Just in case you missed it on my photostream or in the last podcast. There are a few comments on Flickr and comments on the last entry.
Day: 6 May 2006
BA site compromised, again?
From Slashdot yesterday, Identity Theft from Tossed Airline Boarding pass?
The Guardian newspaper has a great story about how the gathering of information for anti-terrorist passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub. From the article: We logged on to the BA website, bought a ticket in Broers name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details – including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
So my take on it is, maybe this story is not quite what it's cracked up to be. According to many Slashdotters, they're calling bullshit. But in the past I've also seen how easy it is to exploit BA's online system. I'm actually sure I emailed BA over 2 years ago and maybe blogged it a while ago. See, the problem I had was that my password timed out and I needed to get an e-ticket for the return journey. So I logged in as Sarah, who had a different account, then changed a few things in the URL and bingo, I was able to see my account details including address, passport number, etc. Now from what I remember I couldn't get the password, but I could change it (which I did). I do remember the membership number, first name, last name and email address were all I needed to change the account.
I remember being so shocked at the lack of security and privacy that I tried to delete my account once I got back to the UK. I know for sure I told quite a few people about this flaw but can't quite remember exactly who. Honestly, the problem seems to be when you're already logged in and accessing someone else's account other than your own. Anyway, I guess I should go and see if I can get my old details without a password… Hopefully some mainstream attention like this will force BA to recheck their site and maybe solve the flaw I identified all that time ago.
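The flaw described above (a logged-in member changing an identifier in the URL and being shown another member's details) is a missing object-level authorization check. The following is an added illustration, not code from the original post or from BA's site: it assumes a hypothetical `/account?member=` query parameter and uses constructed sample accounts, showing the trusting handler beside the fixed one and recording refused attempts so they can be detected.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample accounts keyed by membership number (placeholder values).
ACCOUNTS = {
    "10001": {"name": "Sarah", "email": "sarah@example.com", "passport": "PASSPORT-A"},
    "10002": {"name": "Ian", "email": "ian@example.com", "passport": "PASSPORT-B"},
}

# Refused cross-account requests are appended here; a real site would log them
# so that someone probing other members' numbers shows up in monitoring.
AUDIT_LOG = []


@dataclass
class Session:
    member_no: str  # the member who actually authenticated


class Forbidden(Exception):
    """The session tried to reach an account it does not own."""


def _requested_member(url: str) -> str:
    # Hypothetical URL shape: /account?member=10002
    return parse_qs(urlparse(url).query).get("member", [""])[0]


def view_account_vulnerable(session: Session, url: str) -> dict:
    """Trusts the identifier from the URL: any logged-in member can read any account."""
    return ACCOUNTS[_requested_member(url)]


def view_account_fixed(session: Session, url: str) -> dict:
    """Checks that the requested account belongs to the authenticated session."""
    member = _requested_member(url)
    if member != session.member_no:
        AUDIT_LOG.append({"session": session.member_no, "requested": member})
        raise Forbidden(f"member {session.member_no} may not view account {member}")
    return ACCOUNTS[member]


def view_own_account(session: Session) -> dict:
    """Preferred shape: derive the account from the session and accept no identifier at all."""
    return ACCOUNTS[session.member_no]


def is_refused(session: Session, url: str) -> bool:
    """Helper returning True when the fixed handler refuses the request."""
    try:
        view_account_fixed(session, url)
    except Forbidden:
        return True
    return False
```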