Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption

from the incredible dept

Ars Technica's Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear.
The fourth line in the record above is Farivar's (long-expired and changed) full credit card. While it may not seem like a huge surprise that the government is basically snooping on everything you tell the airlines (including seat changes, food preferences, any special assistance you might need, etc.), it's stunning that they're passing around and storing credit card info in the clear.
Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.

“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”
Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 -- suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we've seen in the past, if there's one government agency that appears to be able to get away with anything with absolutely no oversight at all, it's Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they're getting all this information on Americans, it seems like they're creating a much bigger security risk in storing (and passing around) all such info in the clear.

Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    Richard (profile), Jul 21st, 2014 @ 7:59am

    Good Guys

    Why do transportation security officials not comply with even these most basic standards?”

    Because "we're the good guys, so it's all fine"

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 8:16am

    Why do transportation security officials not comply with even these most basic standards?”

    Because fuck the public, that's why.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 8:16am

    i decided a long time ago that buying anything over the 'net is a bad idea.  that impression continues to get stronger and stronger.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    David, Jul 21st, 2014 @ 8:17am

    Re: Good Guys

    If you outlaw privacy violations, only criminals get to violate your privacy.
    -- National Snooping Association

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 8:21am

    Re: Good Guys

    I think it is something international where the old politicians have lacked understanding for security matters since "the good dollars" told them it was all fine. Security is hard to convince someone about the importance of untill they see a reason for it (after the accident etc.). Also: So far the reasons against prioritizing security (NSA!) has weighed heavier than the reasons for.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    Geno0wl (profile), Jul 21st, 2014 @ 8:36am

    Re:

    They would keep this exact same information about you if you bought this over the phone.
    So unless you want to go in person and only buy in cash for everything...good luck.
    Hell the act of doing that itself in 20 years will likely raise flags itself.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    Whatever (profile), Jul 21st, 2014 @ 8:43am

    Two quick questions: Is the information actually stored on computer as digital data or as a scanned page?

    More importantly, outside of the FOI request, is this data actually available via an online system, or is it in a private, non-connected system?

    Just wondering.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 8:48am

    We're from the government, and we're here to help you.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 9:05am

    Re:

    Answer to both questions:-
    It does not matter, as either a computer hack, a lost DVD, or malicious copy to a thumb drive can put the data into a criminals hands.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Rikuo (profile), Jul 21st, 2014 @ 9:08am

    Re:

    If stored as a page, then it doesn't matter whether or not it's available via some online-system or in a non-connected system. It means that anyone could have looked up this dude's credit card details with no problem whatsoever.
    Besides, since he booked online, it would have had to be stored digitally to begin with.

    Even though it is his credit card, it should have at the very least, been redacted to some degree. For example, just this minute, I've checked my credit card details on Amazon. Despite the fact that I just authenticated who I am with them by entering my user name and password, the image that is given to me only shows the last four digits of my credit cards.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Rich Kulawiec, Jul 21st, 2014 @ 9:11am

    A few observations

    1. For those who engage in periodic travel, this is a security problem: anyone examining the records will quickly be able to deduce that, for example, they spend every fourth week out of the country.

    2. Since credit cards numbers are stored in the clear in this database, what reason do we have to believe that they were transmitted to this database in encrypted form?

    3. What access controls and what auditing exists to control and log user access to this data? Are they any better than the NSA's? If not, then what stops a rogue employee from downloading 40,000 records and selling the data to carders?

    4. Is this data being shared with any foreign government? If so, which? Why?

    5. If this data isn't being shared with any foreign government (deliberately) then how do we know it's not being "shared" because they've helped themselves to it?

    6. Did it occur to anyone involved in the design and construction of this database that they were building the motherlode for kidnappers, extortionists, terrorists and others? (After all: knowing that someone flies to a certain country regularly, books a first-class ticket, pays for it with an AmEx card, orders a gourmet meal, etc., will be of great help in identifying a wealthy person whose company/family will be willing to pay a sizable ransom.)

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 9:16am

    I don't like that they store such detailed records, but I'm glad that they're ignoring even basic cybersecurity practises in its storage. Storing it insecurely makes it easier to characterize them as having a blatant disregard for the negative consequences they inflict on other people.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 9:35am

    This illustrates an aspect of the NSA data collection I find the deeply troubling. I'm not particularly worried about the NSA coming after me, but I don't trust them to keep their data about me secure. Heck, these guys have an incentive to make systems less secure in general. What incentive do they have to keep my data safe? Congressional "ovesight?". This CBP data only confirms my fears.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 9:40am

    Re: Re: Good Guys

    How could you possibly mess that up!

    "If you outlaw privacy violations, then only criminals violate your privacy." is how this should have went! Like the "If you outlaw guns, then only criminals will have them!" saying.

    They don't "get to" anything. Outlawing something gives the police tools to bring people to justice with. Well supposed to be used for justice anyways...

    But it is clear that the government has become a criminal organization right in front of our faces.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 9:45am

    Re: Re:

    Buying plane tickets today in cash will raise flags, and that's been true for probably a decade.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 9:49am

    Re: A few observations

    Strange but true:

    For a brief period in the late 60s/early 70s, newspaper society pages in Los Angeles would publish passenger lists of cruises and whatnot.

