Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption
from the incredible dept
Ars Technica’s Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear.
Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.
?Why isn?t the government complying with even the most basic cybersecurity standards?? Cate said. ?Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ?unfair? to the public. Why do transportation security officials not comply with even these most basic standards??
Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 — suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we’ve seen in the past, if there’s one government agency that appears to be able to get away with anything with absolutely no oversight at all, it’s Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they’re getting all this information on Americans, it seems like they’re creating a much bigger security risk in storing (and passing around) all such info in the clear.
Filed Under: credit cards, customs and border patrol, cyrus farivar, dhs, foia, homeland security, passenger name records, pnr, travel, unencrypted
Comments on “Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption”
Good Guys
Why do transportation security officials not comply with even these most basic standards?”
Because “we’re the good guys, so it’s all fine”
Re: Good Guys
If you outlaw privacy violations, only criminals get to violate your privacy.
— National Snooping Association
Re: Re: Good Guys
How could you possibly mess that up!
“If you outlaw privacy violations, then only criminals violate your privacy.” is how this should have went! Like the “If you outlaw guns, then only criminals will have them!” saying.
They don’t “get to” anything. Outlawing something gives the police tools to bring people to justice with. Well supposed to be used for justice anyways…
But it is clear that the government has become a criminal organization right in front of our faces.
Re: Good Guys
I think it is something international where the old politicians have lacked understanding for security matters since “the good dollars” told them it was all fine. Security is hard to convince someone about the importance of untill they see a reason for it (after the accident etc.). Also: So far the reasons against prioritizing security (NSA!) has weighed heavier than the reasons for.
Why do transportation security officials not comply with even these most basic standards?”
Because fuck the public, that’s why.
i decided a long time ago that buying anything over the ‘net is a bad idea. that impression continues to get stronger and stronger.
Re: Re:
They would keep this exact same information about you if you bought this over the phone.
So unless you want to go in person and only buy in cash for everything…good luck.
Hell the act of doing that itself in 20 years will likely raise flags itself.
Re: Re: Re:
Buying plane tickets today in cash will raise flags, and that’s been true for probably a decade.
Re: Re: Re:
So unless you want to go in person and only buy in cash for everything…good luck.
Hell the act of doing that itself in 20 years will likely raise flags itself.
It already does…
Re: Re: Re: Re:
paying cash and travelling one way is pretty much all that they need to set off flags.
Two quick questions: Is the information actually stored on computer as digital data or as a scanned page?
More importantly, outside of the FOI request, is this data actually available via an online system, or is it in a private, non-connected system?
Just wondering.
Re: Re:
Answer to both questions:-
It does not matter, as either a computer hack, a lost DVD, or malicious copy to a thumb drive can put the data into a criminals hands.
Re: Re:
If stored as a page, then it doesn’t matter whether or not it’s available via some online-system or in a non-connected system. It means that anyone could have looked up this dude’s credit card details with no problem whatsoever.
Besides, since he booked online, it would have had to be stored digitally to begin with.
Even though it is his credit card, it should have at the very least, been redacted to some degree. For example, just this minute, I’ve checked my credit card details on Amazon. Despite the fact that I just authenticated who I am with them by entering my user name and password, the image that is given to me only shows the last four digits of my credit cards.
Re: Re: Re:
the image that is given to me only shows the last four digits of my credit cards.
I would expect so, because anyone could have hacked your account. I don’t think that anyone could have hacked a FOI request, could they?
It means that anyone could have looked up this dude’s credit card details with no problem whatsoever.
How, exactly? What I am trying to figure out is if this is in a non-connected system, and the information is stored as scanned pages rather than straight digital information, then where exactly are the big risk factors? Hackers would hate stuff like this, it’s way too much work.
I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks.
Remember, that information does have to be provided because customs is looking to see who pays for air travel as well as who travels.
Re: Re: Re: Re:
“Hackers would hate stuff like this, it’s way too much work.”
Script kiddies hate this stuff. Professional hackers love this stuff: it’s why they get paid the big bucks.
“I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks”
But a nonconnected system doesn’t mitigate the greatest security risks. Most serious security breaches do not come from the outside, they come from employees of the company holding the data (disgruntled, bribed, whatever employees). Keeping a system disconnected from the internet doesn’t affect those attack vectors at all.
