing off your sophisticated and aesthetically perfect password is not such
a good idea due to other considerations.

------
hsnewman
If you post personally identifiable information online you can get your
account stolen. Something new, no.

~~~
bhldr
What's the purpose of your cynicism?

------
eridius
There's no such thing as an iWatch. Why do people just make up product names
like that?

------
Spooky23
Why would you do such a thing?

~~~
TomMarius
Because he's an information security expert.

~~~
Spooky23
I mean the "post a boarding pass on Facebook" part.

~~~
artursapek
They were showing off their nice apple hardware and international plane
tickets. It's the standard "my life is perfect" instagram user.

~~~
Spooky23
What’s the bigger security threat in this scenario?

------
mulmen
Up next: post your bank statements online and lose your money!

------
proksoup
It's unfortunate that we must be this paranoid.

------
qrbLPHiKpiux
The weakest link in infosec has fingers and thumbs that use a device.

This is nothing short of yelling sensitive information through a megaphone.
USERFAIL

------
bogomipz
>"I've known Petr Mára for few years now, he's a nice guy. He's a speaker,
trainer, video blogger, and deploys iOS & macOS wherever possible."

Why are any of these facts relevant? He deploys macOS? What? What does this
have to do with anything?

And then the author makes the reference to his friend Petr a link to his personal
website? Seriously?

Incidentally, Petr's website is really entertaining as there are no less than
5 pictures of him that take up the entire background. Clicking on the Petr
link is the most entertaining part of the article.

~~~
distances
> He deploys macOS? What? What does this have to do with anything?

And what does that even mean? That he buys Apple stuff? Indeed the weirdest
endorsement I've heard in a while.

~~~
TomMarius
To be fair, Petr himself uses these exact words (on his website) to describe
himself.

------
ff7c11
The author needs to learn some responsibility himself.

------
logingone
And still people make excuses to use Facebook.

------
KGIII
I am not a lawyer, but I think most of the author's actions would be
considered illegal in the US. While he didn't do any harm, his actions were
still probably a violation of at least the CFAA.

Anyhow, Aztec code? It looks, the one on the watch, pretty much like a QR
Code. I've never seen the Aztec code before today. It makes me wonder how many
of these barcode things we really need. A quick Google didn't reveal any
information demonstrating why this Aztec code is any better than the other
options out there.

It does make me grateful that I don't have to work on implementing all these
things or, really, even deal with them. I know a bunch of you are developers
and I hope you're not the ones stuck with dealing with all these different
'standards.'

~~~
littlehood
Aztec is more compact than QR - does not need margin and because it's
optimised for lowercase letters (used a lot for urls). Also has tunable error
correction.

~~~
masklinn
> because it's optimised for lowercase letters (used a lot for urls).

Case does not matter for URLs, HTTP://NEWS.YCOMBINATOR.COM will work
perfectly, and can be encoded using qrcode's alphanumeric mode.

Aztec is slightly more efficient regardless, but not by much: QR alphanumeric is
5.5 bits per symbol, Aztec is 5 bits per symbol.
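Where the 5.5 bits per symbol for QR alphanumeric mode comes from, as an added example that is not part of the comment. It counts only payload bits for the three main QR text modes (the mode indicator, length field and error-correction codewords are left out), and goes a little beyond the comment by including numeric mode; it does not model Aztec, whose 5 bits per symbol figure is taken from the comment as stated:

```python
# Added example, not from the thread: count the payload bits a QR code spends on a
# string in each single-mode encoding, to show why an all-caps URL fits the cheaper
# alphanumeric mode while any lowercase letter forces byte mode.
from typing import Optional, Tuple

# The 45-symbol alphanumeric set defined by the QR specification.
QR_ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"


def numeric_bits(s: str) -> Optional[int]:
    """Numeric mode: 3 digits share 10 bits; a trailing 2 digits cost 7, a single digit 4."""
    if not s or not s.isascii() or not s.isdigit():
        return None
    groups, rest = divmod(len(s), 3)
    return groups * 10 + {0: 0, 1: 4, 2: 7}[rest]


def alnum_bits(s: str) -> Optional[int]:
    """Alphanumeric mode: 2 symbols share 11 bits (45 * 45 < 2**11), an odd last
    symbol costs 6. That averages to the 5.5 bits per symbol quoted above."""
    if not s or any(c not in QR_ALNUM for c in s):
        return None
    pairs, rest = divmod(len(s), 2)
    return pairs * 11 + rest * 6


def byte_bits(s: str) -> int:
    """Byte mode: 8 bits per encoded byte; the fallback once any other character appears."""
    return 8 * len(s.encode("utf-8"))


def cheapest_mode(s: str) -> Tuple[str, int]:
    """Pick the single-mode encoding with the fewest payload bits.
    (Real encoders may also switch modes mid-string, which this does not model.)"""
    candidates = [
        ("numeric", numeric_bits(s)),
        ("alphanumeric", alnum_bits(s)),
        ("byte", byte_bits(s)),
    ]
    return min(((m, b) for m, b in candidates if b is not None), key=lambda mb: mb[1])


if __name__ == "__main__":
    for url in ("HTTP://NEWS.YCOMBINATOR.COM", "http://news.ycombinator.com"):
        mode, bits = cheapest_mode(url)
        print(f"{url}: {mode} mode, {bits} bits ({bits / len(url):.2f} bits/char)")
```

For the 27-character upper-case URL the alphanumeric encoding costs 149 bits (about 5.5 per character); the same URL in lowercase has no alphanumeric encoding at all and falls back to 216 bits in byte mode.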

~~~
buckminster
Case doesn't matter for the protocol or domain name but it does matter for the
rest of the URL.

~~~
O_H_E
Oh you already commented that. (Deleting my comment)

------
bogomipz
>"When you want to brag about your final destination, be careful of what you
post on Facebook and Instagram. Leave your boarding passes (and other
barcodes) for yourself (and get a shredder)."

It's funny that for a piece intended to warn others about identity security the
author had no problem reproducing the unredacted boarding pass picture in
question, which incidentally also tells us that he is a member of the One
World Club with Sapphire status. They also go on to let us know their
nationality and profession.

The author also has no problem publishing his friend's full name and linking
to their personal website, which features 5 large high resolution pictures
of his friend's face as well as detailing exactly which Apple certifications
they possess.

~~~
stephen_g
There isn’t a Oneworld club.

With Oneworld you can only join individual airlines’ loyalty programs (I think
he’s in the BA one judging by the BASILV). Then all the airline programs in
the Oneworld alliance have a mapping between their tiers and the Oneworld set,
so you can work out the equivalence between airlines. So a Qantas Gold tier
maps to BA’s Silver tier and gets the same perks on each other’s airlines (BA
has Blue, Bronze, Silver, Gold and Qantas has Bronze to Platinum, hence the
difference).

‘Club World’ is what BA call their business class.

But your point still stands, he definitely should have at least obscured his
frequent flyer membership number...

~~~
bogomipz
Sorry, yes, I meant alliance not club. At any rate the ticket says Sapphire for
One World, which lets you know their frequent flyer status:

[https://www.oneworld.com/ffp/my-oneworld-tier-status/-/tiers...](https://www.oneworld.com/ffp/my-oneworld-tier-status/-/tierstatus/british-airways/executive-club-silver)

------
jackemupguy2
The most notable information here is the dumpster diving at airports .. and
what it can get you. Namely - people discarding their airline passes at
airports. "Barcodes can also be found on “forgotten” boarding passes in
aircraft or other locations." ... holy shit, I never thought about that ...
wow.

------
jackemupguy2
Real deal - DEFCON part about this. The research is deep for sure.
[https://www.youtube.com/watch?v=qnq0UfOUTlM](https://www.youtube.com/watch?v=qnq0UfOUTlM)

------
kumarm
Bad server request. Maintaining your own server for a personal blog is geeky as
long as you can manage to keep it up.

~~~
woof
It's currently at AWS, where was it 42 minutes ago?

------
tribby
post a boarding pass on facebook, get your account stolen?

there's an alternate title for this one.

post about commandeering accounts on your blog, get the CFAA thrown at you and
go to jail.

this is anything but responsible.

~~~
literallycancer
Presumably he's not located in the US.

------
bogomipz
>"Users often publish data that they don't know what they mean. Because at
first sight, it's not possible to see what's the data, or what the data is
for"

No, it's more like people are so obsessed with curating their "fabulous"
lifestyle for social media that they don't care.

The boarding passes are a carefully arranged prop in that picture, intended to
reinforce the fact to social media that "yes I lead a fabulous life."

If their intention had only been to communicate to others that they were going
on vacation, an "On our way to ____" message would have sufficed.