    And while the elite were away having a romp, legitimate-looking crews would show up at their houses and remove their lawns.

    Sod was at a premium in those days.

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    Mason Wheeler (profile), Jul 21st, 2014 @ 10:58am

    A couple years back, LinkedIn got hacked, and due to lax data security, personal details of 6.5 million users got stolen. This resulted in a $5M class-action lawsuit for negligence.

    How many US citizens have traveled by plane since March of 2005? I bet it's a lot more than 6.5 million!

     

    reply to this | link to this | view in thread ]

  18.  
    At this rate, all members of the Free Software Foundation will start traveling abroad on foot.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Jul 21st, 2014 @ 1:12pm

    Just to be picky: CBP = Customs and Border Protection, not Patrol...

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    Uriel-238 (profile), Jul 21st, 2014 @ 4:45pm

    All your data are belong to...everybody.

    Isn't the CBP just a bunch of mooks for the RIAA and MPAA?

    This is one of the big issues that surfaced with the NSA which Snowden keeps validating, is that the people who run these intelligence agencies seem to still believe we're in the 1960s.

    If the NSA has collected all your data, you are not just endangered by the feds taking issue with you, but also the attention of every other corporate or national interest who has a low-level mole in the NSA.

    The problem is going to be ten times worse in an organization like the CBP who has no awareness of the need for data security, given its just a bunch of mooks for the RIAA and MPAA.

     

    reply to this | link to this | view in thread ]

  21.  
    icon
    Whatever (profile), Jul 21st, 2014 @ 5:11pm

    Re: Re:

    the image that is given to me only shows the last four digits of my credit cards.

    I would expect so, because anyone could have hacked your account. I don't think that anyone could have hacked a FOI request, could they?

    It means that anyone could have looked up this dude's credit card details with no problem whatsoever.

    How, exactly? What I am trying to figure out is if this is in a non-connected system, and the information is stored as scanned pages rather than straight digital information, then where exactly are the big risk factors? Hackers would hate stuff like this, it's way too much work.

    I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks.

    Remember, that information does have to be provided because customs is looking to see who pays for air travel as well as who travels.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Rekrul, Jul 21st, 2014 @ 8:06pm

    Re: Re:

    So unless you want to go in person and only buy in cash for everything...good luck.
    Hell the act of doing that itself in 20 years will likely raise flags itself.


    It already does...

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    Coyne Tibbets (profile), Jul 21st, 2014 @ 10:47pm

    Omission

    You forgot to include: After your strip search, they also hand over your underwear.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    derp, Jul 21st, 2014 @ 11:27pm

    Re: Re: Re:

    paying cash and travelling one way is pretty much all that they need to set off flags.

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    PaulT (profile), Jul 22nd, 2014 @ 12:47am

    Re:

    "Is the information actually stored on computer as digital data or as a scanned page?"

    ...and that matters when someone accesses the datastore anyway... how? You do realise that a "scanned page" is still stored digitally and therefore a security risk, right, even if you don't consider the fact that decent OCR would make the difference between actual plain text and, say, a PDF rather trivial once access is gained? Even manually reading the scanned pages would be a massive breach if someone manages to gain access.

    "is this data actually available via an online system, or is it in a private, non-connected system?"

    Or, is the system designed poorly enough so that a direct connection to the internet doesn't matter?

    For example: Target's security breach last year affected systems that were not online, but an attack on a 3rd party HVAC supplier enabled a potential 110 million credit cards to be compromised. (example article http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ - there's a lot more online if you actually wish to educate yourself).

    Perhaps instead of rejecting every possible criticism again, and "wondering" about ways to not admit that articles and comments may have a point you might wish to think this through for 2 minutes? Some criticism is valid, but you're yet to provide it.

     

    reply to this | link to this | view in thread ]

  26.  
    icon
    Sheogorath (profile), Jul 22nd, 2014 @ 7:44am

    Wow!

    Now I'mma go on an online spending spree, then report my debit card as stolen. When I'm asked how the thieves possibly got hold of my details in order to spend so much, I'll just link them to this article. Thanks!

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    John Fenderson (profile), Jul 22nd, 2014 @ 9:36am

    Re: Re: Re:

    "Hackers would hate stuff like this, it's way too much work."

    Script kiddies hate this stuff. Professional hackers love this stuff: it's why they get paid the big bucks.

    "I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks"

    But a nonconnected system doesn't mitigate the greatest security risks. Most serious security breaches do not come from the outside, they come from employees of the company holding the data (disgruntled, bribed, whatever employees). Keeping a system disconnected from the internet doesn't affect those attack vectors at all.

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    robert spano, Jul 22nd, 2014 @ 9:46am

    gov't storing credit card #'s

    They are using the credit cards to fund their covert operations and to buy cocaine which they use in incredible amounts. Why else would they be so paranoid?

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Advertisement
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Techdirt Reading List
Advertisement
Recent Stories
Advertisement
Support Techdirt - Get Great Stuff!

Close

Email This

This feature is only available to registered users. Register or sign in to use it.