by tinus_hn 3191 days ago
The problem is not barcodes and it is not Facebook. The problem is airlines with security systems that went out of style in the 90’s.

You don’t print a paper with all the information you need to hijack accounts. You don’t use ‘secret questions’. You don’t treat birthdays as secrets. You don’t use a number as a secret if it’s on the ticket.
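An added example (not from the post): a decoder for the mandatory block of an IATA Bar Coded Boarding Pass (BCBP), which is what the 2D barcode on a boarding pass carries. The sample pass and passenger name are constructed, and the field widths are assumed to follow the public IATA layout; the point is to see that the booking reference (PNR) and surname, the two values most "manage my booking" pages accept as the whole credential, are printed in clear on the pass.

```python
# Decoder for the mandatory fields of an IATA BCBP boarding-pass barcode.
# Field widths are assumed to follow the public IATA BCBP layout; the sample
# pass below is constructed for illustration and belongs to no real passenger.

BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("electronic_ticket", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_len", 2),
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)  # 60 characters


def decode_bcbp(raw: str) -> dict:
    """Split the fixed-width mandatory block into named, whitespace-stripped fields."""
    if len(raw) < MANDATORY_LEN or raw[0] != "M":
        raise ValueError("not a BCBP mandatory block")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    return fields


def booking_credential(fields: dict) -> tuple:
    """Return (PNR, surname): the pair a booking-management page typically
    accepts as the entire login. Both sit in clear in the barcode."""
    surname = fields["passenger_name"].split("/")[0]
    return fields["pnr"], surname


# Constructed sample: one leg, e-ticket, PNR ABC123, YUL -> FRA on AC 0834,
# day 226 of the year, first class, seat 1A, check-in sequence 25.
SAMPLE = ("M1" + "DESMARAIS/LUC".ljust(20) + "E" + "ABC123".ljust(7)
          + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5) + "226" + "F"
          + "001A" + "0025".ljust(5) + "1" + "00")

if __name__ == "__main__":
    decoded = decode_bcbp(SAMPLE)
    pnr, surname = booking_credential(decoded)
    print(f"barcode exposes PNR={pnr} surname={surname} "
          f"flight={decoded['carrier']}{decoded['flight_number']} seat={decoded['seat']}")
```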


I was traveling with a friend and we could benefit from changing flights. So my friend went to the counter to just ask about the possibility. He had my boarding pass but not my passport. He returned 20 minutes later with both boarding passes changed. The counter staff just took his "word" for "he is my friend".

Edit: An hour later, driving and thinking about it, I think it is the right move from the airline. The risk is small because identity theft and authentication hacking are not possible in this case. The airport is a highly controlled environment and thus someone pulling this will have a higher chance of getting arrested. In contrast, you can't just take anonymous IPs on the Internet at their word. You have to carefully authenticate them and even then you can still have issues.

If you booked the flight together then it is very probable that it's seen in the booking system that you travel together. So it was probably a little bit more than just his "word". (I'm, however, not judging if it was the correct action on the counter staff's behalf.)

A friend of mine was once travelling to Bali and she posted pictures of the boarding pass on Twitter. It was a few weeks after the CCC talk by Karsten Nohl and Nemanja Nikodijevic (https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...), so I warned her that it might not be the best idea to post these images. She was very self-assured and replied that she's almost on the plane so there's not much risk.

I asked if it would be OK for me to test and she was fine with it. I could log in to her booking without problems (booking code and the name, which I knew anyway, were on the images). In the system I saw the other person she was travelling with. I could change seats and names of passengers. I think I could even change the date of the flight back (but I'm no longer sure about it).

But this is how I'm pretty sure that if you've booked together, this might have been visible in the booking system.

At least here in Brazil, airlines are expected to authenticate you at boarding time and not a second earlier. This is the sanest option too, since they will have to authenticate you at boarding time anyway, and anything earlier will at most cause a mild economic loss for the company.

I always wonder about that. Often, in the line at the boarding gate several agents will walk around, compare your boarding pass with your passport (and your face), and then draw a squiggle on your boarding pass (sometimes with a coloured felt-tip pen, sometimes with a biro/ballpoint pen).

It seems to me that it would be trivial to squiggle on your boarding pass yourself, and then claim that you've been checked already. I wonder how much security theatre is happening there, too.

But usually when people get to the front of the line they still present both documents, the fact that 9/10 times the passport is ignored just makes it a judgement call by the ground staff.

Having spent some time working on staff management systems in airports, I can say with some confidence that (at least in Australia) most of the ground staff will immediately flag someone not at least offering their passport, and/or trying to talk their way out of needing to do so, as sus.

And let's not forget that if your entire plan was to get on a plane under a fake name, it's a hell of a risk to just hope that you end up in a situation where some chap is squiggling on boarding passes.

If you booked the flights together, and paid together, it's probably pretty likely that you are travelling together.

If the flights were booked together, I don't think this is out of line.

In theory it still shouldn't be possible. The passenger owns the ticket, not the purchaser.

But that doesn't mean a smile and polite word won't get you around that...

Nope. That's not the case. In fact we live in different countries and booked from our countries (different countries/credit cards). I can't think of any possible thing that could make us related.

So what's going to happen is that 2 of the same person show up to the plane... and the copycat goes on the plane and then you check in, and they say, nope, not you. And then you pull out your passport. And then they go get the other person off the plane.

The scammer may have changed the flight time but it's still the original name and ID on the ticket. The scammer would have to fake your passport to be able to board as yourself. That's a pretty high bar.

And if the scammer moves your fare to an earlier flight, they get away and your ticket is void when you show up.

Chances are they'll figure this out before the flight in question lands, and have someone arrest the scammer at the destination.

At worst, the company is out one flight seat. Is this really worth protecting?

Has this happened?

And you get a change notification email and you can call the airline and the scammer gets arrested.
The question is: What's the higher risk for the airline - that a bad person shows up in person, with a valid foreign boarding pass, to do some fraud with the risk of you coming to the counter shortly after or to have an unhappy customer if they resist (well yeah, airlines do much to avoid having happy customers ...)

The risk of someone doing real harm there is quite low ...

This is the case I've seen the most. It also really speaks to what is the ultimate security hole, which is human error and social engineering. Granted your friend was not being malicious, the fact that it was that easy is scary.

Maybe this is not intentional social engineering, but a former customer working in the micro credit market once told me that the people from whom it is most difficult to get money back are friends, not strangers. Maybe he had an agenda (send your friends to me) but it matches my experience.

Exactly. I lost count of how many times I was able to sweet talk my way past regular phone security measures while trying to access my own account after having forgotten security details. Now imagine I was a bad actor trying to get someone else's info.

Or it speaks to years of cost-benefit analysis, and the outcome of someone doing this maliciously is so benign or so embedded within a trust chain that there's no benefit to closing that particular hole.

Not that I have any expertise in this particular situation, but not every 'threat' when armchair analysed in isolation is a threat when put into its correct domain and context.

Yes, you often only need the 6-char conf code and last name to change or cancel a random reservation.

The system is not set up for security, only for convenience, and assumes a world of 80s-90s regulated travel with never-full planes and no change penalties. At the time (US) airlines were even honoring competitor tickets at the gate (assuming they had space, which they almost always did) -- show up with an AA ticket at a United gate and get it swapped for a United flight by the agent on the spot. Gratis.

The system had lots of problems, but malicious changes were not one of them.

>"The problem is not barcodes and it is not Facebook. The problem is airlines with security systems that went out of style in the 90’s."

No the problem as outlined in the post is people not thinking through what they are sharing on social media.

You are correct sir.