12 January 2008

TSA put travellers at risk of ID theft

Scary but true:

A scathing congressional report released Friday confirms that security flaws in a Transportation Security Administration site put thousands of Americans at risk of identity theft [...].

In October 2006, the TSA launched a Web site to help travelers whose names were erroneously listed on airline watch lists. This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers [...].

For the four months that the site was up, thousands of people visited it, and 247 travelers submitted highly personal information (including their Social Security number and place of birth) through an insecure, non-SSL encrypted form. TSA's lax security practices resulted in thousands of Americans being put at a direct risk of identity theft [...].

The TSA official in charge of the project awarded the contract--without competition--to one of his former employers, a company owned by one of his high school buddies [...] the report notes that "neither Desyne nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA." --Surveillance State
Follow the link if you'd like more background to this story and a link to the actual report.
