Boarding Pass Barcodes Can Reveal Personal Data, Future Flights
An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.
Your subject says it all ... bad design.
This stuff isn't designed to be secure, or protect your privacy, it's designed to make the process easier for airlines and the idiots who run the security theater.
There are a lot of products that are absolutely terribly designed like this ... apparently with a bar code reader and a hotel key card, you can extract a tremendous amount of information that has no business being encoded on it.
As long as there are no data privacy laws, and companies have no penalties for incompetently making use of it, this will continue.
You should pretty much assume that all companies who want your data are either incompetent, or have other motives to misuse your data -- you'll be less surprised when it proves to be true. It won't help you, but you'll be less surprised.
Lost at C:>. Found at C.
You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.
“I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
Because that creates an external dependency which would be expensive to implement and which could bring their whole operation to a halt in the event of a network failure. To perform the lookup, you either need an international data connection at every airport, or a server (with international data connections so that it can be informed of tickets purchased elsewhere) at every airport, or some combination of the two. Most of these systems were designed in days when that was impossible, and even now, this is too much at small airports and in many parts of the developing world. Generally speaking, a boarding pass barcode is just a machine-readable form of the information on the rest of the boarding pass, with the possible addition of a record identifier (which in many cases does exist in non-barcode form on the boarding pass as well, so that it can be entered manually into a system if the barcode is unreadable).
The real problem in the article is that apparently Lufthansa's website requires no more identification than a last name and a record number to allow complete access to a frequent flyer account.
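To make concrete what the summary and the comment above are talking about, here is an added example (not code from Krebs's article or from any poster in this thread) that decodes the text payload carried in a boarding pass barcode. The field layout follows the IATA Bar Coded Boarding Pass (BCBP) format as I know it: a fixed 60-character mandatory block for the first leg, which is the machine-readable copy of what is printed on the pass plus the record locator, followed by an optional conditional section introduced by ">" whose sub-blocks carry their own hex length prefixes and, in the repeated sub-block, the frequent flyer airline and number. The two sample strings are constructed for this example (the passenger name and booking are fictitious), and the `account_lookup_keys` helper simply pulls out the two values the article says were enough to log in to the airline account.

```python
"""
Decoder for the IATA Bar Coded Boarding Pass (BCBP) payload carried in the
PDF417 / Aztec / QR symbol on a boarding pass.  Offsets follow the IATA
BCBP layout: a 60-character mandatory block per leg, then an optional
conditional section introduced by '>' whose sub-blocks carry their own
hex length prefixes, so the decoder does not need to know the version.
Added example; the sample strings below are constructed, not real passes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BoardingPass:
    passenger_name: str          # SURNAME/GIVEN as printed on the pass
    pnr: str                     # record locator / booking reference
    origin: str
    destination: str
    carrier: str
    flight_number: str
    julian_date: int             # day of year the flight departs
    compartment: str
    seat: str
    sequence: str                # check-in sequence number
    status: str                  # passenger status code
    frequent_flyer_airline: Optional[str] = None
    frequent_flyer_number: Optional[str] = None
    bag_tag: Optional[str] = None

    @property
    def last_name(self) -> str:
        return self.passenger_name.split("/", 1)[0]


def parse_bcbp(raw: str) -> BoardingPass:
    """Decode the first leg of a BCBP string (further legs are ignored)."""
    if len(raw) < 60 or raw[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    bp = BoardingPass(
        passenger_name=raw[2:22].strip(),
        pnr=raw[23:30].strip(),
        origin=raw[30:33],
        destination=raw[33:36],
        carrier=raw[36:39].strip(),
        flight_number=raw[39:44].strip(),
        julian_date=int(raw[44:47]),
        compartment=raw[47],
        seat=raw[48:52].strip(),
        sequence=raw[52:57].strip(),
        status=raw[57],
    )
    # Hex length of the conditional section that follows leg 1.
    cond_len = int(raw[58:60], 16)
    cond = raw[60:60 + cond_len]
    if cond.startswith(">") and len(cond) >= 4:
        # '>' version(1) then hex length of the "unique" sub-block.
        uniq_len = int(cond[2:4], 16)
        uniq = cond[4:4 + uniq_len]
        # Unique block: pax desc(1) checkin src(1) issue src(1) issue date(4)
        # doc type(1) issuer(3) bag tag(13)
        if len(uniq) >= 24:
            bp.bag_tag = uniq[11:24].strip() or None
        rep_off = 4 + uniq_len
        if len(cond) >= rep_off + 2:
            rep_len = int(cond[rep_off:rep_off + 2], 16)
            rep = cond[rep_off + 2:rep_off + 2 + rep_len]
            # Repeated block: numeric code(3) serial(10) selectee(1)
            # intl doc(1) marketing carrier(3) FF airline(3) FF number(16)
            if len(rep) >= 37:
                bp.frequent_flyer_airline = rep[18:21].strip() or None
                bp.frequent_flyer_number = rep[21:37].strip() or None
    return bp


def account_lookup_keys(bp: BoardingPass) -> dict:
    """The two values the article says were enough to enter the account."""
    return {"last_name": bp.last_name, "record_locator": bp.pnr}


# Constructed sample: mandatory block (var-size 0x47 = 71 conditional chars).
_MANDATORY = ("M1" + "DESMARAIS/LUC".ljust(20) + "E" + "ABC123".ljust(7)
              + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5) + "326"
              + "J" + "001A" + "0025".ljust(5) + "1")
_UNIQUE = "1WW6325BAC " + " " * 13                        # 24 chars = 0x18
_REPEATED = ("014" + "1234567890" + " " + " " + "AC " + "AC "
             + "123456789".ljust(16) + " " + "20K")       # 41 chars = 0x29
SAMPLE_BCBP = _MANDATORY + "47" + ">3" + "18" + _UNIQUE + "29" + _REPEATED
# Same pass with no conditional section at all.
MANDATORY_ONLY = _MANDATORY + "00"

if __name__ == "__main__":
    bp = parse_bcbp(SAMPLE_BCBP)
    print(bp)
    print(account_lookup_keys(bp))
```

Running it on the constructed sample shows the point of the thread: the surname and record locator are in the first 30 characters of the payload, readable by any barcode app, and the frequent flyer number sits a fixed offset into the repeated conditional block. Nothing in the format is encrypted or integrity-protected, which is why the only real defence is on the airline's website, not in the barcode.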