Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.
  • Umm (Score:5, Insightful)

    by Doug Otto ( 2821601 ) on Wednesday October 07, 2015 @08:48AM (#50678655)
    Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator

    Or, you could just read that information from the boarding pass, no barcode reader required.
    • Not all information on the card is plain text. See Brian Krebs' comment on the reporting site. Quoted here: It’s not all on the boarding pass. Read the story. Some airlines treat frequent flyer codes as semi-secret, and redact them from boarding passes and email communications, but leave them in plaintext on the barcode. The story gives one example.
      • I just googled several examples of boarding passes with all of the information listed in the summary, directly readable. Yes, not all airlines include all of that in plain text, but many of them do.
    • by boaworm ( 180781 )

      Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text..

      But I agree, there seems to be ways to get the name, FQTV and RLOC also from the plain text on the boarding pass...

      • Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text..

        Well, D'oh! Why do you think they have the qcode (not barcode) readers at TSA security checkpoints and at the gates? So that the people can just slap the pass up against the glass and the computer reads the info, and nobody has to take the time to read the pass. It also allows online boarding passes where you show the face of your smart phone to the reader instead of having a piece of paper.

        I have no idea what the presumed issue is here. If you don't want someone to use a q-code reader on your boarding pa

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Guys, all bickering about what's in plain text vs what's in the barcode aside, the main point still holds, "The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead."

      • by Anonymous Coward

        Why? Because someone might find out what seat you MIGHT have chosen to sit in? To obtain your frequent flyer number? Some information isn't worth protecting.

        • Re:Umm (Score:4, Informative)

          by Anonymous Coward on Wednesday October 07, 2015 @09:35AM (#50678941)

          You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

          “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

          • Re:Umm (Score:5, Insightful)

            by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday October 07, 2015 @09:44AM (#50679005) Homepage Journal

            You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

            “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

            That's not a problem with the information being on the boarding pass. That's a problem with the website's security model. It's obvious that this data should be on the boarding pass. It's also obvious that shouldn't be enough to log in and check records.

        • Why? Because someone might find out what seat you MIGHT have chosen to sit in? To obtain your frequent flyer number? Some information isn't worth protecting.

          Whether your Frequent Flyer number is worth protecting is decided by the airline, and by whether they use that number for any kind of identification or authentication.

          "Hi, my name is Mr. Spanneck and I forgot the password to your website."
          "No problem, we can reset that for you. Could you please give us your mother's maiden name and your Frequent Flyer number?"

        • Re:Umm (Score:4, Interesting)

          by Archangel Michael ( 180766 ) on Wednesday October 07, 2015 @10:40AM (#50679447) Journal

          Here is a novel idea, have one time IDs used for that flight that are not usable for anything else, ever. Consider it a "one time pad" that is used for doing all the needed transactions for that flight (boarding pass).

          Good Security isn't hard, it is just inconvenient.

      • Re:Umm (Score:4, Insightful)

        by GuB-42 ( 2483988 ) on Wednesday October 07, 2015 @09:48AM (#50679037)

        As a matter of fact, you should shred all your personal documents before throwing them away, especially if you recycle.
        No need to be paranoid but doing it won't cost you much, so, why not.

        • Most recycling places don't want shredded paper, the fiber length is far too short for adequate strength in cardboard and quality paper. Shredded paper would be fine for tissue and toilet paper.

    • If one has read the first sentence of the article (I know, I know....) it basically motivates why you should not store your old boarding passes or simply dump them in the trash, but shred them (or otherwise destroy them).

      The issue is not that there is readable information on it, but that you should ensure that it is not readable for other people that have no business reading it.

    • by wiredog ( 43288 ) on Wednesday October 07, 2015 @09:43AM (#50678999) Journal

      When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.

    • by Nidi62 ( 1525137 )
      Update: Researchers have discovered another vulnerability regarding baggage at baggage claim that lets attackers determine the name, passenger record, and trip history of a passenger simply by reading the tag located on the baggage. Airline spokesmen were not available for comment at the time of publication.
    • Fair enough for the name and record locator, but on many boarding passes (e.g. United) it's not plainly printed in plaintext (e.g. MileagePlus Gold, Star Alliance Gold, ******ABC). Just scan the boarding pass with a barcode reader (it's in the standard BCBP format, so the frequent flier # is in plaintext) and then you have a username, and an idea if the account is worth breaking into (Global Services or 1K [top two tiers] would have that status printed on the BP).

      Combine that with United's horrible secur
      • I realize this may not be clear given the above post, but I forgot to explicitly say I was talking about the Frequent Flier number in my prior comment.
  • Bad design? (Score:4, Insightful)

    by kaka.mala.vachva ( 1164605 ) on Wednesday October 07, 2015 @08:49AM (#50678665)
    Why is that kind of information on the bar code at all? Why isn't the bar code just a handle that allows information to be retrieved from a remote (secured) system? If this is the norm for bar codes, teach me - why is it so? I
    • because laziness.
      • Re:Bad design? (Score:4, Insightful)

        by Overzeetop ( 214511 ) on Wednesday October 07, 2015 @09:26AM (#50678897) Journal

        Yes and no. Sure, it could be lazy. OTOH, when your use case is eight million passengers every single day, there's a certain amount of redundancy to having the information with the passenger, rather than dependent on a network/data link. Four 9s uptime during flying hours still means over a thousand passenger cancellations every single day due to inaccessible data.

      • Because handheld scanners are used by gate staff and sometimes stewardesses (not all of the airport is covered by wifi). If there were no barcodes, only printed text, anybody could "fix" their home-printed boarding pass to give themselves priority boarding/business class seat/etc. This is a way for them to verify the text matches the code.

    • Re: (Score:3, Informative)

      by gstoddart ( 321705 )

      Why is that kind of information on the bar code at all?

      Your subject says it all ... bad design.

      This stuff isn't designed to be secure, or protect your privacy, it's designed to make the process easier for airlines and the idiots who run the security theater.

      There's a lot of products which are absolutely terribly designed like this ... apparently with a bar code reader and a hotel key card, you can extract a tremendous amount of information which has no business being encoded on that.

      As long as there are no

      • Re:Bad design? (Score:5, Insightful)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday October 07, 2015 @09:00AM (#50678747) Homepage Journal

        Your subject says it all ... bad design.

        Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

        • Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

          And how many people are shredding their boarding passes when they get home instead of throwing them away?

          This doesn't seem to be current practice, because most regard it as a "permission slip to board an individual flight" instead of

          • And how many people are shredding their boarding passes when they get home instead of throwing them away?

            That's foolish beyond reason (shock, amazement) because every boarding pass I've ever had has had personal information right on it that I'd rather not leave to the whims of trash collection. I haven't flown in a while (hate it now) but it's easy enough to keep your documents in your suitcase until you get home.

            • That's foolish beyond reason (shock, amazement) because every boarding pass I've ever had has had personal information right on it that I'd rather not leave to the whims of trash collection. I haven't flown in a while (hate it now) but it's easy enough to keep your documents in your suitcase until you get home.

              OK, I appreciate a good discussion, and you made me think twice about it. I went back and looked at a boarding pass (United). Please tell me what personal information I'm missing that's "foolish beyo

              • Please tell me what personal information I'm missing that's "foolish beyond reason" to throw out:

                I don't think it takes much for it to be foolish beyond reason. If you reason it out, it costs you little to nothing to deal with that stuff some way smarter than throwing it away in the airport or your hotel. Most people won't bother to use reason. Most of them won't actually suffer for it anyway.

    • by PPH ( 736903 )

      Because it's just a machine readable copy of the stuff already printed on your ticket in human-readable form.

      retrieved from a remote (secured) system

      Do you mean the system that's always down whenever they try to load an airplane?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Because that creates an external dependency which would be expensive to implement and which could bring their whole operation to a halt in the event of a network failure. To perform the lookup, you either need an international data connection at every airport, or a server (with international data connections so that it can be informed of tickets purchased elsewhere) at every airport, or some combination of the two. Most of these systems were designed in days when that was impossible, and even now, this is

    • "Why is that kind of information on the bar code at all?"

      So that you can still board and dispatch planes rather than let a 5 minute network fault in Chicago cause flight delays across the country.

  • by Anonymous Coward

    They could also obtain the name, record locator, frequent flyer number and seat and flight information by looking at the English printing on the ticket. Won't someone think of the children? This must be stopped.

    Meanwhile in the real world your Windows or OSX box can be trivially hacked and all your communications are monitored. But we should worry about someone seeing what other seats we might be able to sit in.

  • It also goes to say you can't help but broadcast it, don't collect it.

  • Bad Seats (Score:2, Funny)

    by Anonymous Coward

    So that is why I always get the worst seat on the plane.

    • So that is why I always get the worst seat on the plane.

      I have accessed your frequent flyer account and downloaded all your information. If you want to keep from being seated in stowage class, send one bitcoin within the next 48 hours to the following bitcoin address:

      0292jqoij091j1f0[nu q0wu 1ru02ud091wudjwjqw

      If you do not respond within 48 hours, the price goes up to two bitcoins. If you pay me, you will never hear from me again, I promise, double pinky swear.

      By the way, here's a handy website where you can buy bitcoins at an inflated rate ...

  • You know what else has a lot of your personal information in plain text? Your driver's license. Your credit cards. Your insurance card. Do you know why no1curz? Because they don't put them on display for the world to see.

    I'm not 5. I don't walk around the airport with my boarding pass pinned to my shirt. It's only visible when I hand it to the TSA groper or the gate agent. When I'm done using it, it gets shredded like any other mildly sensitive document.

    • Should we be impressed that you are not part of the article's target audience, or see you as a fool for not seeing that yourself?
  • by bkr1_2k ( 237627 ) on Wednesday October 07, 2015 @09:45AM (#50679009)

    Shred it. Simple rule; if it has my name and address or any other information that identifies me, it gets shredded. Even junk mail gets my name torn off and shredded before it goes in the recycle bin.

    For good measure I use the shreds as fire starters in the winter.

    • For good measure I use the shreds as fire starters in the winter.

      I don't bother to shred, but I do use records to start fires. If someone is breaking into my house and stealing my old records out of my burn bin, I've got problems bigger than identity theft.

    • by antdude ( 79039 )

      I just shred everything if I can. I might miss something!

  • I was on a flight through Detroit a couple of months ago and needed to reprint my boarding pass while inside the terminal (inside security). The Delta kiosk just required last name and flight number - no confirmation number, or FF#, or CC#, etc., as is typically the case outside of security.
  • You can easily view the data, parsed out, using an app like Boarding Pass Scanner [apple.com] (iOS). You can use a generic barcode scanner as well, but it won't parse the fields properly. The standard allows for a cryptographic signature, which can be validated so that you know the data isn't modified, but indeed, the data is not encrypted.
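An added example, not code from the article, from Brian Krebs' post or from any airline: a small Python decoder for the IATA BCBP "M" format that the two comments above refer to. It shows the point both make, that the frequent flyer number a printed pass masks as ******ABC sits in plaintext in the barcode's conditional block, next to the passenger name and record locator (PNR). Field widths follow the publicly documented IATA Resolution 792 layout for a single-leg pass; the sample pass, its bag tag, ticket serial, frequent flyer number and eight-character "signature" are constructed for this example. The optional security block at the end is only located, not verified, since verifying it needs the issuing airline's key and says nothing about confidentiality either way.

```python
"""Decode the IATA BCBP ("M" format) payload found in a boarding-pass barcode.

Added example, not code from the article or from any airline. Field widths
follow the publicly documented IATA Resolution 792 layout for a single-leg
pass; the sample pass, bag tag, ticket serial, frequent flyer number and
"signature" below are all constructed for this example.
"""

# Mandatory block, 60 characters, present on every BCBP barcode.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_seq", 5), ("status", 1), ("cond_size_hex", 2),
]
# Conditional items that appear once per pass (after ">" + version + size).
UNIQUE = [
    ("pax_description", 1), ("checkin_source", 1), ("bp_issue_source", 1),
    ("bp_issue_date", 4), ("doc_type", 1), ("bp_issuer", 3), ("bag_tag", 13),
]
# Conditional items repeated per leg; the frequent flyer number lives here.
REPEATED = [
    ("airline_numeric", 3), ("ticket_serial", 10), ("selectee", 1),
    ("intl_doc_verif", 1), ("marketing_carrier", 3),
    ("ff_airline", 3), ("ff_number", 16),
]


class Cursor:
    """Sequential reader over the fixed-width fields of the barcode string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError(f"truncated barcode at offset {self.pos}")
        self.pos += n
        return chunk

    def fields(self, layout, size):
        """Read `layout` fields, but never beyond `size` characters: issuers
        may omit trailing optional items, and the size byte is authoritative."""
        out, end = {}, self.pos + size
        for name, width in layout:
            if self.pos >= end:
                break
            out[name] = self.take(min(width, end - self.pos)).strip()
        self.pos = end            # skip anything the layout does not name
        return out


def parse_bcbp(code):
    c = Cursor(code)
    rec = c.fields(MANDATORY, 60)
    if rec["format_code"] != "M":
        raise ValueError("not an IATA BCBP 'M' format barcode")
    cond_size = int(rec["cond_size_hex"], 16)
    if cond_size:
        cond_end = c.pos + cond_size
        if c.take(1) != ">":
            raise ValueError("conditional block must start with '>'")
        rec["version"] = c.take(1)
        rec.update(c.fields(UNIQUE, int(c.take(2), 16)))
        rec.update(c.fields(REPEATED, int(c.take(2), 16)))
        c.pos = cond_end          # remainder is "for individual airline use"
    # Optional security block: "^" + type + hex size + signature data. It
    # authenticates the pass to the scanner; it does not hide anything above.
    if c.pos < len(code) and code[c.pos] == "^":
        c.take(1)
        rec["security_type"] = c.take(1)
        rec["signature"] = c.take(int(c.take(2), 16))
    return rec


def redact(value, keep=3):
    """Mimic the printed-pass display that shows only the last few characters."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


# Constructed sample: one leg YUL-FRA, version 6 conditional block, dummy
# 8-character "signature". Sizes are computed so the hex length bytes match.
_unique = "1" + "W" + "W" + "6225" + "B" + "AC " + "0014123456003"
_repeated = "014" + "1234567890" + "0" + "1" + "AC " + "AC " + "1234567890123456"
_cond = ">6" + f"{len(_unique):02X}" + _unique + f"{len(_repeated):02X}" + _repeated
SAMPLE_PASS = (
    "M1" + "DESMARAIS/LUC".ljust(20) + "E" + "ABC123 " + "YUL" + "FRA" + "AC "
    + "0834 " + "226" + "F" + "001A" + "0025 " + "1" + f"{len(_cond):02X}"
    + _cond + "^1" + "08" + "ABCDEFGH"
)

if __name__ == "__main__":
    rec = parse_bcbp(SAMPLE_PASS)
    print("printed on pass:", redact(rec["ff_number"]))
    print("in the barcode: ", rec["name"], rec["pnr"], rec["ff_number"])
```

`Cursor.fields` trusts the hex size bytes rather than the nominal layout, so a pass that omits trailing optional items (or carries an airline-specific tail after the repeated block) still decodes, and a real multi-leg pass would repeat the mandatory and repeated blocks per leg, which this single-leg decoder does not attempt. The only thing the security block buys the airline is tamper evidence at the gate; a generic scanner app still reads every field.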
  • Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

    Now that's a neat trick.
