The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.
Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.
“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
The information contained in the boarding pass could make it easier for an attacker to reset the PIN used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early steps of resetting a Star Alliance account PIN at United Airlines’ “forgot PIN” Web site.
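To make concrete what a boarding pass barcode actually carries, here is an added example (not part of the newsletter, and not the site Cory used) that splits the mandatory block of an IATA Bar Coded Boarding Pass (BCBP) string into its fields and shows which two of them, passenger name and record locator, are the pair the story above shows is enough to open a booking online. The boarding pass string, the passenger, the booking code and the flight are all constructed for this example; the field widths follow the public BCBP layout for the first flight leg, and the frequent flyer number, which lives in the optional conditional section, is kept raw rather than decoded.

```python
# Added example: minimal parser for the mandatory leg-1 fields of an IATA
# BCBP boarding pass string, plus a redaction helper that blanks the two
# fields the newsletter story identifies as giving access to the booking.
# SAMPLE_BCBP is constructed for this example and matches no real passenger.

SAMPLE_BCBP = (
    "M"                      # format code
    "1"                      # number of legs encoded
    "DOE/JANE            "   # passenger name, 20 chars, space padded
    "E"                      # electronic ticket indicator
    "ABC123 "                # PNR / record locator, 7 chars
    "FRA"                    # origin airport
    "MUC"                    # destination airport
    "LH "                    # operating carrier, 3 chars
    "0123 "                  # flight number, 5 chars
    "275"                    # date of flight as day-of-year
    "Y"                      # compartment code
    "012A"                   # seat number
    "0045 "                  # check-in sequence number
    "1"                      # passenger status
    "00"                     # size (hex) of the conditional section that follows
)

# (field name, width) for the fixed mandatory block of the first leg, in order.
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60 characters


def field_offsets() -> dict:
    """Map each mandatory field name to its (start, end) slice in the string."""
    offsets, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        offsets[name] = (pos, pos + width)
        pos += width
    return offsets


def parse_bcbp(data: str) -> dict:
    """Split a BCBP 'M' string into its leg-1 mandatory fields plus raw conditional data."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields = {}
    for name, (start, end) in field_offsets().items():
        fields[name] = data[start:end].strip()
    # The conditional section (frequent flyer number, bag tags, etc.) follows the
    # mandatory block; its length is given in hex. Kept raw here, not decoded.
    cond_len = int(fields["conditional_size"], 16)
    fields["conditional_raw"] = data[MANDATORY_LEN:MANDATORY_LEN + cond_len]
    return fields


def redact_for_sharing(data: str) -> str:
    """Blank the passenger name and record locator, the two fields that, per the
    story above, were enough to open the booking on the airline's website."""
    chars = list(data)
    for name in ("passenger_name", "pnr"):
        start, end = field_offsets()[name]
        chars[start:end] = "X" * (end - start)
    return "".join(chars)


if __name__ == "__main__":
    parsed = parse_bcbp(SAMPLE_BCBP)
    for key, value in parsed.items():
        print(f"{key:20} {value!r}")
    print("redacted:", redact_for_sharing(SAMPLE_BCBP))
```

The parser is deliberately limited to the mandatory block; a real pass usually carries a non-zero conditional section, and the frequent flyer number the story mentions sits there. The redaction helper exists to show which characters matter, not as an alternative to the advice above: a photo of a pass still exposes the barcode, so shredding, or simply not posting it, remains the right move.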
More Stuff for the shredder!
Hackers broke into a server and made off with names, driver license numbers, and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile.
The breach was the result of an attack on a database maintained by credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, T-Mobile CEO John Legere said in a statement posted online. The investigation into the hack has yet to be completed, but so far the compromise is known to affect people who applied for T-Mobile service from September 1, 2013 through September 16 of this year. It’s at least the third data breach to affect Experian disclosed since March 2013.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote. “I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”
I am not sure where to file this: perhaps Cyber Hypocrisy? Wow, if the Credit Card companies do not take cyber seriously, then we are all in deep doo-doo.
Seems like yes, despite assertions that it is not.
“We collect a limited amount of information to help us provide a secure and reliable experience. This includes data like an anonymous device ID, device type, and application crash data which Microsoft and our developer partners use to continuously improve application reliability,” Myerson wrote. “This doesn’t include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID.”
Moving right along, Myerson confirmed that Microsoft would love to collect words and phrases that you type – something we’ve known about since the first Windows 10 Technical Preview shipped – but explained that it’s not about advertising. Rather, it’s about being able to “deliver a delightful and personalized Windows experience to you.”
The Windows 10 Privacy Statement gives examples of data that Redmond might collect, including “name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data.”
So basically, use Windows 10 and your life is an open book to Microsoft and their partners. No thanks!
A network of infected Linux computers is flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic, enough in some cases to take the targets completely offline.
The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.
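The spoofing trick described above, where attack traffic arrives carrying source addresses from the victim's own network, is something a defender can catch at the border: a packet entering from an external interface should never claim a source inside your own prefixes. The following is an added example (not from the Akamai advisory or the newsletter) that applies that check to a handful of constructed flow records; the interface names, prefixes and addresses are made up for the example, and the addresses are from documentation ranges.

```python
# Added example: flag ingress flows whose source address falls inside the
# defender's own prefixes, the symptom of the source spoofing described above.
# All flow records, interface names and prefixes below are constructed.
import ipaddress

# Prefixes this network announces; anything claiming these as a source while
# arriving from outside is spoofed. Constructed values.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Interfaces that face the outside world. Constructed names.
EXTERNAL_IFACES = {"wan0", "wan1"}

# Constructed flow records: (ingress interface, source IP, destination IP, bytes).
SAMPLE_FLOWS = [
    ("wan0", "203.0.113.7",   "198.51.100.20", 1500),
    ("wan0", "198.51.100.9",  "198.51.100.20", 1500),  # own address from outside
    ("wan0", "192.0.2.44",    "198.51.100.20", 1500),
    ("wan1", "198.51.100.3",  "198.51.100.20", 1500),  # own address from outside
    ("lan0", "198.51.100.3",  "203.0.113.7",   800),   # legitimate, internal side
    ("wan0", "not-an-address", "198.51.100.20", 60),   # malformed record
]


def is_spoofed_ingress(iface: str, src: str) -> bool:
    """True when a flow enters on an external interface with a source in OWN_PREFIXES."""
    if iface not in EXTERNAL_IFACES:
        return False
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Malformed source field: not evidence of spoofing, but worth logging separately.
        return False
    return any(addr in prefix for prefix in OWN_PREFIXES)


def find_spoofed(flows) -> list:
    """Return the flows that fail the ingress check, for alerting or a drop rule."""
    return [flow for flow in flows if is_spoofed_ingress(flow[0], flow[1])]


def spoofed_bytes(flows) -> int:
    """Volume attributable to spoofed-source traffic, useful for sizing the attack."""
    return sum(flow[3] for flow in find_spoofed(flows))


if __name__ == "__main__":
    for iface, src, dst, size in find_spoofed(SAMPLE_FLOWS):
        print(f"spoofed source {src} on {iface} -> {dst} ({size} bytes)")
    print("spoofed bytes:", spoofed_bytes(SAMPLE_FLOWS))
```

This is the same logic an ingress filter at the edge router enforces; the value of running it over flow records as well is that it gives the operations team a count and a list to act on while the attack is in progress rather than silently dropped packets.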
As you may know, starting in October the credit card companies are changing the rules on credit card liability for transactions where the credit card is present at the location of the purchase. The idea is to encourage merchants and financial institutions to adopt the “EMV” (Europay/MasterCard/Visa) “chip” credit cards.
The EMV cards are generally considered to be more secure, because the chip creates a unique transaction code for each transaction, whereas if someone manages to read the magnetic stripe on a traditional credit card (and acquires the 3-digit verification number), there is nothing to stop repeated use of that credit card.
However, readers should be aware that there is a downside to the EMV chip technology. While magnetic stripes can be easily read (say, after theft of a card, or by a physically compromised ATM), magnetic stripes cannot be read remotely. On the other hand, the card chips can be accessed remotely. Thus information on these new EMV cards can be read from a few inches away, even while the card is in your wallet or purse, by anyone passing near you. While some cards do not reveal account numbers this way (American Express claims to be in this group), others have been shown to do so.
So, what can be done to protect your new EMV credit and debit cards? The answer is to protect them by blocking radio frequencies (RF) from reaching the card when it is not in use. One suggestion is to wrap them in aluminum foil. While this is 100% effective (providing what is known as a Faraday cage around the card), it is bulky and inconvenient. A less bulky and more convenient alternative is to place the cards in an RFID shield sleeve. These sleeves, available from retailers (Amazon, REI and many others), are inexpensive, and do not take up appreciable space in your purse or wallet, and should also serve as a reasonably effective Faraday cage to protect your cards – not only credit cards, but any card that uses this kind of chip technology, which might include educational institution cards, company security access cards, driver licenses and others.