Boarding Pass Barcodes Can Reveal Personal Data, Future Flights
An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.
Umm (Score:5, Insightful)
Or, you could just read that information from the boarding pass, no barcode reader required.
Re: (Score:2)
Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text.
But I agree, there seem to be ways to get the name, FQTV and RLOC also from the plain text on the boarding pass...
Re: (Score:2)
Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text.
Well, D'oh! Why do you think they have the qcode (not barcode) readers at TSA security checkpoints and at the gates? So that the people can just slap the pass up against the glass and the computer reads the info, and nobody has to take the time to read the pass. It also allows online boarding passes where you show the face of your smart phone to the reader instead of having a piece of paper.
I have no idea what the presumed issue is here. If you don't want someone to use a q-code reader on your boarding pa
Re: (Score:2, Interesting)
Guys, all bickering about what's in plain text vs what's in the barcode aside, the main point still holds, "The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead."
Re: (Score:1)
Why? Because someone might find out what seat you MIGHT have chosen to sit in? To obtain your frequent flyer number? Some information isn't worth protecting.
Re:Umm (Score:4, Informative)
You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.
“I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
Re:Umm (Score:5, Insightful)
You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.
“I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
That's not a problem with the information being on the boarding pass. That's a problem with the website's security model. It's obvious that this data should be on the boarding pass. It's also obvious that shouldn't be enough to log in and check records.
Re: (Score:2)
Why? Because someone might find out what seat you MIGHT have chosen to sit in? To obtain your frequent flyer number? Some information isn't worth protecting.
Whether your Frequent Flyer number is worth protecting is decided by the airline and whether they use that number for any kind of identification or authentication.
"Hi, My name is Mr. Spanneck and I forgot the password to your website"
"No problem, we can reset that for you. Could you please give us your mother's maiden name and your Frequent Flyer number?"
Re:Umm (Score:4, Interesting)
Here is a novel idea, have one time IDs used for that flight that are not usable for anything else, ever. Consider it a "one time pad" that is used for doing all the needed transactions for that flight (boarding pass).
Good Security isn't hard, it is just inconvenient.
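The one-time, per-flight identifier proposed in the comment above, sketched as an added example that is not part of the thread or of any airline's system: the barcode carries a random pass ID and an HMAC tag instead of the frequent flyer number and record locator, and a gate scanner holding the per-flight key can still verify it offline. The function names, the `|`-separated field layout and the per-flight key distribution are assumptions.

```python
import hashlib
import hmac
import secrets

def new_flight_key() -> bytes:
    # Assumption: one random key per flight, shared with that flight's scanners.
    return secrets.token_bytes(32)

def _tag(flight_key: bytes, body: str) -> str:
    return hmac.new(flight_key, body.encode(), hashlib.sha256).hexdigest()

def issue_pass(flight_key, flight, date, seat, name) -> str:
    """Build a barcode payload with no account identifiers in it."""
    fields = [flight, date, seat, name]
    if any("|" in f for f in fields):
        raise ValueError("field contains the delimiter")
    pass_id = secrets.token_hex(8)  # one-time ID, meaningless outside this flight
    body = "|".join([pass_id] + fields)
    return body + "|" + _tag(flight_key, body)

def verify_pass(flight_key, payload, flight, date, used):
    """Offline gate check: valid tag, right flight, not scanned before.

    `used` is the scanner's local set of pass IDs already accepted.
    Returns the seat and name on success, None otherwise.
    """
    try:
        body, tag = payload.rsplit("|", 1)
        pass_id, p_flight, p_date, seat, name = body.split("|")
    except ValueError:
        return None  # malformed payload
    if not hmac.compare_digest(tag, _tag(flight_key, body)):
        return None  # edited text or a pass issued for another flight's key
    if (p_flight, p_date) != (flight, date) or pass_id in used:
        return None
    used.add(pass_id)
    return {"seat": seat, "name": name}

if __name__ == "__main__":
    # Constructed sample values, not taken from a real boarding pass.
    key, seen = new_flight_key(), set()
    bp = issue_pass(key, "XX123", "2015-10-07", "23A", "DOE/JOHN")
    print(verify_pass(key, bp, "XX123", "2015-10-07", seen))  # accepted
    print(verify_pass(key, bp, "XX123", "2015-10-07", seen))  # replay rejected
```

A discarded pass built this way exposes the passenger name and seat but nothing that a website could accept as a login credential, which is the separation the parent comments argue about.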
Re:Umm (Score:4, Insightful)
As a matter of fact, you should shred all your personal documents before throwing them away, especially if you recycle.
No need to be paranoid but doing it won't cost you much, so, why not.
Re: (Score:2)
Most recycling places don't want shredded paper, the fiber length is far too short for adequate strength in cardboard and quality paper. Shredded paper would be fine for tissue and toilet paper.
Re: (Score:3)
If one has read the first sentence of the article (I know, I know....) it basically motivates why you should not store your old boarding passes or simply dump them in the trash, but shred them (or otherwise destroy them).
The issue is not that there is readable information on it, but that you should ensure that it is not readable for other people that have no business reading it.
Re: (Score:2)
But again, why?
1. Dig through trash in can in front of house.
2. Go look up airline bookings, see inhabitants will be away for all of next week.
:
3. PROFIT!!!
Agreed, in some locales there are fewer individuals per capita who feel a living may be made this way, and so the inhabitants of such an area may be more inclined to ask "why?" Having already been on the receiving (or is that "giving"??) end of some of said individuals, I prefer, and do what I can, not to reprise that.
From the article you didn't read (Score:4, Informative)
Re: (Score:2)
Combine that with United's horrible secur
Bad design? (Score:4, Insightful)
Re:Bad design? (Score:4, Insightful)
Yes and no. Sure, it could be lazy. OTOH, when your use case is eight million passengers every single day, there's a certain amount of redundancy to having the information with the passenger, rather than dependent on a network/data link. Four 9s uptime during flying hours still means over a thousand passenger cancellations every single day due to inaccessible data.
Re: (Score:3)
Because handheld scanners used by gate staff and sometimes stewardesses (not all of airport is covered by wifi). If there were no barcodes, only printed text, anybody could "fix" their home printed boarding pass to give themselves priority boarding/business class seat/etc. This is a way for them to verify the text matches the code.
Re: (Score:3, Informative)
Your subject says it all ... bad design.
This stuff isn't designed to be secure, or protect your privacy, it's designed to make the process easier for airlines and the idiots who run the security theater.
There's a lot of products which are absolutely terribly designed like this ... apparently with a bar code reader and a hotel key card, you can extract a tremendous amount of information which has no business being encoded on that.
As long as there are no
Re:Bad design? (Score:5, Insightful)
Your subject says it all ... bad design.
Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?
Re: (Score:2)
And how many people are shredding their boarding passes when they get home instead of throwing them away?
This doesn't seem to be current practice, because most regard it as a "permission slip to board an individual flight" instead of
Re: (Score:2)
And how many people are shredding their boarding passes when they get home instead of throwing them away?
That's foolish beyond reason (shock, amazement) because every boarding pass I've ever had has had personal information right on it that I'd rather not leave to the whims of trash collection. I haven't flown in a while (hate it now) but it's easy enough to keep your documents in your suitcase until you get home.
Re: (Score:2)
OK, I appreciate a good discussion, and you made me think twice about it. I went back and looked at a boarding pass (United). Please tell me what personal information I'm missing that's "foolish beyo
Re: (Score:2)
Please tell me what personal information I'm missing that's "foolish beyond reason" to throw out:
I don't think it takes much for it to be foolish beyond reason. If you reason it out, it costs you little to nothing to deal with that stuff some way smarter than throwing it away in the airport or your hotel. Most people won't bother to use reason. Most of them won't actually suffer for it anyway.
Re: (Score:3)
Because it's just a machine readable copy of the stuff already printed on your ticket in human-readable form.
retrieved from a remote (secured) system
Do you mean the system that's always down whenever they try to load an airplane?
Re: (Score:3)
Re: (Score:2, Informative)
Because that creates an external dependency which would be expensive to implement and which could bring their whole operation to a halt in the event of a network failure. To perform the lookup, you either need an international data connection at every airport, or a server (with international data connections so that it can be informed of tickets purchased elsewhere) at every airport, or some combination of the two. Most of these systems were designed in days when that was impossible, and even now, this is
Re: (Score:3)
"Why is that kind of information on the bar code at all?"
So that you can still board and dispatch planes rather than let a 5 minute network fault in Chicago cause flight delays across the country.
Another flaw found (Score:1)
They could also obtain the name, record locator, frequent flyer number and seat and flight information by looking at the English printing on the ticket. Won't someone think of the children? This must be stopped.
Meanwhile in the real world your Windows or OSX box can be trivially hacked and all your communications are monitored. But we should worry about someone seeing what other seats we might be able to sit in.
If you can't secure it, don't collect it (Score:2)
It also goes to say you can't help but broadcast it, don't collect it.
Bad Seats (Score:2, Funny)
So that is why I always get the worst seat on the plane.
Re: (Score:2)
So that is why I always get the worst seat on the plane.
I have accessed your frequent flyer account and downloaded all your information. If you want to keep from being seated in stowage class, send one bitcoin within the next 48 hours to the following bitcoin address:
0292jqoij091j1f0[nu q0wu 1ru02ud091wudjwjqw
If you do not respond within 48 hours, the price goes up to two bitcoins. If you pay me, you will never hear from me again, I promise, double pinky swear.
By the way, here's a handy website where you can buy bitcoins at an inflated rate ...
Re: (Score:1)
Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals ...
You mean like the TSA?
When I travel by air I always wear a latex catsuit, waist-cinching back-laced corset, and ballet boots. The security screeners look really uncomfortable. Finally found a way to turn the tables on those privacy invasion actors.
Re: (Score:2)
When I travel by air I always wear a latex catsuit, waist-cinching back-laced corset, and ballet boots. The security screeners look really uncomfortable. Finally found a way to turn the tables on those privacy invasion actors.
Curiously, this is exactly why Stephen Fry is no longer allowed to fly to many airports.
The sky is falling!!! (Score:2)
You know what else has a lot of your personal information in plain text? Your driver's license. Your credit cards. Your insurance card. Do you know why no1curz? Because they don't put them on display for the world to see.
I'm not 5. I don't walk around the airport with my boarding pass pinned to my shirt. It's only visible when I hand it to the TSA groper or the gate agent. When I'm done using it, it gets shredded like any other mildly sensitive document.
Shred it (Score:3)
Shred it. Simple rule; if it has my name and address or any other information that identifies me, it gets shredded. Even junk mail gets my name torn off and shredded before it goes in the recycle bin.
For good measure I use the shreds as fire starters in the winter.
Re: (Score:2)
For good measure I use the shreds as fire starters in the winter.
I don't bother to shred, but I do use records to start fires. If someone is breaking into my house and stealing my old records out of my burn bin, I've got problems bigger than identity theft.
Re: (Score:2)
I just shred everything if I can. I might miss something!
no validation to reprint at kiosk inside security (Score:1)
You can see the data yourself (Score:2)
Causality violation (Score:2)
Boarding Pass Barcodes Can Reveal Personal Data, Future Flights
Now that's a neat trick.
Re: (Score:2)
Recognising a silly joke? Etc.