The great boarding pass/duty free con

Capetonian

The great boarding pass/duty free con

#1 Post by Capetonian » Sun Feb 14, 2016 12:00 pm

I rarely buy 'duty free' goods as they are generally of little value, but passing frequently through many airports, I often buy a newspaper, packet of sweets, book, or similar small items.

The great boarding pass con recently had a great deal of exposure in the UK press, and it was proved beyond doubt that there is no reason for salespeople in airside shops to ask for boarding passes where non-dutiable goods are concerned. That restricts it to items such as alcohol, tobacco, perfume and girly stuff, and some electronics where there is differential pricing EU/non EU.

I have long been refusing to let them scan my boarding pass when it is not necessary (i.e. when travelling within the EU and/or when buying non-dutiable items), although I would let them see it, and got really pissed off when buying a newspaper and a chocolate at the pointless and intrusive request to 'scan your boarding pass, sir'. I generally used to say 'not unless you can show me proof of a legal requirement for me to do so', which they never could. Sometimes they'd bluff, sometimes they'd carry on and ring up the goods, sometimes they'd refuse to sell it, and in one extreme case the stupid cow at World Duty Free, the worst offenders, the most arrogant barefaced liars as they were exposed to be, said: "If you refuse to let me scan your boarding pass I'll have to call security..." and I told her to go ahead, and she did!

What many people don't realise is that the boarding pass often contains (apart from the obvious) not just the passenger's full names and passport number, but also the airline's booking locator.
That on its own does not present a great risk, but in the hands of an accomplice with the wrong intent and access to an airline reservation system (and such a person would not be hard to find at an airport), the record locator could give access to all or some of the following, depending on the level of access:
Name
Address
Telephone numbers and email address
Date of birth
Passport number/issue date/expiry date
Credit card number, expiry, CVV number, and billing address
Full airline FF profile
details of itinerary
... more than enough for identity fraud and credit card fraud. Not to mention that it wouldn't be difficult to work out how long someone will be away, leaving their home empty.

I recently took this up with Barcelona airport, where they refused to let me buy a few bars of chocolate and some turrón if I wouldn't show my boarding pass, so I decided to take it up with the authority:
From: xxxxxxxxxxx@gmail.com
Date: 29 December 2015 at 00:16
Subject: Boarding pass control in shops
To: bcninformacion@aena.es, administracionelectronica@aena.es

Dear Sirs

I need to know why your airport shops require scanning of a boarding pass for all purchases, when the passenger is travelling from Spain to an EU destination. Specifically, I require to know where this is legally mandated and by whom.

If you are unable to answer this question fully and adequately, please put me in contact with the appropriate authority.

Thank you

This was the meaningless and untrue 'response' I got.
Dear xxxxxx

In response to your mail, we inform you that in order to comply with the regulations of the Tax Administration, World Duty Free Group is obliged to ask for the boarding pass of each passenger who buys in its travel value/duty free shops.

Unlike other shops in the airport, the products sold in travel value/duty free shops are held under suspension arrangements for VAT and excise duties; therefore only at the moment the item is sold to the passenger, after checking the destination shown on the boarding pass, can the applicable fiscal regime be determined and the taxes due be paid to the Tax Administration on the passenger's behalf.

This procedure does not allow World Duty Free Group to claim from the Tax Administration a refund of any tax paid by the passenger. On the contrary, this procedure, required by the Tax Administration, allows World Duty Free Group to sell in its shops products under suspension arrangements for VAT and excise duties and to pay, on the passenger's behalf, the taxes whenever they are due.

We ask you to understand that this is not an arbitrary decision made by our company, but a required requisite in all airport shops in the world, hence a legal and necessary process.

In the hope of clarifying your claims and doubts, we put at your disposal the WDFG Customer Service Department, where you can make any suggestion via our toll-free line 900.25.24.23 and the e-mail address atencion.clientes@wdfg.com, which will, without a doubt, help us towards our goal of continuous improvement and quality engagement with our clients.

Remember that you can contact us for any other information you may need.

Yours Sincerely,

Barcelona-El Prat Airport Information Office.
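Added worked example (not part of the post above, and not anyone's production code): a decoder for the fixed-width mandatory fields of an IATA Bar Coded Boarding Pass (BCBP) payload, the "M1..." string that the barcode on a paper or mobile pass encodes. It shows what the scanner at the till actually reads: the passenger's name and the airline's record locator (PNR) sit in the clear at fixed offsets, with no encryption. The sample pass is constructed (passenger, PNR, flight and seat are made up); the field widths are those of the BCBP "M" format.

```python
"""Decode the mandatory fields of an IATA Bar Coded Boarding Pass (BCBP) string.

Added example, not from the original post. The field layout follows the IATA
BCBP "M" format: one flight leg, 60 characters of mandatory fixed-width items,
no delimiters. The boarding pass below is a constructed sample.
"""
from __future__ import annotations

# (field name, width) for the mandatory items of a single-leg "M" format pass.
MANDATORY_FIELDS = [
    ("format_code", 1),            # 'M'
    ("legs", 1),                   # number of flight legs encoded
    ("passenger_name", 20),        # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),      # 'E'
    ("pnr", 7),                    # operating carrier record locator, space padded
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),            # day of year, e.g. 045 = 14 February
    ("compartment", 1),            # booking class
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),   # size of the optional block that follows
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)  # 60


def parse_bcbp(data: str) -> dict:
    """Slice the fixed-width mandatory fields out of a BCBP payload."""
    if len(data) < MANDATORY_LENGTH:
        raise ValueError(f"BCBP payload too short: {len(data)} < {MANDATORY_LENGTH}")
    if data[0] != "M":
        raise ValueError(f"unsupported BCBP format code {data[0]!r}")
    fields = {}
    pos = 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    # The optional block may carry frequent-flyer number, travel document
    # details and airline-specific items; its length is the hex field above.
    size = int(fields["conditional_size_hex"], 16)
    fields["conditional_block"] = data[pos:pos + size]
    return fields


def authentication_material(data: str) -> tuple[str, str]:
    """Return the (surname, PNR) pair that many airline portals accept as a login."""
    fields = parse_bcbp(data)
    surname = fields["passenger_name"].split("/")[0]
    return surname, fields["pnr"]


# Constructed sample pass: one leg, surname SMITH, PNR QX7K2P, LHR to BCN.
SAMPLE_PASS = (
    "M1"
    + "SMITH/JOHN".ljust(20)
    + "E"
    + "QX7K2P".ljust(7)
    + "LHR" + "BCN"
    + "BA".ljust(3)
    + "0478".ljust(5)
    + "045"            # 14 February
    + "Y"
    + "012C"
    + "0031".ljust(5)
    + "1"
    + "00"             # no optional items follow
)

if __name__ == "__main__":
    for name, value in parse_bcbp(SAMPLE_PASS).items():
        print(f"{name:22s} {value!r}")
    print("portal login material:", authentication_material(SAMPLE_PASS))
```

Any barcode-reader app gives you the same 60 characters; `authentication_material` is the point: surname plus PNR is exactly the pair the retrieval portals discussed later in this thread treat as the password.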

Rwy in Sight
Chief Pilot
Posts: 6740
Joined: Wed Aug 26, 2015 8:04 pm
Location: Lost in an FIR somewhere

Re: The great boarding pass/duty free con

#2 Post by Rwy in Sight » Sun Feb 14, 2016 7:03 pm

It seems you will never buy chocolates and other items in Barcelona.

What happened when security arrived?

Seriously now, it all comes down to whether you need the items more than they need your data. In any case, thank you very much for the warning about how much data is stored on the boarding pass.

Pinky the pilot
Chief Pilot
Posts: 2510
Joined: Tue Aug 25, 2015 3:20 am
Location: Back home, looking for a bad bottle of Red
Age: 69

Re: The great boarding pass/duty free con

#3 Post by Pinky the pilot » Mon Feb 15, 2016 1:21 am

"...however a required requisite in all airport shops in the world, hence, a legal and necessary process."

Most interesting Capetonian, I have purchased numerous items at Duty Free shops in Japan when on my way back to Australia and have never been asked for my boarding pass! :-?
You only live twice. Once when you're born. Once when you've looked death in the face.

OFSO
Chief Pilot
Posts: 18600
Joined: Sat Aug 22, 2015 6:39 pm
Location: Teddington UK and Roses Catalunia
Age: 80

Re: The great boarding pass/duty free con

#4 Post by OFSO » Tue Feb 16, 2016 9:16 pm

You have to PAY for the items at Barcelona duty-free ? My goodness, I thought they were provided free and you just stuffed them into your pockets as fast as you could. Whatever will they be charging for next !

Octopussy2
Capt
Posts: 718
Joined: Mon Aug 24, 2015 9:40 am
Location: Au pied du Mont Saleve

Re: The great boarding pass/duty free con

#5 Post by Octopussy2 » Tue Feb 23, 2016 10:43 am

I'll produce mine for booze, perfume, fags, but not anything else. So far, no-one has insisted. They get a steely "Sorry I don't have it handy" (patently untrue) and the kind of look that says "your day will not be enhanced by an argument with THIS middle-aged woman".

The problem now is where you have to do the self-checkout (like WH Smith in H'row) and the machine insists on it. I don't think there's a way round that.

Woody
Chief Pilot
Posts: 10244
Joined: Tue Aug 25, 2015 6:33 pm
Location: Sir Kenny Dalglish Stand
Age: 59

Re: The great boarding pass/duty free con

#6 Post by Woody » Tue Feb 23, 2016 11:59 am

I love using the self-service machine at Smith's T5, as I'm staff and it always asks for a boarding card, so they have to leave the till and override the machine; they get really p***ed off :ymdevil:
When all else fails, read the instructions.

Capetonian

Re: The great boarding pass/duty free con

#7 Post by Capetonian » Tue Feb 23, 2016 2:14 pm

Those morons perhaps need to understand that if everyone used the self-service, they'd be out of jobs.
I refuse to use them for a number of reasons.

Capetonian

Re: The great boarding pass/duty free con

#8 Post by Capetonian » Sun Jan 01, 2017 11:20 pm

https://www.theguardian.com/technology/ ... ign=buffer

I have been banging on about this for years. It seems people are finally waking up. I know of at least 3 recent cases amongst acquaintances where CC fraud has taken place and I have been able to trace it, beyond reasonable doubt, to illegitimate access of data via an airline system.

Airline passenger details easy prey for hackers, say researchers

Worldwide system used to coordinate travel bookings between airlines is insecure and easy to exploit, experts reveal
[Photo: pictures of boarding passes posted to services such as Instagram can be used to acquire PNRs. Photograph: Instagram]

The worldwide system used to coordinate travel bookings between airlines, travel agents, and price comparison websites is hopelessly insecure, according to researchers.

The lack of modern security features, both in the design of the system itself and of the many sites and services that control access to it, makes it easy for an attacker to harvest personal information from bookings, steal flights by altering ticketing details, or earn millions of air miles by attaching new frequent-flyer numbers to pre-booked flights, according to German security firm SR Labs.

Known as Global Distribution Systems (GDS), the technology dates back to the 1960s, when one of the first companies in the field, Sabre, was founded. To most travellers, the technology is most obviously associated with the six-character Passenger Name Record (PNR) frequently used to enable online check-in and ticket retrieval.

The PNR system was also the route for many of the weaknesses demonstrated by Karsten Nohl and Nemanja Nikodijevic, the researchers who revealed the flaws at this year’s Chaos Communication Congress hacker convention in Hamburg. While it was presented at a hacker convention, “much less hacking was actually needed to exploit” the booking system, Nohl said.

At the core of many of the weaknesses was the standard use of just two pieces of information to authenticate a booking: the six-character PNR, combined with the user’s last name.

“If the PNR is supposed to be a secure password, then it should be treated like one,” Nohl said. “But they don’t keep it secret: it is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a barcode.”

However, the barcode is also easy to read using a number of apps, meaning many of the 80,000 travellers who have posted pictures on the #boardingpass tag on Instagram are at risk of information theft, as Nikodijevic demonstrated.

“This is supposed to be the only way of authenticating users,” Nohl said, “and it’s printed on pieces of paper you just throw away at the end of the journey.”

A bigger problem for most users, though, is that the six-character code is easy to guess. Each GDS provider (there are several, but the biggest two are Sabre, founded in 1960, and Amadeus, founded in 1987) uses a different system for generating them, but all have multiple problems that make them weaker than a simple six-character password.

For instance, some providers iterate the first two characters sequentially, meaning all the PNRs generated in one day will have the same opening characters. Others reserve some codes for specific airlines, again narrowing the range of guesses an attacker has to make.

Many of the portals into the GDS system also have minimal security features – or at least had minimal security features until Nohl and Nikodijevic notified them.

Some websites that have access to the system and allow you to use your PNR and last name to check the status of your flight offer no defences at all against an attacker guessing thousands of combinations a minute. The researchers were able to access multiple records. Looking for bookings under the name “Smith”, for example, and using a thousand randomly generated booking codes, five came back with active bookings.

Attackers could use that access to cancel a flight in exchange for airline credit and then use that to book new tickets. Or they could add your frequent flyer number to hundreds of flights and chalk up the air miles.

Even more damage could be done with the information contained in the booking. There is enough personal and flight data in them to craft convincing phishing emails purporting to report problems with the flights or bookings.

The PNR weaknesses are just scratching the surface of the problems with the GDS in general, the researchers said: there appears to be no good logging for who has accessed data and why, and access controls in general are almost non-existent, allowing anyone from any company involved in your booking to see the whole thing.

One saving grace, they said, was that the whole system might end up being rewritten anyway. As the “Smith” example shows, the namespace for booking codes is slowly filling up. Simply running out of characters for new bookings could force a rewrite of the system long before security fears do.

If not, Nohl suggested that a rise in cybercrime could do the same job. “Airlines sometimes notice this, but only when it becomes excessive,” he said. “I just hope it becomes so excessive that it can’t be ignored so that it gets fixed, because then the privacy issues get fixed as well. Privacy is never enough on its own.”
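Added worked example (not from the Guardian article or from SR Labs): the article's two technical points are that the six-character locator is a weak password whose effective keyspace shrinks further when a provider makes the leading characters predictable, and that retrieval portals accepted thousands of PNR-plus-surname guesses a minute without complaint. The code below puts a number on the first and gives the detection a portal operator should have had for the second: a sliding-window check over access logs that flags any client trying many distinct locators for one surname. The endpoint path, parameters, log format and all log lines are constructed for the example.

```python
"""Detect PNR enumeration against a booking-retrieval endpoint.

Added example; not code from the Guardian article or from SR Labs. The
endpoint (/retrieve), its parameters, the log format and every log line
below are constructed. The detector flags a client that submits many
distinct six-character locators for one surname inside a short window; a
genuine passenger retries the same locator a handful of times at most.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log format: <iso timestamp> <client ip> "<request>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) '
    r'"GET /retrieve\?pnr=(?P<pnr>[A-Z0-9]{6})&surname=(?P<surname>[A-Z]+)" '
    r'(?P<status>\d{3})$'
)


def pnr_keyspace(alphabet_size: int = 36, length: int = 6, fixed_chars: int = 0) -> int:
    """Locators an attacker must cover when `fixed_chars` leading characters
    are predictable (a provider that increments the first two characters per
    day, as the article describes, leaves only 36**4 to guess)."""
    return alphabet_size ** (length - fixed_chars)


def parse_line(line: str):
    """Return a dict for a retrieval request, or None for any other log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Map (ip, surname) -> peak number of distinct PNRs tried within `window`,
    for every pair whose peak exceeded `threshold`."""
    attempts = defaultdict(list)            # (ip, surname) -> [(ts, pnr), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            attempts[(ev["ip"], ev["surname"])].append((ev["ts"], ev["pnr"]))

    alerts = {}
    for key, events in attempts.items():
        events.sort()
        in_window = defaultdict(int)        # pnr -> occurrences inside the window
        start = 0
        for ts, pnr in events:
            in_window[pnr] += 1
            # Slide the window's left edge forward past attempts that aged out.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


def make_sample_log():
    """Constructed log: one enumerating client, one legitimate retrying client."""
    t0 = datetime(2016, 12, 27, 10, 0, 0)
    lines = []
    # Attacker walks 30 locators sharing a predictable 'AB' prefix, one every 2 s;
    # two of them happen to hit live bookings (200), the rest miss (404).
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        status = 200 if i in (7, 19) else 404
        lines.append(f'{ts} 203.0.113.5 "GET /retrieve?pnr=AB{i:04d}&surname=SMITH" {status}')
    # Genuine passenger retries the same locator after a failed first attempt.
    for i, status in enumerate((404, 200)):
        ts = (t0 + timedelta(seconds=30 + i)).isoformat()
        lines.append(f'{ts} 198.51.100.7 "GET /retrieve?pnr=HJ4M8Z&surname=JONES" {status}')
    lines.append('2016-12-27T10:01:00 198.51.100.7 "GET /static/logo.png" 200')  # unrelated request
    return lines


if __name__ == "__main__":
    print("full keyspace:", pnr_keyspace())
    print("with two predictable leading characters:", pnr_keyspace(fixed_chars=2))
    for (ip, surname), peak in detect_enumeration(make_sample_log()).items():
        print(f"ALERT {ip} tried {peak} distinct PNRs for surname {surname}")
```

The detector keys on distinct locators per surname rather than on failed requests alone, because an enumerator that has guessed the namespace density well will see a steady trickle of 200s among the 404s; counting only errors would under-report it. In production the same logic would sit behind a rate limiter or lockout, not only an alert.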

ExSp33db1rd
Chief Pilot
Posts: 3229
Joined: Sat Sep 12, 2015 1:51 am
Location: Lesser Antipode
Age: 89

Re: The great boarding pass/duty free con

#9 Post by ExSp33db1rd » Mon Jan 02, 2017 8:45 am

Didn't know, thanks, I'll take delight now in refusing. THEY need my money more than I need their goods.

Capetonian

Re: The great boarding pass/duty free con

#10 Post by Capetonian » Mon Jan 02, 2017 9:49 am

I'll go into this in a little more detail,

A few weeks ago, as I waited to board a flight, I heard the man in front of me telling his wife that he hadn't bought her something she'd asked for from 'Duty Free' as they wanted to scan his boarding pass and he felt it was intrusive. I ended up chatting to him, very nice chap... Anyway, I gave him my view on this and explained exactly how and why it was intrusive. We exchanged emails and he sent me a scan of his boarding pass and asked me to email him back with what it revealed.

I was able to immediately obtain, just on retrieving the PNR, which any employee of the airline, or in most cases across an airline alliance, with access to the reservations/ticketing side of the system would have:
Full names
Passport number, date of issue and expiry, place of issue, nationality
Date of birth
Home and office phone numbers
Address for CC billing
First and last 4 digits of his CC
Full itinerary
Email address

With a slightly higher level of access, which a more senior airline employee, for example someone in accounting or revenue management would have, I was able to get his full CC number including the CVV and date of expiry, his Frequent Flyer Profile, and through that, details of his past and future travel plans which would have led me to the same details in respect of anyone with whom he had booked to travel together (and that could have been his family, mistress etc!)

I emailed him with that, obviously xxxxing out parts of the numbers and so on in the email but telling him I was able to view it all.

His comment to me when he emailed me back was : "**** me sideways, I thought at first you were **** me. I hope you're honest!"

I think that what people don't realise is that an airport cleaner, for example, could pick up a discarded boarding pass, and working in cahoots with an airline employee, get all or some of that information. A lot of it is available (although it's a more convoluted process) from the information on the baggage tag as well. It really is a problem most people are unaware of.

Capetonian

Re: The great boarding pass/duty free con

#11 Post by Capetonian » Tue Jul 16, 2019 7:27 pm

The only part of this which surprises me is that it hasn't had more exposure before now.
Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y'all boarding passes to spies
Patched IDOR hole would have been child's play to exploit

Updated A now-patched vulnerability in the Amadeus flight reservation system – used by airlines around the planet – could, or may, have been exploited by miscreants to view strangers' boarding passes.

David Stubley, CEO at UK security consultancy 7 Elements, told us last night he discovered the privacy-busting flaw, which was present in the Amadeus check-in application used by airlines.

Specifically, Stubley explained, when a traveler went to view their boarding pass, Amadeus presented the paperwork on a page with a URL that includes the passenger's ID number. This ID number could be changed to another number to call up other boarding passes from other Amadeus customers, such as British Airways, Air France, and United Airlines, without any further authentication. Just change the number in the web address bar and hit enter to fetch the pass for that ID number.

This is a classic insecure direct object reference (IDOR) vulnerability, which can be exploited to enumerate through records that otherwise should be off limits. Here is an example check-in URL with the passenger's ID number in bold:

https://checkin.si.amadeus.net/1ASIHSSC ... uctIndex=0

Stubley told The Register the flaw could be exploited in both websites and apps for airlines that use Amadeus's technology to handle their reservations and boarding passes – that's roughly half of the world's major carriers.

"Originally it was found when using an airline's mobile app for check-in," the CEO said. "Once you have the URL you can then access directly without needing to use the website or mobile app."

The bug was privately disclosed to Amadeus and was patched prior to public disclosure, so airlines and their customers are already protected. Still, the disclosure is hardly a ringing endorsement for Amadeus in the wake of the company's previous infosec gaffes.

The ability to pull up boarding passes would, at best, be a potential disclosure of personal information as a snoop could see things like flight dates and times, and possibly use that to collect other information.

More seriously, the downloaded boarding passes would be valid, meaning a scumbag who printed out the pass, arrived before the actual customer, and was able to somehow get past security could use it to get into restricted areas or a flight.

"It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside," said Stubley. "However, those controls are not uniformly deployed across all airports."

Amadeus sent us the following statement:

“Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution. Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers.” ®
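Added worked example (not Amadeus code, and not from The Register): the bug described above is an insecure direct object reference, a lookup keyed on an identifier the client controls with no check that the caller is entitled to that record. The record store, session object and both lookup functions below are hypothetical stand-ins for the pattern in the article. The vulnerable version trusts the ID in the URL alone; the fixed version resolves the pass through the booking the caller actually authenticated for, and returns the same "not found" for foreign and nonexistent IDs so the endpoint cannot be used to enumerate valid ones.

```python
"""Insecure direct object reference on a boarding-pass lookup, and the fix.

Added example, not Amadeus code. Records, sessions and endpoints are
hypothetical stand-ins for the pattern The Register describes: a boarding
pass fetched by a passenger ID carried in the URL.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BoardingPass:
    passenger_id: int
    pnr: str
    surname: str
    flight: str
    seat: str


# Constructed records: two unrelated bookings, one with a travelling companion.
PASSES = {
    1001: BoardingPass(1001, "QX7K2P", "SMITH", "BA0478", "12C"),
    1002: BoardingPass(1002, "HJ4M8Z", "GARCIA", "AF1148", "21A"),
    1003: BoardingPass(1003, "QX7K2P", "SMITH", "BA0478", "12D"),  # same PNR as 1001
}


@dataclass
class Session:
    """What the check-in portal knows after the PNR + surname login step."""
    pnr: str
    surname: str


class NotFound(Exception):
    pass


def fetch_pass_vulnerable(passenger_id: int) -> BoardingPass:
    """Looks up by the ID from the URL only: the IDOR. Whoever reaches the
    endpoint can walk the ID space and pull every pass."""
    try:
        return PASSES[passenger_id]
    except KeyError:
        raise NotFound(passenger_id) from None


def fetch_pass_fixed(session: Session, passenger_id: int) -> BoardingPass:
    """Scope the lookup to the booking the session authenticated for."""
    bp = PASSES.get(passenger_id)
    # Authorise against server-side session state, never against request
    # parameters; a companion on the same PNR is allowed, anyone else is not.
    if bp is None or bp.pnr != session.pnr or bp.surname != session.surname:
        # Identical failure for "not yours" and "does not exist": no oracle
        # that tells an attacker which IDs are live.
        raise NotFound(passenger_id)
    return bp


def enumerate_ids(fetch, start: int, stop: int):
    """What the attacker does: change the number in the address bar and hit
    enter, for every ID in the range. Returns the (id, surname) pairs obtained."""
    found = []
    for pid in range(start, stop):
        try:
            found.append((pid, fetch(pid).surname))
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    smith = Session(pnr="QX7K2P", surname="SMITH")
    print("vulnerable endpoint leaks:", enumerate_ids(fetch_pass_vulnerable, 1000, 1010))
    print("fixed endpoint yields:    ", enumerate_ids(lambda pid: fetch_pass_fixed(smith, pid), 1000, 1010))
```

Stubley's note that a spent boarding pass may be refused at the gate is a compensating control; the fix above is the actual one, an authorisation check bound to the session rather than to anything in the request. Logging the rejected lookups per session would also catch the enumeration the vulnerable version makes free.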
