Boarding pass barcodes can reveal personal data, future flights
Wed 7 Oct 2015
Security experts have warned that barcodes contained on aeroplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans.
In 2005, boarding pass barcodes were introduced by the IATA (International Air Transport Association) to eliminate the need for magnetic passes, reduce costs for airlines and enable web and mobile check-in. However, the personal information ‘hidden’ in the barcodes can be used to breach accounts and manipulate bookings, as cybercrime blogger Brian Krebs explained in a KrebsOnSecurity post yesterday.
Krebs introduced blog reader Cory, who had been curious to see what information he could deduce from a friend’s boarding pass – a photo of which had been uploaded to Facebook.
Cory reported that, using an easily available online barcode reader, he was able to retrieve not only the person’s name, frequent flyer number and other personal ID information, but also the record locator for the exact flight taken. Cory then logged in to the airline’s website using the individual’s surname, frequent flyer ID and record locator, and successfully accessed the entire online account, which showed details of past and upcoming flights.
Phone numbers, email address, emergency contacts and billing information were also visible, along with options to change seats and cancel flights.
Cory explained that the information stored in the boarding pass could also make it easy for hackers to reset the password on Star Alliance frequent flyer accounts. The information can guide attackers through the early part of the PIN reset process, before they reach the secret question stage. In this case, Cory’s friend’s question was the popular mother’s maiden name query – information easily gathered by browsing the social networking profiles of family members.
The security vulnerability serves as a reminder to users of Facebook, Instagram and other photo sharing platforms to be careful about what they post online and to keep easily decipherable barcodes and QR codes away from prying eyes.