October 6, 2015

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

An older Delta boarding pass with a bar code that does not include a frequent flyer number. Source: IATA.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airlines’ “forgot PIN” Web site.

After that, the site asks for the answer to a pre-selected secret question. The question in the case of Cory’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)

The readout from the barcode on Cory’s friend’s boarding pass (redacted).

United Airlines seems to treat its customers’ frequent flyer numbers as secret access codes. For example, if you’re looking for your United Mileage Plus number, and you don’t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company. When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.

Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader.

Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document (PDF) from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms.
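As an added illustration (not code from this article or from IATA), here is a minimal Python parser for the fixed-width mandatory section of the barcode string, with a redactor that masks the name, the record locator and each leg's conditional block before a decoded string is shared. The field widths are the BCBP "M" format layout as recalled for this example and should be checked against the IATA document; the sample string and all function names are constructed.

```python
"""Parse the mandatory fields of an IATA BCBP ("M" format) barcode string."""

# (name, width) of the fixed-width mandatory items. Widths are the public BCBP
# layout as recalled for this example (an assumption; check the IATA document).
UNIQUE = [("format_code", 1), ("leg_count", 1),
          ("passenger_name", 20), ("eticket_indicator", 1)]
LEG = [("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
       ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
       ("seat", 4), ("checkin_seq", 5), ("passenger_status", 1),
       ("conditional_size", 2)]

# Constructed sample: one leg, followed by 10 bytes of opaque conditional data.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "YULFRA"
          + "AC".ljust(3) + "0834".ljust(5) + "326" + "J" + "001A"
          + "0025".ljust(5) + "1" + "0A" + "#" * 10)


def _take(raw, pos, layout):
    """Slice consecutive fixed-width fields; return (fields, spans, new_pos)."""
    fields, spans = {}, {}
    for name, width in layout:
        if pos + width > len(raw):
            raise ValueError(f"truncated before field {name!r}")
        fields[name] = raw[pos:pos + width].strip()
        spans[name] = (pos, pos + width)
        pos += width
    return fields, spans, pos


def parse_bcbp(raw):
    """Return header fields, per-leg fields, and the spans worth masking."""
    header, spans, pos = _take(raw, 0, UNIQUE)
    if header["format_code"] != "M" or not header["leg_count"].isdigit():
        raise ValueError("not an 'M' format boarding pass string")
    mask, legs = [spans["passenger_name"]], []
    for _ in range(int(header["leg_count"])):
        leg, spans, pos = _take(raw, pos, LEG)
        # Two hex digits give the length of this leg's conditional block,
        # where items such as the frequent flyer number are carried.
        size = int(leg["conditional_size"], 16)  # ValueError if not hex
        if pos + size > len(raw):
            raise ValueError("conditional block runs past end of data")
        leg["conditional_size"] = size
        mask += [spans["pnr"], (pos, pos + size)]
        pos += size
        legs.append(leg)
    # Anything left after the last leg (e.g. security data) is returned as-is.
    return {"header": header, "legs": legs, "mask": mask, "trailer": raw[pos:]}


def redact(raw):
    """Mask name, record locator and conditional blocks, preserving length."""
    chars = list(raw)
    for start, end in parse_bcbp(raw)["mask"]:
        chars[start:end] = "X" * (end - start)
    return "".join(chars)
```

Running `redact()` on a decoded string before posting or pasting it anywhere leaves the route and flight visible but removes the values that airline sites accept as lookup credentials.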


124 thoughts on “What’s in a Boarding Pass Barcode? A Lot”

  1. Mitch

    I’m wondering how much data the site you’ve pointed to for the decoding is getting and how secure they are.

    1. duke

      Did anyone ever answer this? Having just returned from an international trip, I’d like to try it. But before I do I’d like to know what that site hangs on to. Catch-22. I want to see if there’s any PII on my boarding passes but without trying the site I won’t know.

  2. Oops

    Perhaps more concerning than any of this info is the fact that the pre-check indicator is also included in barcode unencrypted and could easily be manipulated to bypass more stringent security.

    1. Karl Koscher

      The PreCheck indicator is on the boarding pass (in the “selectee” field), but PreCheck boarding passes (as well as boarding passes on your phone) need to be digitally signed. I believe the “selectee” field encodes the response returned by the DHS APIS system. A 0 means normal/cleared, a 1 means “inhibited” (i.e. on the No-Fly List), a 2 means “selectee,” and a 3 means “TSA PreCheck.” (A 4 indicates insufficient passenger information.)

      I believe the airlines are supposed to generate these signatures using an HSM, but I would not be surprised if someone found a vulnerability.

      1. S. Keeling

        “I believe the “selectee” field encodes the response returned by the DHS APIS system. A 0 means normal/cleared, a 1 means “inhibited” (i.e. on the No-Fly List) …”

        Finally, a way to find out whether one’s on the no-fly list or not without having to go to an airport attempting to fly somewhere! :-O

        Kind of stunning. I wonder if any of the kids implementing stuff these days have any clue as to what they’re doing or how any of this !@#$ works. And this is including Lufthansa, of whom I’d expect far better.

        Thanks again, Brian. Holy crap, as usual.

  3. Jim Butler

    The barcode is not the issue. I just decoded the barcode on my American Airlines boarding pass. All the information was printed in plain text on the pass.

    The idea that the frequent flyer number, confirmation number, and name could be used to cancel future flights is still valid, but the barcode was not the problem.

    1. William Clardy

      You make the most cogent point in both the article and the comments, Jim.

      All the gnashing of teeth about the barcoding the information printed in plain text would be amusing if folks weren’t so earnestly panicked about it.

      1. Daniel

        …yes, much ado is made about the common data elements, EXCEPT the key one (Star Alliance – Frequent Flyer Number) isn’t anywhere on the plaintext boarding pass (the author redacted all but the first three characters, so tell me where you find “GJ0” printed in plaintext on the boarding pass?)

        Same with the RecordKey, Airport Codes, Airline Codes and Flight Number (some of that could be searched up online, but having it provided for you makes this trivial. Trivial = ripe for picking).

        So, here’s the challenge, scoffers. Using only the plain data on the boarding pass, log into this guy’s Star Alliance frequent flyer account.

        Can’t? OP point proven.

        1. Cavoyo

          The pictured boarding pass is different from the one with the scanned barcode. As the first picture’s caption says:

          “An older Delta boarding pass with a bar code that does not include a frequent flyer number. Source: IATA.”

    2. Brook Monroe

      The problem solved by including the FFN (and some other data) in the bar code sans encryption is that of interline or alliance travel, particularly that forced by IRROPS. There’s a secured data block supported in the IATA spec, but putting FFNs in that wouldn’t help 5E read ZQ’s data during one of those scenarios.

      Treating FFNs as “secret magic numbers” is as bad an idea as that of using Social Security numbers as database foreign keys–an idea that showed up during the 1980s–the repercussions of which we’re still feeling today. As was said elsewhere, this says more about the security on airline websites than it does about the IATA bar code standard.

  4. ChoppedBroccoli

    This is why I collect and shred them at the end of the trip (I had no idea this much information was on it, but I am paranoid and assumed the worst 😉

    So my question is – is the problem that qr/bar code is directly linked to too much personal information or that there are services that present all this data to the public instead of just the name of the passenger? Sounds like a combination of both. The QR/bar code should be flight specific (or maybe at worst, trip specific), and only have the passenger name. I don’t see why the rewards numbers need to be directly linked to the code (should require another lookup based on a uid or passenger name).

    Nevertheless, great detective work Cory and Brian!

  5. ChoppedBroccoli

    “””
    After that, the site asks for the answer to a pre-selected secret question. The question in the case of Cory’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)
    “””

    As if you needed another reason to NOT be friends with your parents on social networks 😀 !

    1. David Dann

      It’s a good reason to leave blank all the fields in your Facebook profile (that FB is constantly egging me on to fill in), and to also be more circumspect about posting the minutiae of your past and present life.

      1. Tim

        It’s a better idea to not use Facebook at all, [or linked-in, myspace, instagram, etc]
        🙂

    2. Rob

      More like: Another reason not to take secret questions literally.

      1. Bob

        Yup. As far as my bank’s concerned, my mother’s maiden name is Kqzxpoaqwmetx.

        1. Ib O

          Wow, then we are related!
          Kqzxpoaqwmetx is the maiden name of my fathers mothers great grandsons second cousins third daughters mother.
          The world is really small.

    3. S. Keeling

      As if you needed another reason to not be spewing PII via social networking.

  6. Gary

    Has anyone heard of or used electronic boarding passes on their smartphones to avoid this issue?

    Most major airlines have that capability even for international travel.

    1. RBliss

      I’ve used the electronic boarding pass, but eventually stopped. I will often turn my phone off and leave it off for the duration of my trip. If I use electronic boarding passes, I have to dig it out between flights.

      But, the worst was when my flight was delayed. By the time we boarded, the electronic boarding pass had “expired.” (Your flight already left, we cannot retrieve the boarding pass for this flight.)

      A PITA to get a second copy of the boarding pass in the middle of the boarding process.

      1. duke

        This is exactly why it’s good to have 2 copies of that electronic boarding pass. The first you choose is the one you’ve added to your Passbook app (assuming all of you security aware folks use iPhones, not Android devices). Those passes remain regardless of age until you delete them. Then the second copy, the backup, is in the airline’s mobile app.

    1. Lewis

      Decoded… “Why are you viewing this? It’s not a real boarding pass, silly.” 🙂

  7. Jerome

    The amount and quality of information in bar codes (which represent your information) is largely unknown. This is why I shred everything! Even shipping labels!

  8. Charles

    @Brian, a colleague asks “What about the barcode on the luggage tags? Does that contain similar information?”

    1. Pedro Ximenez

      The most recent baggage tag I have actually just has the PNR locator printed on it in plain text.

  9. Alan Hoeffler

    Can’t any authorized ticket agent at the airlines print one up? Is there a limit to how many could be printed by the airline computer system- such as only one per passenger per flight? Now seems like something that could be easily used illegitimately.

  10. Tom

    I wonder what ticket agents at airlines (eg, Southwest) do with boarding passes as they collect them from the passengers during the boarding process.

  11. Sam

    You can see the raw information using any barcode scanner app – but on an iPhone the BP Scanner app – https://itunes.apple.com/us/app/boarding-pass-scanner/id820796885 – shows it to you interpreted, and in a ready-to-email format.

    Interesting how much is on there. Also, many boarding passes have a secure signature to ensure the content isn’t modified, but it doesn’t protect against reading it…

  12. Fritz

    It doesn’t work with SWISS, I tried. You can’t get into past bookings with the Key Code.

  13. JS

    This seems to be a good way to gain information for social engineering.

    I tried to replicate the scenario with a recent boarding pass of mine and there seem to be two errors in the text:

    1. name and record locator only give you access to the flights on lufthansa.com. It does not give you access to the entire account as the text claims (i.e. no possibility to spend miles).
    2. the forgotten-pin-function on united.com works only for United and not for all Star Alliance accounts. Some Star Alliance carriers might have similar mechanisms, but at least for Lufthansa this does not seem to work.

    Still there is a lot of information that can be gained by having access to boarding passes.

  14. Marc P

    “… reset the PIN number …”

    Please stop writing like this. The “N” in PIN stands for “number”. So you’re being redundant. Like writing “ATM machine”, or “SSN number”.

    thanks.

    1. Jay Deet

      Marc P: Agreed! Also things like “Shrimp Scampi” ; guess what Scampi means in Italian?

      1. jj

        Danube in several languages means river basically. English speakers redundify it to Danube River.

    2. Beth R

      Marc, I feel your pain, but you’re not going to win this fight.

  15. Heather R

    Similarly, I am curious about the information that may be contained on hotel key cards. Have you ever explored this?

    1. Charles

      I think the hotel keycards thing has been pretty thoroughly debunked, once in this thread already!

  16. Govt Cheese

    I’m not sure if it’s been mentioned, but if a bad guy knows about your future flights then he would also know when to break into your house.

    1. Govt Ham

      “if a bad guy knows about your future flights then he would also know when to break into your house.”

      And run into my pistol packing wife or son.

    2. S. Keeling

      “… but if a bad guy knows about your future flights then he would also know when to break into your house.”

      Or, when to show up at the airport in order to assassinate you. I wonder how Dick Cheney deals with his boarding passes. He seems to have a lot of detractors these days. If this’s a potential problem for Cheney, lots of other high value targets are as well, pretty much any who use commercial airlines.

      I wonder if TSA has any clue this is going on.

  17. Al Conterra

    On a different barcode matter: What do the barcodes on US postal mail have in terms of information? Address?

    Al

  18. Travis Longmore

    I know nothing about security but this scares me a little. I haven’t really tried to keep much of my life a secret but after having my credit card details stolen while still IN my wallet IN my pocket I’m starting to take things a little more seriously.

    Thanks for the info!

  19. Ronald winkler

    Why are my Apple apps coming in blank why can’t I install my newspaper
    What’s wrong with the updates now
    Can’t Apple do better than this ?

  20. JST

    I fly a lot and have always shredded my used board passes. But I’ve wondered why in an airport gate when you exchange a boarding pass, e.g. seat change, upgrade, they just drop the old one in a wastebasket. Between flights that wastebasket is unattended.

    Also, I’ve always questioned how easy it is to access a flight itinerary record. I think the idea behind easy access is that, say, a hotel concierge or assistant can use just the locator and last name to call up a reservation to check the client/boss in for a flight, print board passes, etc. without logging on with full credentials.

  21. Bill

    Yet another reason to stop sharing so much information on social media. I will never understand how people can be so oblivious to the dangers of sharing things such as a boarding pass on their social media account. The amount of information people share on their social media accounts makes the information gathering process for the bad guys a piece of cake.

    Although I have to admit I have never seen anyone share a picture of their boarding pass, but I would not have not much of it in regards to security.

  22. Wojtek

    I have just tried to use the only somehow hidden information from the boarding pass (the M&M membership number) to reset my PIN, as explained in the article.

    As expected, this failed as the email address was not correct.

    I can imagine trying to social-engineer my way through the M&M phone help desk but the information I would use would be known from the ticket itself (except for the M&M number, which is not a secret anyway)

  23. jus wonderin

    Can this be used in reverse? Can someone create a printed ticket that has the settings they want? Like first class seat, or change their TSA designation etc?

  24. Charles

    I do not know personally but it was reported here earlier that boarding passes with TSA Pre must be digitally signed.

  25. NotMyRealName

    It’s astonishing how careless airlines are with information. A few years ago I was bumped off a US Air flight. After the ground crew left me stranded and moved off to work another gate I noticed that someone had dropped the flight manifest on the ground – the full passenger list (including who had checked in and who had not). This information is not supposed to be released while the flight is in the air and here it was on the floor. It also had all kinds of personal info on each passenger (including me). I’ve still got it around here somewhere.

  26. not worried at all

    Considering that the average American (at least 50%) don’t make enough money to pay any taxes and that over 60% are on some kind of freebee handout – one wonders who would even care.
    Can you imagine sorting through all those air tickets until you finally find some one of substance that will make it worth your while.
    In the old days you could just pick up the phone book and get anyone’s home address and phone number.
    If You think I am some kind of crazy— leave this site and google your own name.
    ooooops

  27. gigi

    I also shred all barcodes that come in Amazon packages and such. I imagine there’s a lot of info on me there as well. Would be interesting to read about it here.

Comments are closed.