Do you know how much of personal information is on your airplane boarding pass barcode? The answer is: a LOT. A simple two-dimensional barcode and Quick Response (QR) codes can hold a great deal of information. The codes printed on airline boarding passes could potentially open the gateway for someone to discover more about you, your future travel plans and your frequent flyer account, even from a travel snap you posted online. But before all that, let’s go back to the beginning of Bar-Coded Boarding Passes (BCBP).
History of the BCBP
Back in 2005, the International Air Transport Association (IATA) commenced a five year project to deploy Bar Coded Boarding Passes (BCBP) across IATA member airlines in an effort to eliminate magnetic boarding passes. This change was to allow airlines to use cheaper boarding paper stock and enable technologies such as web and mobile check-in. Being able to be accessed from anywhere due to off-airport check-ins, this advancement is estimated to save the industry US$1.5bn annually. This project was said to be successfully ended in 2010 when it reached the Board’s target of 95% global BCBP capability.
Boarding pass security scare
The security scare amidst the flurry of recent reports on the sensitive information contained in a boarding pass all began with a very interesting blog post by Brian Krebs, a former Washington Post reporter. A curious reader of his influential blog “Krebs on Security”, named Cory, took a screen shot of a friend’s Lufthansa boarding pass that was posted to Facebook, found a free barcode reader online (Inlite Research), uploaded the image and found he was able to gather a lot of personal information from the screen shot alone. Barcodes. QR codes. Little boxes encompassing ample information.
What’s in a boarding pass barcode?
“I found a website that could decode the data and instantly had lots of info about his trip. Besides his name, frequent flyer number and other (personally identifiable information), I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day). I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.” – Cory, KrebsonSecurity blog reader.
From the scanning of the barcode alone, perhaps the most worrying issue is that Cory now has the key to access all future flights tied to the friend’s frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights altogether.
However, in a Fusion article, Kashmir Hill refutes the claim that a boarding pass barcode is a ‘treasure trove’ of private information. Although Hill does agree that there is plentiful information to be garnered from a boarding pass barcode, Hill claimed that after scanning more than five different airline boarding passes, she found that in all cases, the only information contained in the barcode that was not printed on the pass itself was the frequent flyer number.
Boarding passes can allow strangers one step closer to your airline account. These accounts still require a PIN or password, Hill argues. While a frequent flyer number can let people reset your PIN or password, they still have to answer a security question to complete the process.
In fact, figuring out the security question may not be that difficult. Cory’s friend’s security question was one of the most common one around: “What is your mother’s maiden name?”. Truthfully, more and more Internet users are already willingly sharing all their private details on social media. Such information to answer pre-selected security questions could easily be found by merely perusing a person’s Facebook or Instagram.
In a similar scenario in 2006, Steve Boggan, a writer for The Guardian, had performed a barcode test similar to Cory’s on a boarding pass stub picked out of a trash can in Heathrow airport, which revealed to belong to traveller Mark Broer. He used the information from the crumpled piece of paper to access everything from the Broer’s passport number to his date of birth. With this basic information, a quick Internet search led Boggan to even find out Broer’s home address, certainly a frightening prospect to behold.
Suggestions for smarter travel habits
 The Economist
 CBS News