
You Won’t Believe What Your Boarding Pass Is Hiding

Jeff Edwards

A Krebs on Security exposé finds that the bar codes on boarding passes contain a wealth of sensitive information that might leave passengers vulnerable.

In the wrong hands, a boarding pass may provide more information than just flight numbers and seating assignments. The scannable Quick Response (QR) code that nearly every airline uses on boarding passes can expose a wealth of sensitive information about passengers to just about anyone with a little bit of know-how.

An investigative report by Krebs on Security found that a surprising amount of personal information can be linked to the small scannable square printed on most airline tickets. According to the report, investigators were able to obtain personal information including future travel itineraries, frequent flyer account details and contact information, simply by scanning used boarding passes into an easy-to-find site on the internet.

The data obtained from the bar code of a used boarding pass, in some cases, could allow a complete stranger to control a passenger’s frequent flyer accounts, including Star Alliance accounts, canceling future travel or even booking reward travel without consent of the account holder.

Security experts say even more troubling is the personal information hidden on boarding pass QR codes that could provide identity thieves with the tools to gain control of accounts, reset PINs and obtain fraudulent accounts in a passenger’s name.

There are a number of free websites and apps, including the Inlite Research Free Barcode Reader, that can give flyers an idea of just how much information about them is hidden in the scannable code on their boarding pass. In some cases, the barcode holds no more information than the plain text printed on the boarding pass, but in many more cases, printed tickets hold much more information than what is simply printed on the ticket.

[Photo: iStock]

12 Comments

  1. MaxVO

    October 14, 2015 at 12:59 pm

    Ok, we’ve established that bar codes may contain sensitive confidential information. Then in the last paragraph you seem to encourage uploading that sensitive info to a strange website for no apparent benefit? That’s genius!

  2. Open Jaw

    October 14, 2015 at 6:38 pm

    Yet another reason to shred every document once frequent flyer miles have posted.

  3. dll

    October 15, 2015 at 11:34 am

    “In some cases, the barcode holds no more information than the plain text printed on the boarding pass, but in many more cases, printed tickets hold much more information than what is simply printed on the ticket.”

    Any insight what distinguishes these two scenarios? Is it carrier-specific? If so, would be beneficial to hunt down which carriers overreach on the data vs. those that don’t.

  4. CyBeR

    October 21, 2015 at 4:11 am

    PDF417 bar codes have been used on boarding passes for well over a decade now. Everyone already knew this.

  5. Brook Monroe

    October 21, 2015 at 4:36 am

    The IATA bar code specification supports secured data blocks, which airlines should be using to store encrypted passenger-sensitive data. While it’s true that such data as frequent-flyer numbers are part of the unsecured data, a lot of the bar code data isn’t encrypted because of the need to support interline travel and carrier transfers during IRROPS. Having carrier 5E be able to read carrier ZQ’s boarding pass bar codes is also an unfortunate necessity brought about by carrier alliances and it won’t be going away in the immediate future.

    The example from the Krebs article really illustrates a problem with some carrier websites, not an issue with including an FFN in the bar code data. Treating an FFN as some sort of “secret code” is a terrible security idea, on par with the sincerely lazy 1980s idea of using Social Security numbers as database lookup keys.

  6. vsevolod4

    October 21, 2015 at 5:00 am

    Alarmist article that mischaracterizes and sensationalizes the issue and makes it more complicated and more mysterious than it is.
    There is a real issue but let’s understand what it is.
    The boarding pass bar code contents are well known and published; here’s a document you can download and it will explain the fields contained within a bar code: http://www.iata.org/whatwedo/stb/Documents/BCBP_Implementation_Guidev4_Jun2009.pdf (see page 39 and surrounding).
    The PNR and/or the e-ticket number is generally also printed in complete text, so is available even without a bar-code reader/decoder.
    The difference is the frequent flyer number. Most airlines as of a few years ago stopped printing the full frequent flyer number on tickets. They usually put asterisks in place of some of the number in the printed version — but of course the complete number exists in the bar code. There’s a good reason to allow a BP to have the frequent flyer number — you want a connecting airline to know your number to get credit, identify status, validate upgrades, early boarding privileges, etc.
    The issue isn’t the bar code per se — it is that a number of airline sites, to make it easy to check in, allow checkin with nothing more than a name and PNR, a name and eticket number, or a name and frequent flyer number. So if you have the name (which is on the ticket in both plaintext and bar code), or the PNR (typically both), or the eticket (typically both) or the FFQ number (typically just the barcode) you can get access to this flight record — which means seeing the remainder of the itinerary, seeing details (most sensitive perhaps would be things like passport/visa details), changing seats, canceling, etc. In the case of the frequent flyer number, searching by FFQ number allows you to see not just the itinerary of which this BP is part — but seeing a list of other itineraries.
    Some airline websites make you log in with your frequent flyer number in order to see the list of itineraries — but that is feasible only if you are using that airline’s own FFQ program. But there’s no way for LH, for example, to authenticate you if you’re collecting miles on your UA account — they don’t have your UA login credentials. But LH wants to be able to check you in (and you want to check in) using your UA credentials for a ticket on LH. Therein lies the security hole.
    There is an issue, but as long as you either destroy your paper BPs (or keep them secure), or use your smartphone for your BPs, you are fine. Just don’t panic.
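As an added illustration of the comment above (not part of the comment or of the article): the mandatory part of a boarding pass barcode is fixed-width plain text, so the name and PNR can be read off with a few string slices. The field widths are the mandatory items of the IATA BCBP format as the editor knows them; the function names and the sample string are constructed for this example, and the conditional block, where optional items such as frequent flyer data are carried, is kept opaque.

```python
from datetime import date, timedelta

# Mandatory items of the first flight leg, in order, as (name, width in characters).
MANDATORY_FIELDS = [
    ("format_code", 1), ("number_of_legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("operating_carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60

def parse_bcbp(raw):
    """Split the fixed-width mandatory items; keep the conditional block opaque."""
    if len(raw) < MANDATORY_LEN or raw[0] != "M":
        raise ValueError("not a BCBP string (too short or wrong format code)")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    try:
        size = int(fields["conditional_size_hex"], 16)
    except ValueError:
        raise ValueError("conditional size is not hexadecimal") from None
    block = raw[pos:pos + size]
    if len(block) != size:
        raise ValueError("conditional block is truncated")
    fields["conditional_block"] = block  # optional items are carried here, unparsed
    return fields

def flight_date(fields, year):
    """The barcode stores only the day of the year, so the year must be supplied."""
    return date(year, 1, 1) + timedelta(days=int(fields["julian_date"]) - 1)

def cleartext_identifiers(fields):
    """Items the comment says some check-in sites accept as the only proof of identity."""
    return {"name": fields["passenger_name"], "pnr": fields["pnr"]}

# Constructed sample, not a real boarding pass; the 10-character conditional
# block is placeholder filler, not a real conditional-item layout.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ123".ljust(7) + "JFK" + "LHR"
          + "XX".ljust(3) + "0123".ljust(5) + "287" + "Y" + "012A"
          + "0042".ljust(5) + "1" + "0A" + "?" * 10)

if __name__ == "__main__":
    parsed = parse_bcbp(SAMPLE)
    print(cleartext_identifiers(parsed), flight_date(parsed, 2015))
```

Nothing in the mandatory block is encrypted or signed, which is why the commenter locates the weakness in check-in sites that treat these values as credentials.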

  7. DManzaluni

    October 21, 2015 at 5:44 am

    Let’s do a quick poll here: The only way this sort of information/data can be compromised is with what people in the security business call a “PASSWORD”

    Does anyone believe that any airline barcode includes ANY password information?

  8. vsevolod4

    October 21, 2015 at 5:56 am

    PS the picture of the boarding pass is also quite misleading because it uses an example of a one-dimensional bar code, which is simply a short numeric string, and does not encode things like Frequent Flyer numbers, etc. Making the first five digits ????? is unnecessary, as you can pretty much eyeball the numbers; it’s sort of like Morse Code. The issue referred to (somewhat imprecisely) is with two-dimensional bar codes; there are multiple encoding systems but they all can contain far more information, and alphanumeric information at that. It is with 2D bar codes that the frequent flyer number is (optionally) exposed, which in addition to the plaintext exposure of the ticket number and/or the PNR, gives someone the information with which they can go to an airline’s easy check-in site and view somewhat sensitive information and even potentially to do some damage (cancel flights, switch to a middle seat, etc.)
    The photo is simply the wrong photo to use for this post.

  9. Orville

    October 21, 2015 at 5:57 am

    Hmm… This article is missing a lot of critical information:

    1. Which carriers are issuing boarding tickets with too much info?

    2. How would someone hack into an account using the boarding pass info?

    3. What other mysterious data is coded on these passes?

    From reading other articles on this subject, looks like the airlines could and should fix the problem by putting an encrypted hash of the FF number or some other number that is different from the FF number. This will make me more careful about how I discard my boarding passes, but it’s probably not a huge threat. This article has a more balanced view on the subject: http://fusion.net/story/214993/boarding-pass-barcode-privacy-scare/

  10. rascally14

    October 21, 2015 at 6:44 am

    Scare mongering at its obvious worst. Beware….of nothing.

  11. deelmakur

    October 21, 2015 at 8:18 am

    A few years ago, some Delta customers managed to read their barcodes, and found information on the value of their homes, among other things.

  12. tanglin

    October 21, 2015 at 8:29 am

    Sensation bait headline. No news.
