Slashdot Mirror


Boarding Pass Barcodes Can Reveal Personal Data, Future Flights

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.


  1. Umm by DougOtto · · Score: 5, Insightful

    Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator

    Or, you could just read that information from the boarding pass, no barcode reader required.

    --
    Solving Unix problems since 1989...
    1. Re:Umm by Anonymous Coward · · Score: 4, Informative

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

      “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

    2. Re:Umm by drinkypoo · · Score: 4, Insightful

      You might just need to read past the first sentence of TFA to get an answer to your question. For me, this was a big deal.

      “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

      That's not a problem with the information being on the boarding pass. That's a problem with the website's security model. It's obvious that this data should be on the boarding pass. It's also obvious that shouldn't be enough to log in and check records.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Bad design? by kaka.mala.vachva · · Score: 4, Insightful

    Why is that kind of information on the bar code at all? Why isn't the bar code just a handle that allows information to be retrieved from a remote (secured) system? If this is the norm for bar codes, teach me - why is it so? I

    1. Re:Bad design? by drinkypoo · · Score: 5, Insightful

      Your subject says it all ... bad design.

      Is it actually bad design? It's fault-tolerant design. If there's a problem with their network, they can still retrieve the data from the boarding pass itself. Protect your boarding pass, and you won't have a problem. You were already planning to treat it as a secret, right?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"