Re: Re:
“Is the information actually stored on computer as digital data or as a scanned page?”
…and that matters when someone accesses the datastore anyway… how? You do realise that a “scanned page” is still stored digitally and therefore a security risk, right, even if you don’t consider the fact that decent OCR would make the difference between actual plain text and, say, a PDF rather trivial once access is gained? Even manually reading the scanned pages would be a massive breach if someone manages to gain access.
“is this data actually available via an online system, or is it in a private, non-connected system?”
Or, is the system designed poorly enough so that a direct connection to the internet doesn’t matter?
For example: Target’s security breach last year affected systems that were not online, but an attack on a 3rd party HVAC supplier enabled a potential 110 million credit cards to be compromised. (example article http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ – there’s a lot more online if you actually wish to educate yourself).
Perhaps instead of rejecting every possible criticism again, and “wondering” about ways to not admit that articles and comments may have a point you might wish to think this through for 2 minutes? Some criticism is valid, but you’re yet to provide it.
We’re from the government, and we’re here to help you.
A few observations
1. For those who engage in periodic travel, this is a security problem: anyone examining the records will quickly be able to deduce that, for example, they spend every fourth week out of the country.
2. Since credit cards numbers are stored in the clear in this database, what reason do we have to believe that they were transmitted to this database in encrypted form?
3. What access controls and what auditing exists to control and log user access to this data? Are they any better than the NSA’s? If not, then what stops a rogue employee from downloading 40,000 records and selling the data to carders?
4. Is this data being shared with any foreign government? If so, which? Why?
5. If this data isn’t being shared with any foreign government (deliberately) then how do we know it’s not being “shared” because they’ve helped themselves to it?
6. Did it occur to anyone involved in the design and construction of this database that they were building the motherlode for kidnappers, extortionists, terrorists and others? (After all: knowing that someone flies to a certain country regularly, books a first-class ticket, pays for it with an AmEx card, orders a gourmet meal, etc., will be of great help in identifying a wealthy person whose company/family will be willing to pay a sizable ransom.)
Re: A few observations
Strange but true:
For a brief period in the late 60s/early 70s, newspaper society pages in Los Angeles would publish passenger lists of cruises and whatnot.
And while the elite were away having a romp, legitimate-looking crews would show up at their houses and remove their lawns.
Sod was at a premium in those days.
I don’t like that they store such detailed records, but I’m glad that they’re ignoring even basic cybersecurity practises in its storage. Storing it insecurely makes it easier to characterize them as having a blatant disregard for the negative consequences they inflict on other people.
This illustrates an aspect of the NSA data collection I find the deeply troubling. I’m not particularly worried about the NSA coming after me, but I don’t trust them to keep their data about me secure. Heck, these guys have an incentive to make systems less secure in general. What incentive do they have to keep my data safe? Congressional “ovesight?”. This CBP data only confirms my fears.
A couple years back, LinkedIn got hacked, and due to lax data security, personal details of 6.5 million users got stolen. This resulted in a $5M class-action lawsuit for negligence.
How many US citizens have traveled by plane since March of 2005? I bet it’s a lot more than 6.5 million!
At this rate, all members of the Free Software Foundation will start traveling abroad on foot.
Just to be picky: CBP = Customs and Border Protection, not Patrol…
All your data are belong to...everybody.
Isn’t the CBP just a bunch of mooks for the RIAA and MPAA?
This is one of the big issues that surfaced with the NSA which Snowden keeps validating, is that the people who run these intelligence agencies seem to still believe we’re in the 1960s.
If the NSA has collected all your data, you are not just endangered by the feds taking issue with you, but also the attention of every other corporate or national interest who has a low-level mole in the NSA.
The problem is going to be ten times worse in an organization like the CBP who has no awareness of the need for data security, given its just a bunch of mooks for the RIAA and MPAA.
Omission
You forgot to include: After your strip search, they also hand over your underwear.
Wow!
Now I’mma go on an online spending spree, then report my debit card as stolen. When I’m asked how the thieves possibly got hold of my details in order to spend so much, I’ll just link them to this article. Thanks!
gov't storing credit card #'s
They are using the credit cards to fund their covert operations and to buy cocaine which they use in incredible amounts. Why else would they be so paranoid?