You Won’t Believe What Your Boarding Pass Is Hiding
Jeff Edwards October 14, 2015
A Krebs on Security expose finds that the bar codes on boarding passes contain a wealth of sensitive information that might leave passengers vulnerable.
In the wrong hands, a boarding pass may provide more information than just flight numbers and seating assignments. The scannable Quick Response (QR) code that nearly every airline uses on boarding passes can expose a wealth of sensitive information about passengers to just about anyone with a little bit of knowhow.
An investigative report by Krebs on Security found that a surprising amount of personal information can be linked to the small scannable square printed on most airline tickets. According to the report, investigators were able to obtain personal information including future travel itineraries, frequent flyer account details and contact information, simply by scanning used boarding passes into an easy-to-find site on the internet.
The data obtained from the bar code of a used boarding pass, in some cases, could allow a complete stranger to control a passenger’s frequent flyer accounts, including Star Alliance accounts, canceling future travel or even booking reward travel without consent of the account holder.
Security experts say even more troubling is the personal information hidden on boarding pass QR codes that could provide identity thieves with the tools to gain control of accounts, reset pins and obtain fraudulent accounts in a passenger’s name.
There are a number of free websites and apps, including the Inlite Research Free Barcode Reader, that can give flyers an idea of just how much information about them is hidden in the scannable code on their boarding pass. In some cases, the barcode holds no more information that the plain text printed on the boarding pass, but in many more cases, printed tickets hold much more information than what is simply printed on the ticket.
[Photo: iStock]
Sensation bait headline. No news.
A few years ago, some Delta customers managed to read their barcodes, and found information on the value of their homes, among other things.
Scare mongering at its obvious worst. Beware....of nothing.
Hmm... This article is missing a lot of critical information: 1. Which carriers are issuing boarding tickets with too much info? 2. How would someone hack into an account using the boarding pass info? 3. What other mysterious data is coded on these passes? From reading other articles on this subject, looks like the airlines could and should fix the problem by putting an encrypted hash of the FF number or some other number that is different from the FF number. This will make me more careful about how I discard my boarding passes, but it's probably not a huge threat This article has a more balanced view on the subject: http://fusion.net/story/214993/boarding-pass-barcode-privacy-scare/
PS the picture of the boarding pass is also quite misleading because it uses an example of a one-dimensional bar code, which is simply a short numeric string, and does not encode things like Frequent Flyer numbers, etc. Making the first five digits ????? is unnecessary, as you can pretty much eyeball the numbers; it's sort of like Morse Code. The issue referred to (somewhat impecisely) is with two-dimensional bar codes; there are multiple encoding systems but they all can contain far more information, and alphanumeric information at that. It is with 2D bar codes that the frequent flyer number is (optionally) exposed, which in addition to the plaintext exposure of the ticket number and/or the PNR, gives someone the information with which they can go to an airline's easy chicken site and view somewhat sensitive information and even potentially to do some damage (cancel flights, switch to a middle seat, etc.) The photo is simply the wrong photo to use for this post.