Why You Should Not Throw Out Your Boarding Pass

Why you Should not Throw out Your Boarding Pass

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information. ‘

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site.

After that, the site asks for the answer to a pre-selected secret question. The question in the case of Corey’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)

Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document (PDF) from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms.

 

From: KrebsOnSecurity.com

 

Here's 1 comment for "Why you Should not Throw out Your Boarding Pass"
Jenn

Good information and very useful as I travel to any destination with my jet lag prevention, jetLAGFX [link removed]. Thanks to you.

almost 2 years ago

I want to go to Toronto

calendar

Experiences

Book Early and Save on Long Stays in Portugal and Spain Discover another south this winter! Save by booking ea... $2,049.00
Last Minute Deals to Cuba and Jamaica There are still some deals to be had to all-inclusive res... $649.00
Meet Anthony Bourdain, Other Celebrity Chefs At Cayman Cookout Grand Cayman becomes the culinary epicenter of the Caribb...
Sunwing Cancels all Flights to St. Maarten until April Sunwing Cancels Winter 2017/2018 St. Maarten Program b...
Early Booking Promotions from Transat has Been Extended!