Slashdot Mirror


Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.


  1. Umm by DougOtto · · Score: 5, Insightful

    Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator

    Or, you could just read that information from the boarding pass, no barcode reader required.

    --
    Solving Unix problems since 1989...
    1. Re:Umm by drinkypoo · · Score: 4, Insightful

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

      "I then proceeded to Lufthansa's website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance."

      That's not a problem with the information being on the boarding pass. That's a problem with the website's security model. It's obvious that this data should be on the boarding pass. It's also obvious that shouldn't be enough to log in and check records.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Umm by GuB-42 · · Score: 3, Insightful

      As a matter of fact, you should shred all your personal documents before throwing them away, especially if you recycle.
      No need to be paranoid but doing it won't cost you much, so, why not.

  2. Bad design? by kaka.mala.vachva · · Score: 4, Insightful

    Why is that kind of information on the bar code at all? Why isn't the bar code just a handle that allows information to be retrieved from a remote (secured) system? If this is the norm for bar codes, teach me - why is it so? I

    1. Re:Bad design? by drinkypoo · · Score: 5, Insightful

      Your subject says it all ... bad design.

      Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Bad design? by Overzeetop · · Score: 3, Insightful

      Yes and no. Sure, it could be lazy. OTOH, when your use case is eight million passengers every single day, there's a certain amount of redundancy to having the information with the passenger, rather than dependent on a network/data link. Four 9s uptime during flying hours still means over a thousand passenger cancellations every single day due to inaccessible data.

      --
      Is it just my observation, or are there way too many stupid people in the world?