Slashdot Mirror


Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.


  1. Umm by DougOtto · · Score: 5, Insightful

    Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator

    Or, you could just read that information from the boarding pass, no barcode reader required.

    --
    Solving Unix problems since 1989...
    1. Re:Umm by kaka.mala.vachva · · Score: 2

      Not all information on the card is plain text. See Brian Krebs's comment on the reporting site. Quoted here: It’s not all on the boarding pass. Read the story. Some airlines treat frequent flyer codes as semi-secret, and redact them from boarding passes and email communications, but leave them in plaintext on the barcode. The story gives one example.

    2. Re:Umm by DougOtto · · Score: 2

      I just googled several examples of boarding passes with all of the information listed in the summary, directly readable. Yes, not all airlines include all of that in plain text, but many of them do.

      --
      Solving Unix problems since 1989...
    3. Re:Umm by Anonymous Coward · · Score: 2, Interesting

      Guys, all bickering about what's in plain text vs what's in the barcode aside, the main point still holds, "The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead."

    4. Re:Umm by Anonymous Coward · · Score: 4, Informative

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

      “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

    5. Re:Umm by codeButcher · · Score: 2

      If one has read the first sentence of the article (I know, I know....) it basically motivates why you should not store your old boarding passes or simply dump them in the trash, but shred them (or otherwise destroy them).

      The issue is not that there is readable information on it, but that you should ensure that it is not readable for other people that have no business reading it.

      --
      Free, as in your money being freed from the confines of your account.
    6. Re:Umm by drinkypoo · · Score: 4, Insightful

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

      “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

      That's not a problem with the information being on the boarding pass. That's a problem with the website's security model. It's obvious that this data should be on the boarding pass. It's also obvious that shouldn't be enough to log in and check records.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Umm by GuB-42 · · Score: 3, Insightful

      As a matter of fact, you should shred all your personal documents before throwing them away, especially if you recycle.
      No need to be paranoid but doing it won't cost you much, so, why not.

    8. Re:Umm by Nidi62 · · Score: 2

      Update: Researchers have discovered another vulnerability regarding baggage at baggage claim that lets attackers determine the name, passenger record, and trip history of a passenger simply by reading the tag located on the baggage. Airline spokesmen were not available for comment at the time of publication.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    9. Re:Umm by Archangel+Michael · · Score: 3, Interesting

      Here is a novel idea, have one time IDs used for that flight that are not usable for anything else, ever. Consider it a "one time pad" that is used for doing all the needed transactions for that flight (boarding pass).

      Good Security isn't hard, it is just inconvenient.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re:Umm by Minwee · · Score: 3, Funny

      That sounds an awful lot like "real security", which has no place anywhere near an airport.

  2. Bad design? by kaka.mala.vachva · · Score: 4, Insightful

    Why is that kind of information on the bar code at all? Why isn't the bar code just a handle that allows information to be retrieved from a remote (secured) system? If this is the norm for bar codes, teach me - why is it so? I

    1. Re:Bad design? by harshath.jr · · Score: 2

      because laziness.

    2. Re:Bad design? by gstoddart · · Score: 2, Informative

      Why is that kind of information on the bar code at all?

      Your subject says it all ... bad design.

      This stuff isn't designed to be secure, or protect your privacy, it's designed to make the process easier for airlines and the idiots who run the security theater.

      There's a lot of products which are absolutely terribly designed like this ... apparently with a bar code reader and a hotel key card, you can extract a tremendous amount of information which has no business being encoded on that.

      As long as there are no data privacy laws, and companies have no penalties for incompetently making use of it, this will continue.

      You should pretty much assume that all companies who want your data are either incompetent, or have other motives to misuse your data -- you'll be less surprised when it proves to be true. It won't help you, but you'll be less surprised.

      --
      Lost at C:>. Found at C.
    3. Re:Bad design? by drinkypoo · · Score: 5, Insightful

      Your subject says it all ... bad design.

      Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Bad design? by PPH · · Score: 2

      Because it's just a machine readable copy of the stuff already printed on your ticket in human-readable form.

      retrieved from a remote (secured) system

      Do you mean the system that's always down whenever they try to load an airplane?

      --
      Have gnu, will travel.
    5. Re:Bad design? by Overzeetop · · Score: 3, Insightful

      Yes and no. Sure, it could be lazy. OTOH, when your use case is eight million passengers every single day, there's a certain amount of redundancy to having the information with the passenger, rather than dependent on a network/data link. Four 9s uptime during flying hours still means over a thousand passenger cancellations every single day due to inaccessible data.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    6. Re:Bad design? by greenfruitsalad · · Score: 2

      because handheld scanners used by gate staff and sometimes stewardesses (not all of airport is covered by wifi). if there were no barcodes, only printed text, anybody could "fix" their home printed boarding pass to give themselves priority boarding/business class seat/etc. this is a way for them to verify the text matches the code.

    7. Re:Bad design? by houghi · · Score: 2

      OK, let us look a bit at history and how I assume we got here.

      1) We got boarding passes before we had barcode scanners.
      2) Name and what not was added to the boarding pass, like seat number, name and the like
      3) To automate it, barcodes were added
      4) Extra information was added before and after the introduction of the barcode.

      Sometimes people fly to places where barcodes are not readily available and must be readable by people to know if you are getting on the correct flight.

      So the barcode can handle all the information, but not all the time. I have seen barcode readers fail. I can imagine airports that do not have barcode readers at all (remember that it needs to work 100% worldwide all the time)
      Not all airports are in the developed world or the USofA.

      It was not that they had a barcode and added text. They had text and added barcodes.

      I have seen non-working barcode readers on airports where they just read the paper part. No other option besides not flying at all or serious delays till the IT department could fix the situation as an alternative.

      --
      Don't fight for your country, if your country does not fight for you.
    8. Re:Bad design? by Anonymous Coward · · Score: 2, Informative

      Because that creates an external dependency which would be expensive to implement and which could bring their whole operation to a halt in the event of a network failure. To perform the lookup, you either need an international data connection at every airport, or a server (with international data connections so that it can be informed of tickets purchased elsewhere) at every airport, or some combination of the two. Most of these systems were designed in days when that was impossible, and even now, this is too much at small airports and in many parts of the developing world. Generally speaking, a boarding pass barcode is just a machine-readable form of the information on the rest of the boarding pass, with the possible addition of a record identifier (which in many cases does exist in non-barcode form on the boarding pass as well, so that it can be entered manually into a system if the barcode is unreadable).

      The real problem in the article is that apparently Lufthansa's website requires no more identification than a last name and a record number to allow complete access to a frequent flyer account.

    9. Re:Bad design? by radarskiy · · Score: 2

      "Why is that kind of information on the bar code at all?"

      So that you can still board and dispatch planes rather than let a 5 minute network fault in Chicago cause flight delays across the country.
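The two threads above ask for a per-flight one-time ID or an opaque handle in the barcode, and object that the gate must keep working when the network is down. The following added example (not from the article or from any airline system) sketches one way to get both: a barcode payload that an offline gate device can authenticate with an HMAC, carrying no name, record locator or frequent flyer number. The token layout, the key derivation and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def flight_key(master_key: bytes, flight: str, date: str) -> bytes:
    """Derive a per-flight key, so a gate device holds keys only for its own flights."""
    return hmac.new(master_key, f"{flight}|{date}".encode(), hashlib.sha256).digest()

def issue_token(key: bytes, flight: str, date: str, seat: str) -> str:
    """Build the barcode payload: flight data plus a random one-time id and a MAC.
    It deliberately contains no name, record locator or loyalty number."""
    one_time_id = secrets.token_hex(8)
    body = f"{flight}|{date}|{seat}|{one_time_id}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}|{tag}"

class GateVerifier:
    """Offline check at the gate: needs only this flight's key, no network lookup."""

    def __init__(self, key: bytes, flight: str, date: str):
        self.key, self.flight, self.date = key, flight, date
        self.seen = set()  # one-time ids already scanned on this device

    def check(self, token: str) -> str:
        parts = token.split("|")
        if len(parts) != 5:
            return "malformed"
        flight, date, _seat, one_time_id, tag = parts
        body = "|".join(parts[:4])
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()[:32]
        # Constant-time comparison; an edited seat or class changes the MAC.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "bad-tag"
        if (flight, date) != (self.flight, self.date):
            return "wrong-flight"
        if one_time_id in self.seen:
            return "already-used"
        self.seen.add(one_time_id)
        return "ok"

if __name__ == "__main__":
    # Constructed sample values, not real booking data.
    key = flight_key(b"demo-master-key", "XX123", "2015-10-07")
    gate = GateVerifier(key, "XX123", "2015-10-07")
    token = issue_token(key, "XX123", "2015-10-07", "23A")
    print(token)
    print(gate.check(token), gate.check(token))
```

A discarded pass of this shape reveals one seat on one past flight and nothing that a website could accept as a credential. The single-use check here is local to one device, so several gate readers would need to share the set of seen ids.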

  3. Bad Seats by Anonymous Coward · · Score: 2, Funny

    So that is why I always get the worst seat on the plane.

  4. From the article you didn't read by wiredog · · Score: 3, Informative

    When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.

  5. Shred it by bkr1_2k · · Score: 2

    Shred it. Simple rule; if it has my name and address or any other information that identifies me, it gets shredded. Even junk mail gets my name torn off and shredded before it goes in the recycle bin.

    For good measure I use the shreds as fire starters in the winter.

    --
    "Growing old is inevitable; growing up is optional."