What Your Boarding Pass is Secretly Revealing About You

Block Ads With Ad-Blocks
November 23, 2015
BolehVPN not affected by "Port Fail" IP Leak vulnerability
November 30, 2015
Show all

What Your Boarding Pass is Secretly Revealing About You

Creative abstract business air travel, mobility and communication concept: modern touchscreen smartphone or mobile phone with airline internet web site offering booking or buying airliner tickets online, credit cards and passports on laptop or notebook computer PC keyboard with selective focus effect

Source: Shaun.net

Do you know how much of personal information is on your airplane boarding pass barcode? The answer is: a LOT. A simple two-dimensional barcode and Quick Response (QR) codes can hold a great deal of information. The codes printed on airline boarding passes could potentially open the gateway for someone to discover more about you, your future travel plans and your frequent flyer account, even from a travel snap you posted online. But before all that, let’s go back to the beginning of Bar-Coded Boarding Passes (BCBP).


History of the BCBP

Back in 2005, the International Air Transport Association (IATA) commenced a five year project to deploy Bar Coded Boarding Passes (BCBP) across IATA member airlines in an effort to eliminate magnetic boarding passes. This change was to allow airlines to use cheaper boarding paper stock and enable technologies such as web and mobile check-in. Being able to be accessed from anywhere due to off-airport check-ins, this advancement is estimated to save the industry US$1.5bn annually. This project was said to be successfully ended in 2010 when it reached the Board’s target of 95% global BCBP capability.


Boarding pass security scare

The security scare amidst the flurry of recent reports on the sensitive information contained in a boarding pass all began with a very interesting blog post by Brian Krebs, a former Washington Post reporter. A curious reader of his influential blog “Krebs on Security”, named Cory, took a screen shot of a friend’s Lufthansa boarding pass that was posted to Facebook, found a free barcode reader online (Inlite Research), uploaded the image and found he was able to gather a lot of personal information from the screen shot alone. Barcodes. QR codes. Little boxes encompassing ample information.


What’s in a boarding pass barcode?

“I found a website that could decode the data and instantly had lots of info about his trip. Besides his name, frequent flyer number and other (personally identifiable information), I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day). I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.” – Cory, KrebsonSecurity blog reader.


Source: KrebsonSecurity

  • Full name
  • Frequent flyer number
  • Flight record locator
  • Current and future itineraries
  • Phone numbers

From the scanning of the barcode alone, perhaps the most worrying issue is that Cory now has the key to access all future flights tied to the friend’s frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights altogether.

However, in a Fusion article, Kashmir Hill refutes the claim that a boarding pass barcode is a ‘treasure trove’ of private information. Although Hill does agree that there is plentiful information to be garnered from a boarding pass barcode, Hill claimed that after scanning more than five different airline boarding passes, she found that in all cases, the only information contained in the barcode that was not printed on the pass itself was the frequent flyer number.

Boarding passes can allow strangers one step closer to your airline account. These accounts still require a PIN or password, Hill argues. While a frequent flyer number can let people reset your PIN or password, they still have to answer a security question to complete the process.

In fact, figuring out the security question may not be that difficult. Cory’s friend’s security question was one of the most common one around: “What is your mother’s maiden name?”. Truthfully, more and more Internet users are already willingly sharing all their private details on social media. Such information to answer pre-selected security questions could easily be found by merely perusing a person’s Facebook or Instagram.

In a similar scenario in 2006, Steve Boggan, a writer for The Guardian, had performed a barcode test similar to Cory’s on a boarding pass stub picked out of a trash can in Heathrow airport, which revealed to belong to traveller Mark Broer. He used the information from the crumpled piece of paper to access everything from the Broer’s passport number to his date of birth. With this basic information, a quick Internet search led Boggan to even find out Broer’s home address, certainly a frightening prospect to behold.


Suggestions for smarter travel habits

  • Take your boarding pass with you when you leave the airplane. Never leave it in the backseat.
  • Feed your boarding pass into a paper shredder, or at least dispose of it carefully by tearing it into smaller pieces.
  • Use an electronic boarding pass on your phone to get to your gate.
  • If you are going to post a photo of your boarding pass online, be sure to obscure not only your name, but also its barcode.
  • However, as much as possible, try not to post your boarding pass on any social media, no matter how much you want to brag about your travel adventures!




[1] KrebsonSecurity

[2] Shaun.net

[3] IATA

[4] The Economist

[5] CBS News

Leave a Reply

Your email address will not be published. Required fields are marked *