Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption

from the incredible dept

Ars Technica’s Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear.

The fourth line in the record above is Farivar’s (long-expired and changed) full credit card. While it may not seem like a huge surprise that the government is basically snooping on everything you tell the airlines (including seat changes, food preferences, any special assistance you might need, etc.), it’s stunning that they’re passing around and storing credit card info in the clear.

Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.

?Why isn?t the government complying with even the most basic cybersecurity standards?? Cate said. ?Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ?unfair? to the public. Why do transportation security officials not comply with even these most basic standards??

Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 — suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we’ve seen in the past, if there’s one government agency that appears to be able to get away with anything with absolutely no oversight at all, it’s Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they’re getting all this information on Americans, it seems like they’re creating a much bigger security risk in storing (and passing around) all such info in the clear.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption”

Subscribe: RSS Leave a comment
28 Comments
Anonymous Coward says:

Re: Re: Good Guys

How could you possibly mess that up!

“If you outlaw privacy violations, then only criminals violate your privacy.” is how this should have went! Like the “If you outlaw guns, then only criminals will have them!” saying.

They don’t “get to” anything. Outlawing something gives the police tools to bring people to justice with. Well supposed to be used for justice anyways…

But it is clear that the government has become a criminal organization right in front of our faces.

Anonymous Coward says:

Re: Good Guys

I think it is something international where the old politicians have lacked understanding for security matters since “the good dollars” told them it was all fine. Security is hard to convince someone about the importance of untill they see a reason for it (after the accident etc.). Also: So far the reasons against prioritizing security (NSA!) has weighed heavier than the reasons for.

Rikuo (profile) says:

Re: Re:

If stored as a page, then it doesn’t matter whether or not it’s available via some online-system or in a non-connected system. It means that anyone could have looked up this dude’s credit card details with no problem whatsoever.
Besides, since he booked online, it would have had to be stored digitally to begin with.

Even though it is his credit card, it should have at the very least, been redacted to some degree. For example, just this minute, I’ve checked my credit card details on Amazon. Despite the fact that I just authenticated who I am with them by entering my user name and password, the image that is given to me only shows the last four digits of my credit cards.

Whatever (profile) says:

Re: Re: Re:

the image that is given to me only shows the last four digits of my credit cards.

I would expect so, because anyone could have hacked your account. I don’t think that anyone could have hacked a FOI request, could they?

It means that anyone could have looked up this dude’s credit card details with no problem whatsoever.

How, exactly? What I am trying to figure out is if this is in a non-connected system, and the information is stored as scanned pages rather than straight digital information, then where exactly are the big risk factors? Hackers would hate stuff like this, it’s way too much work.

I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks.

Remember, that information does have to be provided because customs is looking to see who pays for air travel as well as who travels.

John Fenderson (profile) says:

Re: Re: Re: Re:

“Hackers would hate stuff like this, it’s way too much work.”

Script kiddies hate this stuff. Professional hackers love this stuff: it’s why they get paid the big bucks.

“I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks”

But a nonconnected system doesn’t mitigate the greatest security risks. Most serious security breaches do not come from the outside, they come from employees of the company holding the data (disgruntled, bribed, whatever employees). Keeping a system disconnected from the internet doesn’t affect those attack vectors at all.

PaulT (profile) says:

Re: Re:

“Is the information actually stored on computer as digital data or as a scanned page?”

…and that matters when someone accesses the datastore anyway… how? You do realise that a “scanned page” is still stored digitally and therefore a security risk, right, even if you don’t consider the fact that decent OCR would make the difference between actual plain text and, say, a PDF rather trivial once access is gained? Even manually reading the scanned pages would be a massive breach if someone manages to gain access.

“is this data actually available via an online system, or is it in a private, non-connected system?”

Or, is the system designed poorly enough so that a direct connection to the internet doesn’t matter?

For example: Target’s security breach last year affected systems that were not online, but an attack on a 3rd party HVAC supplier enabled a potential 110 million credit cards to be compromised. (example article http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ – there’s a lot more online if you actually wish to educate yourself).

Perhaps instead of rejecting every possible criticism again, and “wondering” about ways to not admit that articles and comments may have a point you might wish to think this through for 2 minutes? Some criticism is valid, but you’re yet to provide it.

Rich Kulawiec (profile) says:

A few observations

1. For those who engage in periodic travel, this is a security problem: anyone examining the records will quickly be able to deduce that, for example, they spend every fourth week out of the country.

2. Since credit cards numbers are stored in the clear in this database, what reason do we have to believe that they were transmitted to this database in encrypted form?

3. What access controls and what auditing exists to control and log user access to this data? Are they any better than the NSA’s? If not, then what stops a rogue employee from downloading 40,000 records and selling the data to carders?

4. Is this data being shared with any foreign government? If so, which? Why?

5. If this data isn’t being shared with any foreign government (deliberately) then how do we know it’s not being “shared” because they’ve helped themselves to it?

6. Did it occur to anyone involved in the design and construction of this database that they were building the motherlode for kidnappers, extortionists, terrorists and others? (After all: knowing that someone flies to a certain country regularly, books a first-class ticket, pays for it with an AmEx card, orders a gourmet meal, etc., will be of great help in identifying a wealthy person whose company/family will be willing to pay a sizable ransom.)

Anonymous Coward says:

Re: A few observations

Strange but true:

For a brief period in the late 60s/early 70s, newspaper society pages in Los Angeles would publish passenger lists of cruises and whatnot.

And while the elite were away having a romp, legitimate-looking crews would show up at their houses and remove their lawns.

Sod was at a premium in those days.

Anonymous Coward says:

This illustrates an aspect of the NSA data collection I find the deeply troubling. I’m not particularly worried about the NSA coming after me, but I don’t trust them to keep their data about me secure. Heck, these guys have an incentive to make systems less secure in general. What incentive do they have to keep my data safe? Congressional “ovesight?”. This CBP data only confirms my fears.

Uriel-238 (profile) says:

All your data are belong to...everybody.

Isn’t the CBP just a bunch of mooks for the RIAA and MPAA?

This is one of the big issues that surfaced with the NSA which Snowden keeps validating, is that the people who run these intelligence agencies seem to still believe we’re in the 1960s.

If the NSA has collected all your data, you are not just endangered by the feds taking issue with you, but also the attention of every other corporate or national interest who has a low-level mole in the NSA.

The problem is going to be ten times worse in an organization like the CBP who has no awareness of the need for data security, given its just a bunch of mooks for the RIAA and MPAA.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...