Post a boarding pass on Facebook, get your account stolen

726 points by flux_w42, over 7 years ago

38 comments

sersi, over 7 years ago
And this is also why I almost never give my real birth date when registering on websites (except on financial websites or websites where I'm legally obligated to), and I never ever give real answers to the security question.

My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager.

Security questions weaken the security of an account; they are easily found information that people can just guess.
DougWebb, over 7 years ago
It's not just posting photos that can cause this kind of trouble. I get a lot of email intended for other Doug Webbs sent to my gmail account, with variations on the presence/location of periods, or CC'd with another gmail account that's the same but with numbers on the end. For a while I was getting boarding passes from a major airline for a Doug that was frequently flying up and down the US west coast. Those emails gave me the confirmation number, and a link directly to the page that would let me make changes to the reservation, with no security barrier at all.

Granted, this most likely was caused by that other Doug providing my email address to the airline, but the airline is at fault too for assuming that access to a given email address is proof of identity. That's a *very* common mistake, often made intentionally to provide a more "user-friendly" experience. Had I been malicious, I could have caused that other Doug a lot of un-friendly grief.

I was not able to see any contact information on the reservation, and I didn't have full access to his account. (I don't know if a "Forgot Password" request would have given me that, though it probably would have.) I contacted the airline customer support to tell them they had the wrong email address on the reservation and they should contact their customer through some other means if they could. I think I got a form-letter thank you and never heard from them again, but I did get a few more boarding passes for a while.

I also get a lot of online shopping order/shipment confirmations, and plenty of personal correspondence. I try to tell the senders to fix their address books, and when I get a CC with the real address I contact the other Dougs too, but most of the time there's no response. I've had to set up a filter that puts all email with TO addresses that aren't the one I use into an "Other Dougs" folder, which I treat like spam.
sebcat, over 7 years ago
33c3 talk related to this topic: https://www.youtube.com/watch?v=n8WVo-YLyAg - "Where in the World Is Carmen Sandiego?"
babuskov, over 7 years ago
Just to clarify in case someone assumes the same thing I did from the headline: it isn't the Facebook account that gets stolen, but the airline website account.
henadzit, over 7 years ago
It would also help if tickets had a "No photography" icon on them and a note about them containing private information.
chockablock, over 7 years ago
Recently saw a viral tweet with a picture of a political mailing posted on twitter with the address blacked out, but the USPS bar code (https://en.m.wikipedia.org/wiki/Intelligent_Mail_barcode) showing (looks like a comb with broken teeth).

They obviously didn't know the barcode contained the precise house address of the recipient (presumably the user's home address). Anonymization is hard!
fredley, over 7 years ago
It's amazing that with the algorithmic power Facebook brings to bear on every photo you upload, finding faces etc., they can't spare a few cycles for security.

It would be simple to run barcode detection over any post and blur the result (maybe prompt the user just in case they actually wanted to post one?).

Almost any barcode is assumed to be private information; even a barcode on a store receipt can be used for return fraud in certain circumstances.

Saying 'don't post barcodes online' is all well and good, but that message will never reach the general public.
dawnerd, over 7 years ago
Not the first time airlines have had poor security with boarding passes:

https://medium.com/@da/need-a-last-minute-flight-45af88ec8df3
https://www.wired.com/2016/08/fake-boarding-pass-app-gets-hacker-fancy-airline-lounges/
https://puckinflight.wordpress.com/2012/10/19/security-flaws-in-the-tsa-pre-check-system-and-the-boarding-pass-check-system/
http://www.washingtonpost.com/national/experts-warn-about-security-flaws-in-airline-boarding-passes/2012/10/23/ed408c80-1d3c-11e2-b647-bb1668e64058_story.html

And what the OP article is basically copying: https://www.theverge.com/2017/1/10/14226034/instagram-boarding-pass-security-problem-bad-idea

I don't see this changing anytime soon (although there are some tests to move towards facial recognition).
joering2, over 7 years ago
Reminds me of my ex-gf I had on my Facebook for a while. She liked to show off, which I think nowadays is not that big of a deal. But she would literally invite crime to her house! On her public Facebook profile she didn't post her address, BUT she had a bunch of photos: her with the living complex sign, her next to her door (with the apartment number on it), photos of her inside the house with a beautiful 85" TV and other equipment including expensive bikes, then finally her photo with the car showing the license plate (revealing her state name).

I told her numerous times it's not a good idea but she never listened! Then I told her publicly on her car photo that she should at least wipe out the plate number, which created a long trail of comments where basically all her friends thought I was weird and creepy and asked why I would be warning her (perhaps I wanted to commit some crime??). No amount of explaining helped. Even telling her that cops would tell her the same thing got me a bunch of her "friends" answering "you ain't a cop, bro". And then one fine Friday I saw her posting that they were leaving for another state to visit family. Boy, it was a discovery when they came back Monday morning: their house was cleaned out of every possible valuable belonging. And the thieves must have come with a large enough truck to fit that 85" TV screen.

Not long after, she removed me from her FB even though I never told her "told you so".

The bottom line is I don't believe people will learn not to give clues online, and I think in this day and age there should be a mandatory one-hour lesson at school on what NOT to post online.
floatingatoll, over 7 years ago
Why do Facebook and Twitter etc. permit posting of airline QR codes and credit card photos *without* a safety warning and an option to safely blur out the sensitive bits?
signa11, over 7 years ago
The RISKS Digest: http://catless.ncl.ac.uk/Risks/ is also a pretty cool resource for these kinds of things :)
kerouanton, over 7 years ago
I don't know if it's the case elsewhere, but starting 2019 all invoice payments in Switzerland will use mandatory QR codes. https://www.paymentstandards.ch/en/home/softwarepartner/qr-bill.html That promises to be challenging too in terms of publication of sensitive data.
noobermin, over 7 years ago
I get it, be aware of what you post on facebook, but does this not rub anyone else the wrong way?

Imagine you break into your friend's car, and rewire the stereo system so the left speaker doesn't work. Then, you say, "yo, I broke into your car and rewired things. The locks on this car are faulty, better let the car manufacturer know. I should contact them myself and collect my bug bounty." And when your friend, a decent chap, thinks you're joking, and finds out you're not kidding, is his response supposed to be, *"Oh shit, you're right. You could have just [rewired my speaker system]. This is crazy."* or instead, would he no longer be your friend, and probably report you to the police?
cyberferret, over 7 years ago
I wonder just how much of the barcode should be obscured to render it unscannable? Is it enough to cover the check digit? (If indeed that symbology has check digit verification.) E.g. with QR codes, is 25% obscuration enough, etc.?
franciscop, over 7 years ago
Fun alternative: create a honeypot website that looks semi-legit and publish QR codes to social networks to analyze the traffic to those.

For big-name corps, do the same to catch IPs of script kiddos who don't know/bother to mask those.
jamiethompson, over 7 years ago
Something I also do which guards against social engineering attacks is that I have a set of fake answers for common "secret questions". These exist nowhere but in my head. I figure it's an extra obfuscation step and could very well be a blocker if anyone *was* trying to get into any of my accounts.
cyphunk, over 7 years ago
Do the barcodes in the author's examples, which they did not bother to fuzz and anonymize, also convey the details they did anonymize? I'm curious.
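An added example, not code from the thread or from the article it discusses: a decoder for the mandatory section of an IATA Bar Coded Boarding Pass (BCBP) payload, the text that the Aztec, PDF417 or QR symbol on a pass carries (the symbology only changes how the same text is drawn). It assumes the pass follows the BCBP layout; the sample payload is constructed, and the point is to see which fields a posted barcode exposes in the clear.

```python
# Decoder for the 60-character mandatory section of an IATA BCBP payload,
# the text that airlines encode into the Aztec/PDF417/QR symbol on a pass.
# Constructed sample data; nothing here comes from the thread's own passes.
import datetime

# (field name, width) in order; widths follow the BCBP mandatory layout.
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60

def parse_bcbp(payload: str) -> dict:
    """Split the fixed-width mandatory section of the first leg into fields."""
    if len(payload) < MANDATORY_LEN or payload[0] != "M":
        raise ValueError("payload is not a BCBP mandatory section")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    # The conditional section that follows may carry the frequent-flyer
    # number and ticket number; its length is a two-digit hex field.
    cond_len = int(fields["conditional_size"] or "0", 16)
    fields["conditional"] = payload[pos:pos + cond_len]
    return fields

def flight_date(julian_day: str, year: int) -> datetime.date:
    """BCBP stores only the day of year (001-366); the year must be supplied."""
    return datetime.date(year, 1, 1) + datetime.timedelta(days=int(julian_day) - 1)

def exposed_booking_key(fields: dict) -> tuple:
    """Surname plus PNR: the pair many manage-booking pages accept as a login."""
    surname = fields["passenger_name"].split("/")[0]
    return surname, fields["pnr"]

# Constructed sample: one leg PRG->LHR, built with ljust() to keep widths exact.
SAMPLE = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "PRG" + "LHR" + "BA".ljust(3) + "0855".ljust(5) + "265" + "Y"
    + "012A" + "0042".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE)
    for name, value in decoded.items():
        print(f"{name:>18}: {value!r}")
    print("flight date:", flight_date(decoded["julian_date"], 2017))
    print("booking key:", exposed_booking_key(decoded))
```

The frequent-flyer and ticket numbers live in the conditional section, which has its own longer structured layout and is kept as raw text here; the mandatory section alone already yields the name and record locator.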
sitepodmatt, over 7 years ago
To help increase security through action, whenever friends send me their flight details that include a PNR I log on to the airline website and book them a middle seat and the special meal choice 'bland meal'. Just doing my part.
nanreh, over 7 years ago
How about this: never post anything on Facebook. Just stop using it. Facebook causes cancer. You're better off without it.
vectorEQ, over 7 years ago
how about just don't post stuff like boarding passes online >.> don't need to share every detail on the PUBLIC INTERWEBZ. dm someone if u want to tell them. saves the hassle of getting your shit stolen by some 12 year old. in holland we say 'voorkomen is beter dan genezen' -> to prevent is better than to cure. We all know these kinds of weaknesses exist everywhere, yet we post our boarding pass on a public page on the internet... bit silly. you can say 'shit should be secure' but that's been said since the dawn of the interwebz and it never has been... so not banking on it ever being secure is better than assuming it is and pointing fingers once you're a victim.
magoon, over 7 years ago
Could you imagine a neighbor going around checking everybody’s window and door locks?
nine_k, over 7 years ago
Do a thoroughly stupid thing, reap the consequences. Publicly post a bunch of private info, like your complete contact details, and get your account (or more of your identity) stolen.

There is nothing surprising about that, nothing hard to understand.

What is hard is actually thinking about what you are doing. Maybe, well, showing off your sophisticated and aesthetically perfect password is not such a good idea due to other considerations.
hsnewman, over 7 years ago
If you post personally identifiable information online you can get your account stolen. Something new, no.
eridius, over 7 years ago
There's no such thing as an iWatch. Why do people just make up product names like that?
Spooky23, over 7 years ago
Why would you do such a thing?
mulmen, over 7 years ago
Up next: post your bank statements online and lose your money!
proksoup, over 7 years ago
It's unfortunate that we must be this paranoid.
qrbLPHiKpiux, over 7 years ago
The weakest link in infosec has fingers and thumbs that use a device.

This is nothing short of yelling sensitive information through a megaphone. USERFAIL
bogomipz, over 7 years ago
> "I've known Petr Mára for few years now, he's a nice guy. He's a speaker, trainer, video blogger, and deploys iOS & macOS wherever possible."

Why are any of these facts relevant? He deploys macOS? What? What does this have to do with anything?

And then the author makes the reference to his friend Petr a link to his personal website? Seriously?

Incidentally, Petr's website is really entertaining as there are no less than 5 pictures of him that take up the entire background. Clicking on the Petr link is the most entertaining part of the article.
ff7c11, over 7 years ago
The author needs to learn some responsibility himself.
logingone, over 7 years ago
And still people make excuses to use Facebook.
KGIII, over 7 years ago
I am not a lawyer, but I think most of the author's actions would be considered illegal in the US. While he didn't do any harm, his actions were still probably a violation of at least the CFAA.

Anyhow, Aztec code? It looks, the one on the watch, pretty much like a QR Code. I've never seen the Aztec code before today. It makes me wonder how many of these barcode things we really need. A quick Google didn't reveal any information demonstrating why this Aztec code is any better than the other options out there.

It does make me grateful that I don't have to work on implementing all these things or, really, even deal with them. I know a bunch of you are developers and I hope you're not the ones stuck with dealing with all these different 'standards.'
bogomipz, over 7 years ago
> "When you want to brag about your final destination, be careful of what you post on Facebook and Instagram. Leave your boarding passes (and other barcodes) for yourself (and get a shredder)."

It's funny that for a piece intended to warn others on identity security the author had no problem reproducing the unredacted boarding pass picture in question, which incidentally also tells us that he is a member of the One World Club with Sapphire status. They also go on to let us know their nationality and profession.

The author also has no problem publishing his friend's full name and linking to their personal website, which features 5 large high resolution pictures of his friend's face as well as detailing exactly which Apple certifications they possess.
jackemupguy2, over 7 years ago
The most notable information here is the dumpster diving at airports .. and what it can get you. Namely, people discarding their airline passes at airports. "Barcodes can also be found on “forgotten” boarding passes in aircraft or other locations." ... holy shit, I never thought about that ... wow.
jackemupguy2, over 7 years ago
Real deal - DEFCON part about this. The research is deep for sure. https://www.youtube.com/watch?v=qnq0UfOUTlM
kumarm, over 7 years ago
Bad server request. Maintaining your own server for a personal blog is geeky as long as you can manage to keep it up.
tribby, over 7 years ago
post a boarding pass on facebook, get your account stolen?

there's an alternate title for this one.

post about commandeering accounts on your blog, get the CFAA thrown at you and go to jail.

this is anything but responsible.
bogomipz, over 7 years ago
> "Users often publish data that they don't know what they mean. Because at first sight, it's not possible to see what's the data, or what the data is for"

No, it's more like people are so obsessed with curating their "fabulous" lifestyle for social media that they don't care.

The boarding passes are a carefully arranged prop in that picture, intended to reinforce the fact to social media that "yes I lead a fabulous life."

If their intention had only been to communicate to others that they were going on vacation, an "On our way to ____" message would have sufficed.