JetBlue: Password Encryption is for Suckers

JetBlue: Encryption is for Suckers

The Background

The Missus and I flew to Florida a couple of days ago, and as usual we took JetBlue. The only eventful part of the flight was a pleasant arrival 30 minutes ahead of schedule. The flight crew had mentioned that the satellite TV was out of commission, and that all in-flight movies would be free for the duration.

I thought that was a good way of handling the issue, and figured that was then end of that.

However, the next day we both received emails from JetBlue stating that we’d been signed up for their Travel Bank, and that a $15 credit had been applied to both of our Banks in exchange for the inconvenience of the malfunctioning TV service! That kind of proactive customer service is fantastic, and one of the main reasons that we fly JetBlue.

Hello SCOTT

Thank you for choosing JetBlue.

The following credit has been applied to your Travel Bank account number: XXXXXXXXXXXXXXXXXX (Ed. Note: Account # redacted)

Service Credit: InFlight Entertainment 15.00

We‘re sorry that DIRECTV® service didn’t work during your flight—we know this is one of the many reasons our customers choose to fly with JetBlue. Please accept our sincere apologies and this flight credit for the inconvenience you recently experienced with us.

This credit, which expires 365 days from the date it is issued, is available for use on future travel with JetBlue and is non-transferable.

To book a flight using your Travel Bank credit, visit jetblue.com and choose Travel Bank as your form of payment.

You can check the balance and transactions of your Travel Bank account by clicking here. For more information about Travel Bank and your credits, please visit jetblue.com/help/travelbank. We thank you for your understanding and look forward to a future opportunity to welcome you onboard.

Sincerely,

JetBlue Airways

Plain-Text Passwords

Here’s where the story turns dark, at least from a security perspective: Because this Travel Bank was a new service for both of us, and because JetBlue likewise had to create accounts for us, they sent us a password to get started.

Unlike — oh, I don’t know — every other website in the world, they didn’t send us randomly generated passwords. No.

THEY RE-USED OUR OUR TRUE BLUE ACCOUNT PASSWORDS, AND SENT THEM TO US IN PLAIN TEXT.

JetBlue Travel Bank Password in Plain Text

Click on this image for the full-size version.

This is a big deal for three reasons, the last of which is maybe a little less than obvious to most:

When emails are transmitted across the internet they are generally not encrypted. This means that your password would be visible to any server or router between JetBlue and your email service. It might be stored, intercepted, or otherwise snooped at any point along the journey.

Perhaps more importantly, anyone that gained access to your email account would know your password. That may seem unlikely (after all, you probably don’t have a crack team of international hackers trailing your every move), but anyone that happened across your phone could see the password.

If that doesn’t sound important, then in my opinion this last point is the worst faux pas of all. Wait, it’s not a faux pas. It’s more an act of pure ignorance and/or negligence: It’s obvious that JetBlue is storing your password in plain text, or at the very least with reversible encryption.

This means that, were hackers to get access to JetBlue’s user account database (unlike you, JetBlue may indeed be targeted by their friendly neighborhood team of international hackers), they could see your password.

And you may store your credit card info in your True Blue account. If so, anyone with access to your account could book flights to your card. Moreover, how secure is your card number if your password isn’t properly secured? That’s the kind of question I shouldn’t have to ask of “New York’s favorite airline”.

And I’m betting that you use that same True Blue password for at least one of your other accounts, perhaps even something critical like your banking or credit card accounts.

Change your Password

The moral of this story is that you should change your password. Not just with JetBlue, but make sure you use a different password for JetBlue than any of your other accounts.

Actually, it’s a best practice to use different passwords for each of your online accounts. Realistically that can be a huge pain in the ass, so even I don’t do it 100% of the time.

The moral of the story for JetBlue: For the love of internet security, use non-reversible encryption to protect our account information! You should never be able to know my password. That principle comes straight out of a community college Web Design 101 course, and you’re an international airline!

About Scott

I'm a computer guy with a new house and a love of DIY projects. I like ranting, and long drives on your lawn. I don't post everything I do, but when I do, I post it here. Maybe.
Bookmark the permalink.

Leave a Reply