Shostack + Friends Blog Archive


Boarding Passes, Privacy, and Threat Models

flight-coupon.jpgThere’s a great article in the Guardian, “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much:”

This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing gum wrappers and baggage tags, cast off by some weary traveller, when I first laid eyes on it just over a month ago.

The traveller’s name was Mark Broer. I know this because the paper – actually a flimsy piece of card – was a discarded British Airways boarding-pass stub, the small section of the pass displaying your name and seat number. The stub you probably throw away as soon as you leave your flight.

If the expert was right, this stub would enable me to access Broer’s personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans – and even allow me to fake his passport.

The story is fascinating, and contains great analysis by Adam Laurie on why the risks have shaken out as they have. The key trick that makes the attack work is, don’t attack the frequent flyer site, buy a ticket. The airline didn’t realize that brought you to all the data they have on their customer.

Even if the risk externalities that Adam L. outlines were not present, this would have been hard to detect and prevent. What security process should the airline have engaged in? A detailed threat modeling process might have discovered the stored procedure that pulls the data out. A good data flow diagram might have called attention to the additional information flow.

These are hard, unusual processes. Is it fair to expect British Airways to have threat modeling experts on hand? I don’t know.

Anyway, thanks to N. for the pointer to the story.