Better Than Nothing Security on the example of Russian Railways

       I think many used the system of buying train tickets via the Internet. And I used it more than once. There were different oddities of course ... but overall the system is cool. Many probably noticed that at terminals in Moscow time electronic terminals appeared for ticketing. Use case is this: I buy a ticket through the Internet site , print a form with a barcode, go to the station, there I bring this form to my iron brain, enter the passport details and get a ticket.
       There is one but which always confused me in this scheme. The cryptographic strength of my passport data. But still, I reassured myself - well, they will find my form on the street, well, they will see my name there, where can they get my passport number!

       Having issued a ticket on the site, this beautiful site offers me to immediately print it. Commendable zeal! But there is one thing - FF does not print documents on my printer, because they quarrel with the printer driver because of the paper size. It happens, well ... I copy the form in OpenOffice and print. I think this is not just me doing it - many, out of habit, can copy into an office suite and print from there.
       And here the fun begins! Having printed out the form in this way, I found on it ... my passport number! That is, the one who holds this form in his hands goes to receive it. Seeing this on the form, I thought at first the bad thing about Russian Railways, and then looked at their site and saw the following in the code:

        PN ***** 7890


       There are just two blocks, depending on the mode, either a block with passport data or an asterisk is selected (the position of the stars is also cool chosen, taking into account the structure number, yeah)! In the end, what we see is the use of CSS as a means of hiding data that is actually used as a password!

    Gentlemen, maybe I don’t understand something?

    Also popular now: