Slashdot Mirror


Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.

64 comments

  1. Umm by DougOtto · · Score: 5, Insightful

    Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator

    Or, you could just read that information from the boarding pass, no barcode reader required.

    --
    Solving Unix problems since 1989...
    1. Re:Umm by kaka.mala.vachva · · Score: 2

Not all information on the card is plain text. See Brian Krebs' comment on the reporting site. Quoted here: It’s not all on the boarding pass. Read the story. Some airlines treat frequent flyer codes as semi-secret, and redact them from boarding passes and email communications, but leave them in plaintext on the barcode. The story gives one example.

    2. Re:Umm by boaworm · · Score: 1

Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text.

      But I agree, there seem to be ways to get the name, FQTV and RLOC also from the plain text on the boarding pass...

      --
      Probable impossibilities are to be preferred to improbable possibilities.
Aristotle
    3. Re: Umm by Anonymous Coward · · Score: 0

      Exactly, is the bar code encoding information not plainly visible? If the bar code is just a GUID for a lookup into some remote database, then there is nothing to see here.

    4. Re:Umm by DougOtto · · Score: 2

      I just googled several examples of boarding passes with all of the information listed in the summary, directly readable. Yes, not all airlines include all of that in plain text, but many of them do.

      --
      Solving Unix problems since 1989...
    5. Re:Umm by Anonymous Coward · · Score: 2, Interesting

      Guys, all bickering about what's in plain text vs what's in the barcode aside, the main point still holds, "The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead."

    6. Re:Umm by Anonymous Coward · · Score: 1

      Why? Because someone might find out what seat you MIGHT have chosen to sit in? To obtain your frequent flyer number? Some information isn't worth protecting.

    7. Re:Umm by Anonymous Coward · · Score: 4, Informative

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

      “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

    8. Re:Umm by codeButcher · · Score: 2

      If one has read the first sentence of the article (I know, I know....) it basically motivates why you should not store your old boarding passes or simply dump them in the trash, but shred them (or otherwise destroy them).

      The issue is not that there is readable information on it, but that you should ensure that it is not readable for other people that have no business reading it.

      --
      Free, as in your money being freed from the confines of your account.
    9. Re:Umm by drinkypoo · · Score: 4, Insightful

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

“I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

      That's not a problem with the information being on the boarding pass. That's a problem with the website's security model. It's obvious that this data should be on the boarding pass. It's also obvious that shouldn't be enough to log in and check records.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Umm by GuB-42 · · Score: 3, Insightful

      As a matter of fact, you should shred all your personal documents before throwing them away, especially if you recycle.
      No need to be paranoid but doing it won't cost you much, so, why not.

    11. Re:Umm by bickerdyke · · Score: 1

      Why? Because someone might find out what seat you MIGHT have chosen to sit in? To obtain your frequent flyer number? Some information isn't worth protecting.

      If your Frequent Flyer number is worth protecting is decided by the airline and if they use that number for any kind of identification or authentication.

"Hi, my name is Mr. Spanneck and I forgot the password to your website"
      "No problem, we can reset that for you. Could you please give us your mother's maiden name and your Frequent Flyer number?"

      --
      bickerdyke
    12. Re:Umm by Nidi62 · · Score: 2

      Update: Researchers have discovered another vulnerability regarding baggage at baggage claim that lets attackers determine the name, passenger record, and trip history of a passenger simply by reading the tag located on the baggage. Airline spokesmen were not available for comment at the time of publication.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    13. Re:Umm by Archangel+Michael · · Score: 3, Interesting

      Here is a novel idea, have one time IDs used for that flight that are not usable for anything else, ever. Consider it a "one time pad" that is used for doing all the needed transactions for that flight (boarding pass).

      Good Security isn't hard, it is just inconvenient.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    14. Re:Umm by Anonymous Coward · · Score: 0

      Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text..

      If your scanning documents, barcodes are quicker to read than OCR on text, and almost always more accurate.

    15. Re:Umm by Anonymous Coward · · Score: 0

      But again, why? Who cares if someone has that information? Does it really matter if someone knows you are going to St. Louis? Are you in the CIA or something? Really you guys worry about the wrong things. Your information is being collected and monitored online.

    16. Re:Umm by Minwee · · Score: 3, Funny

      That sounds an awful lot like "real security", which has no place anywhere near an airport.

    17. Re:Umm by Coopjust · · Score: 1

      Fair enough for the name and record locator, but on many boarding passes (e.g. United) it's not plainly printed in plaintext (E.G. MileagePlus Gold, Star Alliance Gold, ******ABC). Just scan the boarding pass with a barcode reader (it's in the standard BCBP format, so the frequent flier # is in plaintext) and then you have a username, and an idea if the account is worth breaking into (global services or 1K [top two tiers] would have that status printed on the BP).

      Combine that with United's horrible security (requiring you to have a four digit PIN = weak to bruteforce) and you end up with a recipe for disaster if you leave your BPs laying around.

    18. Re: Umm by Anonymous Coward · · Score: 0

      If your what?

    19. Re:Umm by Coopjust · · Score: 1

      I realize this may not be clear given the above post, but I forgot to explicitly say I was talking about the Frequent Flier number in my prior comment.

    20. Re:Umm by rubycodez · · Score: 1

      Most recycling places don't want shredded paper, the fiber length is far too short for adequate strength in cardboard and quality paper. Shredded paper would be fine for tissue and toilet paper.

    21. Re:Umm by Obfuscant · · Score: 1

      Maybe it is easier to automatically read large numbers of boarding passes if they have bar codes, rather than just text..

      Well, D'oh! Why do you think they have the qcode (not barcode) readers at TSA security checkpoints and at the gates? So that the people can just slap the pass up against the glass and the computer reads the info, and nobody has to take the time to read the pass. It also allows online boarding passes where you show the face of your smart phone to the reader instead of having a piece of paper.

      I have no idea what the presumed issue is here. If you don't want someone to use a q-code reader on your boarding pass -- DON'T SHOW IT TO THEM. Problem solved. Otherwise it is just like swiping your credit card through a mag stripe reader.

Now, if the kerfuffle was because someone invented an RFID-like system that could read the data from your boarding pass while it was in your pocket without you knowing it, that would be something to worry about.

    22. Re:Umm by codeButcher · · Score: 1

      But again, why?

      1. Dig through trash in can in front of house.
      2. Go look up airline bookings, see inhabitants will be away for all of next week.
      :
      3. PROFIT!!!

      Agreed, in some locales there are less individuals per capita who feel a living may be made this way, and so the inhabitants of such an area may be more inclined to ask "why?" Having already been on the receiving (or is that "giving"??) end of some of said individuals, I prefer, and do what I can, not to reprise that.

      --
      Free, as in your money being freed from the confines of your account.
  2. Bad design? by kaka.mala.vachva · · Score: 4, Insightful

    Why is that kind of information on the bar code at all? Why isn't the bar code just a handle that allows information to be retrieved from a remote (secured) system? If this is the norm for bar codes, teach me - why is it so? I

    1. Re:Bad design? by harshath.jr · · Score: 2

      because laziness.

    2. Re:Bad design? by gstoddart · · Score: 2, Informative

      Why is that kind of information on the bar code at all?

      Your subject says it all ... bad design.

      This stuff isn't designed to be secure, or protect your privacy, it's designed to make the process easier for airlines and the idiots who run the security theater.

      There's a lot of products which are absolutely terribly designed like this ... apparently with a bar code reader and a hotel key card, you can extract a tremendous amount of information which has no business being encoded on that.

      As long as there are no data privacy laws, and companies have no penalties for incompetently making use of it, this will continue.

      You should pretty much assume that all companies who want your data are either incompetent, or have other motives to misuse your data -- you'll be less surprised when it proves to be true. It won't help you, but you'll be less surprised.

      --
      Lost at C:>. Found at C.
    3. Re:Bad design? by drinkypoo · · Score: 5, Insightful

      Your subject says it all ... bad design.

      Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Bad design? by PPH · · Score: 2

      Because it's just a machine readable copy of the stuff already printed on your ticket in human-readable form.

      retrieved from a remote (secured) system

Do you mean the system that's always down whenever they try to load an airplane?

      --
      Have gnu, will travel.
    5. Re:Bad design? by Anonymous Coward · · Score: 0

      Why is that kind of information on the bar code at all? Why isn't the bar code just a handle that allows information to be retrieved from a remote (secured) system?
      If this is the norm for bar codes, teach me - why is it so? I

      Cuz the data is printed in plain text on the boarding pass anyway.

    6. Re:Bad design? by Overzeetop · · Score: 3, Insightful

      Yes and no. Sure, it could be lazy. OTOH, when your use case is eight million passengers every single day, there's a certain amount of redundancy to having the information with the passenger, rather than dependent on a network/data link. Four 9s uptime during flying hours still means over a thousand passenger cancellations every single day due to inaccessible data.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    7. Re:Bad design? by greenfruitsalad · · Score: 2

      because handheld scanners used by gate staff and sometimes stewardesses (not all of airport is covered by wifi). if there were no barcodes, only printed text, anybody could "fix" their home printed boarding pass to give themselves priority boarding/business class seat/etc. this is a way for them to verify the text matches the code.

    8. Re:Bad design? by houghi · · Score: 2

      OK, let us look a bit at history and how I assume we got here.

1) We got boarding passes before we had barcode scanners.
      2) Name and what not was added to the boarding pass, like seat number, name and the like
      3) To automate it, barcodes were added
      4) Extra information was added before and after the introduction of the barcode.

      Sometimes people fly to places where barcodes are not readily available and must be readable by people to know if you are getting on the correct flight.

So the barcode can handle all the information, but not all the time. I have seen barcode readers fail. I can imagine airports that do not have barcode readers at all (remember that it needs to work 100% worldwide all the time).
      Not all airports are in the developed world or the USofA.

      It was not that they had a barcode and added text. They had text and added barcodes.

      I have seen non-working barcode readers on airports where they just read the paper part. No other option besides not flying at all or serious delays till the IT department could fix the situation as an alternative.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:Bad design? by Anonymous Coward · · Score: 2, Informative

      Because that creates an external dependency which would be expensive to implement and which could bring their whole operation to a halt in the event of a network failure. To perform the lookup, you either need an international data connection at every airport, or a server (with international data connections so that it can be informed of tickets purchased elsewhere) at every airport, or some combination of the two. Most of these systems were designed in days when that was impossible, and even now, this is too much at small airports and in many parts of the developing world. Generally speaking, a boarding pass barcode is just a machine-readable form of the information on the rest of the boarding pass, with the possible addition of a record identifier (which in many cases does exist in non-barcode form on the boarding pass as well, so that it can be entered manually into a system if the barcode is unreadable).

      The real problem in the article is that apparently Lufthansa's website requires no more identification than a last name and a record number to allow complete access to a frequent flyer account.

    10. Re:Bad design? by macklin01 · · Score: 1

      Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

      And how many people are shredding their boarding passes when they get home instead of throwing them away?

      This doesn't seem to be current practice, because most regard it as a "permission slip to board an individual flight" instead of a "embedding of personalized information beyond the individual flight."

      --
      OpenSource.MathCancer.org: open source comp bio
    11. Re:Bad design? by radarskiy · · Score: 2

      "Why is that kind of information on the bar code at all?"

      So that you can still board and dispatch planes rather than let a 5 minute network fault in Chicago causing flight delays across the country.

    12. Re:Bad design? by drinkypoo · · Score: 1

      And how many people are shredding their boarding passes when they get home instead of throwing them away?

      That's foolish beyond reason (shock, amazement) because every boarding pass I've ever had has had personal information right on it that I'd rather not leave to the whims of trash collection. I haven't flown in a while (hate it now) but it's easy enough to keep your documents in your suitcase until you get home.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    13. Re:Bad design? by Anonymous Coward · · Score: 0

      Of course it's bad design. It's supposed to be an anti-forgery measure and it completely fails in that regard.

      Consider this: the whole 2D code (I'm not saying 2D barcode because there's no such thing) is unencrypted plaintext that is also unsigned. This means that anybody with enough technical knowledge can still print their own boarding pass including the plaintext 2D code.

      How can this be improved?

      A first step would be to PKI sign the plaintext content of the 2D code using the airline's private key and add that hash to the 2D code. This would still leave the main content in plaintext but at least the terminals at the gates could detect forged tickets.

      Taking it further would be encryption, i.e.: the whole content of the 2D code would be encrypted using the airline's private key and decrypted by the gate terminals using the airline's public key. Since most of the information is already visible as printed text on the boarding pass, though, this extra step does nothing to protect passenger identity information.

    14. Re:Bad design? by macklin01 · · Score: 1

      That's foolish beyond reason (shock, amazement) because every boarding pass I've ever had has had personal information right on it that I'd rather not leave to the whims of trash collection. I haven't flown in a while (hate it now) but it's easy enough to keep your documents in your suitcase until you get home.

      OK, I appreciate a good discussion, and you made me think twice about it. I went back and looked at a boarding pass (United). Please tell me what personal information I'm missing that's "foolish beyond reason" to throw out:
      Name: not top-secret
      Starting point/flight time: not sensitive after travel is done
      Destination/landing time: not sensitive after travel is done
      Flight number: not sensitive after travel is done
date: not sensitive after travel is done
      gate: not terribly sensitive
      seat: well, I suppose I'll guard this information jealously
      boarding group: not sensitive
      reservation confirmation code: not useful after flight
      ticket number: not useful after flight
      last 3 digits of United frequent flyer pass: the only thing that is remotely sensitive

In particular, I don't see any credit card information, home address, social security number, date of birth, driver's license number, or passport number. The receipt for any luggage payments is another matter, but what am I missing on the boarding pass? Thanks -- Paul

      --
      OpenSource.MathCancer.org: open source comp bio
    15. Re:Bad design? by drinkypoo · · Score: 1

      Please tell me what personal information I'm missing that's "foolish beyond reason" to throw out:

      I don't think it takes much for it to be foolish beyond reason. If you reason it out, it costs you little to nothing to deal with that stuff some way smarter than throwing it away in the airport or your hotel. Most people won't bother to use reason. Most of them won't actually suffer for it anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Another flaw found by Anonymous Coward · · Score: 1

They could also obtain the name, record locator, frequent flyer number and seat and flight information by looking at the English printing on the ticket. Won't someone think of the children? This must be stopped.

    Meanwhile in the real world your Windows or OSX box can be trivially hacked and all your communications are monitored. But we should worry about someone seeing what other seats we might be able to sit in.

  4. If you can't secure it, don't collect it by sandbagger · · Score: 1

It also goes to say: if you can't help but broadcast it, don't collect it.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
  5. Bad Seats by Anonymous Coward · · Score: 2, Funny

    So that is why I always get the worst seat on the plane.

    1. Re:Bad Seats by Obfuscant · · Score: 1

      So that is why I always get the worst seat on the plane.

      I have accessed your frequent flyer account and downloaded all your information. If you want to keep from being seated in stowage class, send one bitcoin within the next 48 hours to the following bitcoin address:

      0292jqoij091j1f0[nu q0wu 1ru02ud091wudjwjqw

      If you do not respond within 48 hours, the price goes up to two bitcoins. If you pay me, you will never hear from me again, I promise, double pinky swear.

      By the way, here's a handy website where you can buy bitcoins at an inflated rate ...

  6. Slashdotted by Anonymous Coward · · Score: 0

    Anyone have a copy they can post elsewhere?

  7. Government Goons by Anonymous Coward · · Score: 0

    Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals ...

    You mean like the TSA?

    1. Re:Government Goons by Anonymous Coward · · Score: 1

      Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals ...

      You mean like the TSA?

      When I travel by air I always wear a latex catsuit, waist-cinching back-laced corset, and ballet boots. The security screeners look really uncomfortable. Finally found a way to turn the tables on those privacy invasion actors.

    2. Re:Government Goons by Minwee · · Score: 1

      When I travel by air I always wear a latex catsuit, waist-cinching back-laced corset, and ballet boots. The security screeners look really uncomfortable. Finally found a way to turn the tables on those privacy invasion actors.

      Curiously, this is exactly why Stephen Fry is no longer allowed to fly to many airports.

  8. In Other News... by Anonymous Coward · · Score: 0

    Mr. Krebs arrested...

    Because airplane.

  9. From the article you didn't read by wiredog · · Score: 3, Informative

When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.

  10. The sky is falling!!! by jtownatpunk.net · · Score: 1

    You know what else has a lot of your personal information in plain text? Your driver's license. Your credit cards. Your insurance card. Do you know why no1curz? Because they don't put them on display for the world to see.

    I'm not 5. I don't walk around the airport with my boarding pass pinned to my shirt. It's only visible when I hand it to the TSA groper or the gate agent. When I'm done using it, it gets shredded like any other mildly sensitive document.

    1. Re:The sky is falling!!! by Zero__Kelvin · · Score: 1

Should we be impressed that you are not part of the article's target audience, or see you as a fool for not seeing that yourself?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:The sky is falling!!! by Anonymous Coward · · Score: 0

Should we be impressed that you are not part of the article's target audience, or see you as a fool for not seeing that yourself?

      Neither. You should feel embarrassed that the target audience is still within your species.

    3. Re:The sky is falling!!! by Zero__Kelvin · · Score: 1

      I'm too busy being embarrassed that I post on the same website as idiots who cannot log in.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Shred it by bkr1_2k · · Score: 2

    Shred it. Simple rule; if it has my name and address or any other information that identifies me, it gets shredded. Even junk mail gets my name torn off and shredded before it goes in the recycle bin.

    For good measure I use the shreds as fire starters in the winter.

    --
    "Growing old is inevitable; growing up is optional."
    1. Re:Shred it by drinkypoo · · Score: 1

      For good measure I use the shreds as fire starters in the winter.

      I don't bother to shred, but I do use records to start fires. If someone is breaking into my house and stealing my old records out of my burn bin, I've got problems bigger than identity theft.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Shred it by antdude · · Score: 1

      I just shred everything if I can. I might miss something!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  12. no validation to reprint at kiosk inside security by AmusingClown · · Score: 1

I was on a flight through Detroit a couple months ago and had need to reprint my boarding pass while inside the terminal (inside security). Delta kiosk just required last name and flight number - no confirmation number, or FF#, or CC#, etc., as is typically the case outside of security.

  13. I g by Anonymous Coward · · Score: 0

    I 8jhjgwj

  14. You can see the data yourself by sam1am · · Score: 1

    You can easily view the data, parsed out, using an app like Boarding Pass Scanner (iOS). You can use a generic barcode scanner as well, but it won't parse the fields properly. The standard allows for a cryptographic signature, which can be validated so that you know the data isn't modified, but indeed, the data is not encrypted.
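Added example (not from the article or any commenter) illustrating what Coopjust's and sam1am's comments describe: a decoder for the IATA BCBP "M" format that pulls the name, record locator and frequent-flyer number out of the barcode payload, reports whether the optional "^" security block is present, and masks the number the way United prints it. Field offsets follow my reading of the public BCBP layout and are an assumption of this example; both barcode strings are constructed with fictitious values.

```python
from dataclasses import dataclass


@dataclass
class BoardingPass:
    name: str
    pnr: str                  # record locator
    origin: str
    destination: str
    carrier: str
    flight: str
    seat: str
    ff_airline: str           # frequent-flyer programme carrier, '' if absent
    ff_number: str            # frequent-flyer number, '' if absent
    has_security_data: bool   # True when a '^' security block follows


def _field(data: str, pos: int, width: int) -> tuple[str, int]:
    """Return the stripped fixed-width field at pos and the position after it."""
    return data[pos:pos + width].strip(), pos + width


def decode_bcbp(data: str) -> BoardingPass:
    """Decode one leg of an M-type BCBP string (layout assumed, see lead-in)."""
    if not data.startswith("M"):
        raise ValueError("not an M-type BCBP string")
    pos = 2                                   # format code, number of legs
    name, pos = _field(data, pos, 20)
    pos += 1                                  # electronic ticket indicator
    pnr, pos = _field(data, pos, 7)
    origin, pos = _field(data, pos, 3)
    destination, pos = _field(data, pos, 3)
    carrier, pos = _field(data, pos, 3)
    flight, pos = _field(data, pos, 5)
    pos += 3 + 1                              # Julian date, compartment code
    seat, pos = _field(data, pos, 4)
    pos += 5 + 1                              # check-in sequence, pax status
    var_size_hex, pos = _field(data, pos, 2)  # hex size of conditional section
    var_size = int(var_size_hex or "0", 16)
    conditional = data[pos:pos + var_size]
    pos += var_size

    ff_airline = ff_number = ""
    if conditional.startswith(">"):
        # '>' (1), version (1), hex size of the 'unique' block (2), which we skip
        unique_size = int(conditional[2:4], 16)
        rep_start = 4 + unique_size
        rep_size = int(conditional[rep_start:rep_start + 2], 16)
        repeated = conditional[rep_start + 2:rep_start + 2 + rep_size]
        # repeated block: airline numeric code (3), document number (10),
        # selectee (1), intl doc verification (1), marketing carrier (3),
        # frequent-flyer airline (3), frequent-flyer number (16), ...
        if len(repeated) >= 37:
            ff_airline = repeated[18:21].strip()
            ff_number = repeated[21:37].strip()

    has_security = data[pos:pos + 1] == "^"   # optional signed security block
    return BoardingPass(name, pnr, origin, destination, carrier, flight,
                        seat, ff_airline, ff_number, has_security)


def mask_ff_number(number: str, visible: int = 3) -> str:
    """Mask a frequent-flyer number for display, e.g. ************901."""
    if len(number) <= visible:
        return number
    return "*" * (len(number) - visible) + number[-visible:]


# Constructed sample: 60-char mandatory block, then a 0x47-char conditional
# block carrying the frequent-flyer number in plaintext (fictitious values).
_MANDATORY = ("M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123".ljust(7)
              + "FRA" + "JFK" + "LH".ljust(3) + "0400".ljust(5) + "300"
              + "Y" + "022A" + "0025".ljust(5) + "1" + "47")
_CONDITIONAL = (">3" + "18" + "0WW" + "5299" + "B" + "LH " + " " * 13
                + "29" + "220" + "1234567890" + "0" + "1" + "LH " + "LH "
                + "992012345678901".ljust(16) + " " + "20K")
SAMPLE_UNSIGNED = _MANDATORY + _CONDITIONAL
# Same pass with a constructed (not cryptographically valid) security block.
SAMPLE_SIGNED = SAMPLE_UNSIGNED + "^1" + "0C" + "c0nstructed!"

if __name__ == "__main__":
    bp = decode_bcbp(SAMPLE_UNSIGNED)
    print(bp.name, bp.pnr, bp.ff_airline, mask_ff_number(bp.ff_number),
          "signed" if bp.has_security_data else "UNSIGNED")
```

A generic scanner shows the same string undivided; the point of the decoder is that the name, locator and full frequent-flyer number sit at fixed offsets, so redaction on the printed pass does not carry over to the barcode.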

    1. Re:You can see the data yourself by Minwee · · Score: 1

      Clearly the only solution is to outlaw this kind of terrorism-assisting application.

  15. Causality violation by wonkey_monkey · · Score: 1

    Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

    Now that's a neat trick.

    --
    systemd is Roko's Basilisk.
    1. Re:Causality violation by Minwee · · Score: 1

      Reading the article to see exactly how that would be possible? That would be a neat trick.

    2. Re:Causality violation by wonkey_monkey · · Score: 1

      Recognising a silly joke? Etc.

      --
      systemd is Roko's Basilisk.