Web: www.fishfotoworldwide.com -- E-Mail: fish@flyingwithfish.com
5/08/2008 - 'Clear' Registered Traveler User Information Stolen
For the past few days I have been reading rumours and reports of a laptop being stolen from the Verified Identity Pass company office on the 26th of July, at San Francisco International Airport (SFO).
What is the big deal with a company laptop being stolen from a company office? Normally it is not such a big deal, unless that company operates the "Clear" card scheme and is in charge of maintaining and operating the "Registered Traveler" program in the United States.
When a laptop was stolen from the Verified Identity Pass office, the security of the Registered Traveler program was compromised. The laptop contained the personal information of more than 33,000 Clear applicants and users. To make matters worse, none of this information was encrypted. The Clear-users file had only a double password to gain access. The files are far from secure, as a skilled hacker can get past two passwords and enter a non-encrypted file with some finesse.
What kind of information does this laptop contain in regard to more than 33,000 Clear card users? All the information you would need to steal someone's identity. These files include names, dates of birth, addresses, social security numbers and, in many files, a Clear card user's driver's license and/or passport number.
The Transportation Security Administration (TSA) has suspended any new applicants from seeking to sign up for the Clear card. While the TSA has suspended this application process at this time, it does mean that the overall security of the Registered Traveler program has been compromised. The TSA is charged with the security of the traveling public and Verified Identity Pass is a private company that oversees the security of the Registered Traveler program. How can these two entities place the very sensitive information of 33,000 Clear users into a file that is not encrypted?
Shouldn't the actual use of the Clear lane be suspended at this time? With all this stolen data, can we trust the true identity of those who will be applying for a Clear card in the future? Is it possible that an identity thief can use the stolen data of those who are in the Clear system without a passport to request all the required documents to illegally get a passport? With this valuable piece of identification, can the identity thief now apply for Clear to be a "Registered Traveler" and provide their personal biometrics with a false identity gained through Verified Identity Pass' inability to keep secure and sensitive data secure?
I very recently was reconsidering looking into the Clear system again to speed up travel through certain airports. I had decided against Clear in the past, and now, in light of Verified Identity Pass' blatant inability to keep data secure, I have to question the overall use of the system to keep the flying public secure as well.
Happy Flying!
05 August 2008
1 comment:
While you bring up some valid points, your premise that the file has to be encrypted is not entirely useful. Who keeps the password? What if that person dies, how do people get access to the encrypted file? Oh, multiple people now have to have the password. As you said yourself, any hacker can break a password. How is that any safer? Oh, use a certificate? Well, that certificate has to be kept on a disk somewhere, probably on the same laptop. And there has to be more than one copy if the disk is corrupted. Encryption of a file is not the end-all solution. It is a bigger problem to solve than the average person understands.