Security in filing flight plans question?


#1

Just curious, since the flight planner does not ask me for my DUAT or DUATS account information, what is to prevent somebody from using my name, my tail number other than a self certification that they are allowed to file on my behalf?

Is there any security to prevent this? One would think that a flight plan could not be filed with the FAA system without a valid FAA DUAT or DUATS account unless I am missing something?


#2

Someone could call 1-800-WX-BRIEF and do the same.


#3

Yes very true, but direct input into the FAA system would be an authorized person from FSS.

From the DUAT log on screen.

"Who can use DUAT?

In order to use the DUAT Service, you must have an access code and password. If you possess a Pilot Certificate and current medical or are a student pilot with a current medical and you are in the FAA provided database, you can log onto our Web Site at www.duat.com, click on register, enter your name and certificate number, then choose a password and access code"

As it stands now, filing a flight plan on Flight Aware doesn’t meet the basic requirements of DUAT assuming of course that the plan filed through here goes through DUAT or DUATS?

Of course if a Flight Aware flight plan is being filed through a different FAA system, then that would be beyond my comprehension insofar as security, but something to be considered?


#4

A flight plan in the system is of little value until a clearance is requested and provided by an FAA source.


#5

We log every flight plan filed through our system so we can watch for abuse.

I’m not sure what the concern is about someone else filing a bunch of flight plans with your tail number/name on them.


#6

Again true and that is not what I am addressing.

It’s ensuring that authorized people are “accessing” the FAA systems. Filing a flight plan is accessing gubment computer systems.

Part of that process includes in every other flight planner I have (and am using) is to include the user name and password from DUAT or DUATS.

I am primarily looking at this from an IT computer view, but tossed in the what if scenario about somebody filing a flight plan not authorized by me to begin this discussion.

There are other issues running through my thoughts that I will not plant seeds in a public forum.


#7

See PM…


#8

I am resurrecting this thread as somebody apparently filed a flight plan under my name this evening and showed up in Flight Aware (See PM to Flight planning support). Originally when the alert went to my wife’s phone I chalked it up as a wrong filed tail number.

Also whoever filed my flight plan also attempted to change my email password associated with Flight Aware and was unsuccessful. I know this was directly from here as the email alert from Gmail to my alternate email address corresponded right about the time the flight plan was filed.

That cookie stored on computers (if this was indeed the cause) from Flight Aware really needs to be set to expire after a certain time as I stated earlier, this is a computer security issue. I may have inadvertently left myself logged on at KMEI, dunno but that would be the only place I can imagine I left myself wide open.

I changed my password here and of course my email. I saw I was logged in on 5 different computers which seems pretty consistent with what computers I do use (doesn’t show IP addresses), but since I couldn’t be sure, I reset my password.


#9

This brings up a good point. If you use a publicly accessible computer, always DCB when you are done with your session.

  1. Delete all cookies
  2. Clear the cache
  3. Browser is shut down

Ideally, it would be great if you could turn off the computer when done.


#10

Number 1 should be log out then the above.

Also, at some FBOs I have been to, browser settings are locked down where you can’t clear browser and then at the end of the other pole, other FBOs who knows what kinda security is implemented.

Could have been a key logger on a computer unknown to me that I may have accessed Flight Aware. Could have been a random guess of my “easy password” that now has been changed to a much more difficult one. Could have been a security breach at FA. Dunno but my question raised in 2008 sure came to reality…

Just glad the person didn’t think to hijack my FA account by changing the password (forums I know is different)!

While expiring cookies won’t prevent key loggers getting passwords, it will add security to inadvertently leaving the computer logged onto an FA account which could have easily happened to me.

Whatever the case, on the briefing, my cell number was posted. Not gotten any strange calls today but that is information not available on flight plans to the public so there is a serious security issue that needs to be addressed.

Most importantly, somebody authorized access to a government computer using FA as a conduit without my explicit permission.


#11

Given the email password change attempt, it sounds like you’ve been keylogged.

If you log out, your session is expired, so there’s no need for our site to clear cache and cookies.

If you ever use a public computer and forget to log out, when you realize it later you can use the clear all sessions link on your account page to log yourself out everywhere. Looks like you already found that.

Session expiration becomes a hassle with people never being logged in, and the need for it is abated by the ability to expire all your sessions.

Your contact number from your pilot profile is included in your flight plan filing, but the flight plan filing email only goes to the account’s email address, no one else.
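
The session handling debated in #8 through #11, as an added sketch that is not part of the thread and not FlightAware's code: a server-side session table where logout and "clear all sessions" invalidate tokens on the server, with an idle timeout applied only to logins flagged as public-computer sessions. The class, the `persistent` flag and both timeout values are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60           # assumed value: 30 min idle limit for public logins
ABSOLUTE_LIFETIME = 30 * 86400   # assumed value: 30 day cap on any session

class SessionStore:
    """Server-side session table; the cookie carries only a random token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> session record

    def login(self, user, ip, persistent=True):
        # persistent=False is a hypothetical "public computer" checkbox at login.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "ip": ip, "created": now,
                                 "last_seen": now, "persistent": persistent}
        return token

    def validate(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None  # logged out, revoked, or never issued
        now = self._clock()
        too_old = now - s["created"] > ABSOLUTE_LIFETIME
        idle = not s["persistent"] and now - s["last_seen"] > IDLE_TIMEOUT
        if too_old or idle:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        # Deleting the record makes a cookie left on the machine worthless.
        self._sessions.pop(token, None)

    def list_sessions(self, user):
        # Showing IP and last activity lets the owner spot a session that is not theirs.
        return [(s["ip"], s["last_seen"]) for s in self._sessions.values()
                if s["user"] == user]

    def revoke_all(self, user, keep=None):
        # "Clear all sessions": drop every token for the user except the current one.
        doomed = [t for t, s in self._sessions.items() if s["user"] == user and t != keep]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

Only the public-computer login times out when idle, so regular devices stay logged in while a forgotten kiosk session dies on its own.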