by fredley 3190 days ago
It's amazing that with the algorithmic power Facebook brings to bear on every photo you upload, finding faces etc., that they can't spare a few cycles for security.

It would be simple to run barcode detection over any post and blur the result (maybe prompt the user just in case they actually wanted to post one?).

Almost any barcode is assumed to be private information, even a barcode on a store receipt can be used for return fraud in certain circumstances.

Saying 'don't post barcodes online' is all well and good, but that message will never reach the general public.

7 comments

The problem is not barcodes and it is not Facebook. The problem is airlines with security systems that went out of style in the 90’s.

You don’t print a paper with all the information you need to hijack accounts. You don’t use ‘secret questions’. You don’t treat birthdays as secrets. You don’t use a number as a secret if it’s on the ticket.

I was traveling with a friend and we could benefit from changing flights. So my friend went to the counter to just ask about the possibility. He had my boarding pass but not my passport. He returned 20 minutes later with both boarding passes changed. The counter staff just took his "word" for "he is my friend".

Edit: An hour later driving and thinking about it, I think it is the right move from the airline. The risk is small because identity theft and authentication hacking are not possible in this case. The airport is a highly controlled environment and thus someone pulling this will have a higher chance of getting arrested. In contrast, you can't just take anonymous IPs on the Internet at their word. You have to carefully authenticate them and even then you can still have issues.

If you booked the flight together then it is very probable that it's seen in the booking system that you travel together. So it was probably a little bit more than just his "word". (I'm, however, not judging if it was the correct action on the counter staff's behalf.)

A friend of mine was once travelling to Bali and she posted pictures of the boarding pass on Twitter. It was a few weeks after the CCC talk by Karsten Nohl and Nemanja Nikodijevic (https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...), so I warned her that it might not be the best idea to post these images. She was very self-assured and replied that she's almost in the plane so there's not much risk.

I asked if it would be OK for me to test and she was fine with it. I could log in to her booking without problems (the booking code and the name, which I knew anyway, were on the images). In the system I saw the other person she was travelling with, and I could change seats and names of passengers. I think I could even change the date of the flight back (but I'm no longer sure about it).

But this is how I'm pretty sure that if you've booked together, this might have been visible in the booking system.

At least here in Brazil, airlines are expected to authenticate you at boarding time and not a second earlier. This is the sanest option too, since they will have to authenticate you at boarding time anyway, and anything earlier will at most cause a mild economical loss for the company.
I always wonder about that. Often, in the line at the boarding gate several agents will walk around, compare your boarding pass with your passport (and your face), and then draw a squiggle on your boarding pass (sometimes with a coloured felt-tip pen, sometimes with a biro/ballpoint pen).

It seems to me that it would be trivial to squiggle on your boarding pass yourself, and then claim that you've been checked already. I wonder how much security theatre is happening there, too.

But usually when people get to the front of the line they still present both documents, the fact that 9/10 times the passport is ignored just makes it a judgement call by the ground staff.

Having spent some time working on staff management systems in airports I can say with some confidence that (at least in Australia) most of the ground staff will immediately flag someone not at least offering their passport, and/or trying to talk their way out of needing to do so, as sus.

And let's not forget that if your entire plan was to get on a plane under a fake name, it's a hell of a risk to just hope that you end up in a situation where some chap is squiggling on boarding passes.

If you booked the flights together, and paid together, it's probably pretty likely that you are travelling together.

If the flights were booked together, I don't think this is out of line.

In theory it still shouldn't be possible. The passenger owns the ticket, not the purchaser.

But that doesn't mean a smile and polite word won't get you around that...

Nope. That's not the case. In fact we live in different countries and booked from our countries (different countries/credit cards). I don't think of any possible thing that could make us related.
So what's going to happen is that 2 of the same person show up to the plane... and the copy cat goes on the plane and then you check in, and they say, nope, not you. And then you pull your passport. And then they go get the other person off the plane.
The scammer may have changed the flight time but it's still the original name and ID on the ticket. The scammer would have to fake your passport to be able to onboard as yourself. That's a pretty high bar.
And if the scammer moves your fare to an earlier flight, they get away and your ticket is void when you show up.
Chances are they'll figure this out before the flight in question lands, and have someone to arrest the scammer at the destination.
At worst, the company is a flight seat in the loss. Is this really worth protecting?
Has this happened?
And you get a change notification email and you call the airline and the scammer gets arrested.
The question is: What's the higher risk for the airline - that a bad person shows up in person, with a valid foreign boarding pass, to do some fraud with the risk of you coming to the counter shortly after or to have an unhappy customer if they resist (well yeah, airlines do much to avoid having happy customers ...)

The risk of someone doing real harm there is quite low ...

This is the case I've seen the most. It also really speaks to what is the ultimate security hole which is human error and social engineering. Granted your friend was not being malicious, the fact that it was that easy is scary.
Maybe this is not intentional social engineering, but a former customer working in the micro credit market once told me that the people from whom it's most difficult to get money back are friends, not strangers. Maybe he had an agenda (send your friends to me) but it matches my experience.
Exactly. I lost count how many times I was able to sweet talk my way past regular phone security measures while trying to access my own account after having forgotten security details. Now imagine I was a bad actor trying to get someone else's info.
Or it speaks to years of cost benefit analysis and outcome of someone doing this maliciously is so benign or so embedded within a trust chain that there's no benefit to closing that particular hole.

Not that I have any expertise in this particular situation, but not every 'threat' when armchair analysed in isolation is a threat when put into its correct domain and context.

Yes, you often only need the 6-char conf code and last name to change or cancel a random reservation.

The system is not set up for security, only for convenience, and assumes a world of 80-90s regulated travel with never-full planes and no change penalties. At the time (US) airlines were even honoring competitor tickets at the gate (assuming they had space, which they almost always did) -- show up with an AA ticket at a United gate and get it swapped for a United flight by the agent on the spot. Gratis.

The system had lots of problems, but malicious changes were not one of them.

>"The problem is not barcodes and it is not Facebook. The problem is airlines with security systems that went out of style in the 90’s."

No, the problem as outlined in the post is people not thinking through what they are sharing on social media.

You are correct sir.
> Almost any barcode is assumed to be private information

I don't think that's really the case, I've deliberately embedded QR codes in images on Facebook. Your feature would be very annoying if it could not be toggled off.

A nice feature would be for them to decode and display the barcode info when you're uploading.

Something like “This image contains the following info: <Sensitive info you didn't mean to share>. Would you like us to blur that out? (Y/n)”

This image contains the following info: (long line of gibberish, the boarding pass ID)

User: srsly fb? OK

Detecting if the embedded data is from a boarding pass is not difficult, nor is parsing it[0] and displaying it in a human-friendly format to "prove" that it's probably sensitive ("The boarding pass you posted belongs to John Smith and contains their American Airlines frequent flyer number. Are you sure you want to share this?")

[0] https://www.iata.org/whatwedo/stb/Documents/BCBP-Implementat...

Could also very easily link to documents explaining why that could be bad for the user.
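A sketch of the pre-upload check described in the comments above, as an added example that is not part of any comment in the thread. It assumes the barcode has already been decoded to text, covers only the 60-character mandatory section of an IATA BCBP "M" string, and uses hypothetical function names and a constructed sample pass.

```python
# Mandatory fixed-width items of a BCBP "M" string, first leg (60 characters).
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("checkin_seq", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)

# Constructed sample: invented passenger, booking code and placeholder carrier "XX".
SAMPLE = ("M1" + "SMITH/JOHN".ljust(20) + "E" + "ABC123".ljust(7) + "JFKLHR"
          + "XX ".ljust(3) + "0123".ljust(5) + "226" + "Y" + "012A"
          + "0042".ljust(5) + "1" + "00")


def parse_bcbp(text):
    """Return the mandatory fields as a dict, or None if text is not BCBP-shaped."""
    if len(text) < MANDATORY_LEN or text[0] != "M" or text[1] not in "1234":
        return None
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = text[pos:pos + width].strip()
        pos += width
    # Plausibility checks so ordinary QR payloads (URLs, vCards) are not flagged.
    if not (out["from_airport"].isalpha() and out["to_airport"].isalpha()):
        return None
    if not out["julian_date"].isdigit() or not 1 <= int(out["julian_date"]) <= 366:
        return None
    try:
        out["conditional_len"] = int(out["conditional_size_hex"], 16)
    except ValueError:
        return None
    return out


def upload_warning(decoded_text):
    """Build the prompt shown before posting; None means nothing to warn about."""
    bp = parse_bcbp(decoded_text)
    if bp is None:
        return None
    surname, _, given = bp["passenger_name"].partition("/")
    pnr = bp["pnr"]
    masked = pnr[:1] + "*" * (len(pnr) - 1)  # never echo the full code back
    extra = " plus airline-specific extra data" if bp["conditional_len"] else ""
    return (f"This image contains a boarding pass for {given.title()} "
            f"{surname.title()} ({bp['from_airport']}-{bp['to_airport']}, "
            f"booking reference {masked}){extra}. Blur the barcode before posting?")
```

Because the check only fires on text that fits the boarding-pass layout, deliberately shared QR codes such as URLs pass through without a prompt.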
Gotta weaken security for everyone because you want your embedded QR codes? Most likely the only person on FB who has done this.
Isn't embedding QR codes the reason they were created in the first place? It's an optical data format designed to be easy for computers to read.

You're basically evaluating the cryptographic merits of CSV.

> You're basically evaluating the cryptographic merits of CSV.

I am not. I am weighing features vs unintended harm. Yes, the airlines shouldn't be including this data in the barcodes. It is improper to expose end users to this liability. And simply telling them not to expose them isn't a solution.

But if FB can detect harmful barcodes in an image, by all means they should remove the photo.

This is no different than Github scanning for AWS creds or MongoDB passwords in repos.

>This is no different than Github scanning for AWS creds or MongoDB passwords in repos.

But Github doesn't do that either.

Amazon pays a contractor to scan Github repos for keys.

Is there any data in the barcode that's not also printed (in plain text) on the boarding pass?
There is, that is the issue. DoB specifically, which in the US is used (dumbly) as PII.
Yes, they were meant for efficient consumption. The 'Q' is for quick.
Facebook has a billion users. To think that anything someone does there is the first or only time it happens is probably incorrect.
If something is a security issue for 99% of users, the 1% will have to just accept it.

Case in point: app sandboxing. I, for one, don't want it, but it's everywhere.

What if it turns out to be 70/30 or 50/50?

Stuff like this should be configurable or over-ridable, especially when it has legitimate uses.

There will always be a balancing act between features, security and usability, to ram the needle one way and to say 'tough luck' to everybody else is not a solution because then people will try to find ways around the block.

As a programmer, the problem with feature toggles is this: let's say we have 1 feature toggle with on being 1 and off being 0.

For one feature that means we have

    1,0 states (two states).
For two features we have

    1,0/1,0 (four states).
By the time you get to 10 feature toggles you have

    1111111111 (1024 possible states).
In case I wasn't clear hammering home this obvious (to us but sadly not managers usually) point, feature flags are binary and when you have 16 of them you have 65536 possible states.

Now as a programmer that frightens me because the possible paths through the system have become incredibly large for us to handle and it's a UX/UI disaster unless handled very carefully. You end up with features that interact with other features (set a do not back up flag on a file, then a different flag for always back up all files) in unpredictable ways for us and for users.

You see this complexity in things like hierarchical role based permission systems and the like.

Not sure what the solution is but I can understand why programmers and users push back on adding features (not least because as a programmer I know that doubling the complexity for 1-5% of users just seems like a poor trade off in general - there are of course specific cases where it makes sense like the 5% of users is roughly the percentage who are paying for your product etc.).

They should make it opt-out.
That is a pedantic response. Replace "only" with some mathematically qualified low number of pictures on facebook that have legitimate barcodes in them. Is it more than 1:100_000 photos posted? Probably not.
I’ve seen people and business pages post Snapchat and LINE QR codes
The issue here is the airlines, not Facebook...
It's both.

Facebook already scans the image, probably even for QR codes, they could prevent users from harming themselves. And airlines shouldn't expose this info in the first place.

>"It's amazing that with the algorithmic power Facebook brings to bear on every photo you upload, finding faces etc., that they can't spare a few cycles for security."

Do you really believe the problem here is FB? Do you really believe FB should be the arbiter of what incidental information their users' pictures can and can not convey?

And even if they did parse pictures for sensitive data do you believe that FB, given what we know about them would simply redact that information from photos and then discard that sensitive data? I think we can safely assume that FB doesn't discard data on individuals.

No not at all! I'm just making a point that for a company that oversees an enormous proportion of all the user-uploaded images in the world could make a big impact with a relatively small extension to the processing they already do on uploaded photos. I'm not saying any blame is directed at Facebook. While a certain blame does lie with the airline industry, airline ticketing systems were designed and built way before the web and ubiquitous cameras. To change such a system is non-trivial, given that it operates in every(?) country in the World all the time, and is safety and security-critical.

Since there's no obvious single entity to blame (and even if there is, so what?), we should be working together to prevent and reduce attacks like this. Apart from anything, Facebook popping up a warning about a barcode would go a long way to making people realise that they contain easily readable, and potentially private information.

Also, given how well image classifiers work these days, how hard is it to do the same for photos of (physical) keys, bank cards, and other commonly posted things?

> Do you really believe FB should be the arbiter of what incidental information their users' pictures can and can not convey?

Aren't they already doing it for other stuff they don't want to see online?

Surely a nipple isn't a barcode and the legal implications aren't the same. And people sharing personal stuff ARE responsible for sharing that stuff.

So I guess it shows us again that FB is not our friend :)

Ha, yes you make a good point, I suppose this is already true. The removal of a posting of Nick Ut’s iconic Vietnam War photo certainly comes to mind. Cheers.
Aren't all the variations of bar codes just a way to make it easy for computers to read things? What other utility do they have?

It's a hilarious perversion of the technology to use computers to blur the thing we created so computers could read.

> Almost any barcode is assumed to be private information

Wouldn't the most common barcode be the EAN-13, which is not private information?

Most common? Yes, almost certainly. Most commonly posted in photos? I don't know (Facebook could know).
Facebook will probably target ads based on scraping data and machine learning from barcodes they recognize -- for their users' convenience of course, then blur them so their competitors can't do the same thing -- for their users' privacy of course.
Incentives.