October 6, 2015

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screenshot of the boarding pass, enlarged it, and quickly found a site online that could read the data.


An older Delta boarding pass with a bar code that does not include a frequent flyer number. Source: IATA.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.

The information contained in the boarding pass could make it easier for an attacker to reset the PIN used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early steps of resetting a Star Alliance account PIN at United Airlines’ “forgot PIN” Web site.

After that, the site asks for the answer to a pre-selected secret question. The question in the case of Cory’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)


The readout from the barcode on Cory’s friend’s boarding pass (redacted).

United Airlines seems to treat its customers’ frequent flyer numbers as secret access codes. For example, if you’re looking for your United Mileage Plus number, and you don’t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company. When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.

Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader.

Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document (PDF) from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms.
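The barcode layout the article refers to is public (IATA Resolution 792, the "BCBP" format), so a short decoder shows concretely which fields a discarded pass hands over, and how the full frequent flyer number sits in the barcode while the printed pass shows only its tail. This is an added example, not code from the article or from IATA; the item widths are this example's reading of the BCBP layout (an assumption to check against the linked IATA document), and the sample pass is constructed.

```python
# Added example, not from the article or from IATA: decode the mandatory items
# of an IATA Resolution 792 (BCBP) boarding-pass barcode and pull the frequent
# flyer number out of the conditional section. Item widths are this example's
# reading of the BCBP layout (assumption); the sample pass below is constructed.

# Mandatory items of the first leg, in order: (name, width).
MANDATORY = [
    ("format_code", 1),      # "M"
    ("legs", 1),             # number of legs encoded
    ("passenger_name", 20),  # SURNAME/GIVENNAME, space padded
    ("eticket", 1),          # "E" for an electronic ticket
    ("pnr", 7),              # record locator (the "record key" in the article)
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3), ("flight", 5),
    ("julian_date", 3),      # day of year
    ("compartment", 1), ("seat", 4), ("sequence", 5), ("status", 1),
    ("var_size", 2),         # hex length of the conditional section that follows
]

# Per-leg conditional items, after their own 2-character hex size prefix.
REPEATED = [
    ("airline_numeric", 3), ("ticket_serial", 10),
    ("selectee", 1), ("intl_doc_verify", 1),
    ("marketing_carrier", 3), ("ff_airline", 3),
    ("ff_number", 16),       # the full frequent flyer number, unmasked
    ("id_ad", 1), ("baggage_allowance", 3),
]

def _take(data: str, pos: int, layout) -> tuple[dict, int]:
    """Cut fixed-width items out of data from pos; items past the end come back empty."""
    out = {}
    for name, width in layout:
        out[name] = data[pos:pos + width].strip()
        pos += width
    return out, pos

def parse_bcbp(data: str) -> dict:
    if len(data) < 60 or data[0] != "M":
        raise ValueError("not a BCBP boarding pass barcode")
    fields, pos = _take(data, 0, MANDATORY)
    fields.update({name: "" for name, _ in REPEATED}, version="")
    var_len = int(fields["var_size"], 16)
    if var_len and data[pos] == ">":
        # Conditional section: ">" + version + size-prefixed unique block,
        # then the size-prefixed repeated block for this leg.
        fields["version"] = data[pos + 1]
        unique_len = int(data[pos + 2:pos + 4], 16)
        pos += 4 + unique_len  # skip the unique block; only the repeated one is needed
        rep_len = int(data[pos:pos + 2], 16)
        repeated, _ = _take(data[pos + 2:pos + 2 + rep_len], 0, REPEATED)
        fields.update(repeated)
    return fields

def mask_ff(number: str, keep: int = 3) -> str:
    """Render the number as the article says United prints it: all but the last 3 masked."""
    return "*" * max(len(number) - keep, 0) + number[-keep:]

def account_access_fields(parsed: dict) -> dict:
    """The three values the article says were enough to open the booking online."""
    return {
        "surname": parsed["passenger_name"].split("/")[0],
        "record_locator": parsed["pnr"],
        "frequent_flyer": parsed["ff_number"],
    }

def _fit(values, layout) -> str:
    return "".join(v.ljust(w) for (_, w), v in zip(layout, values))

# Constructed sample: one Lufthansa leg with a version 5 conditional section.
_UNIQUE = "0" + "W" + "W" + "5279" + "B" + "LH " + " " * 13          # 24 chars
_REPEATED = _fit(["220", "1234567890", "", "", "LH", "LH", "992001234567", "", "2PC"], REPEATED)
_VARIABLE = ">5" + f"{len(_UNIQUE):02X}" + _UNIQUE + f"{len(_REPEATED):02X}" + _REPEATED
SAMPLE = _fit(["M", "1", "DOE/JANE", "E", "ABC123", "FRA", "JFK", "LH", "0400",
               "279", "Y", "023A", "0042", "1", f"{len(_VARIABLE):02X}"], MANDATORY) + _VARIABLE

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE)
    print("printed on pass :", mask_ff(decoded["ff_number"]))
    print("in the barcode  :", decoded["ff_number"])
    print("enough to log in:", account_access_fields(decoded))
```

A pass whose `var_size` is `00` (mandatory items only) decodes to empty conditional fields, which is how older passes like the IATA sample above the fold look.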


124 thoughts on “What’s in a Boarding Pass Barcode? A Lot”

  1. Paul Lawler

    Okay, but what’s the big deal about decoding the bar code? All that information (Name, record locator, etc.) is printed right on the boarding pass in plain English.

    1. BrianKrebs Post author

      It’s not all on the boarding pass. Read the story. Some airlines treat frequent flyer codes as semi-secret, and redact them from boarding passes and email communications, but leave them in plaintext on the barcode. The story gives one example.

      1. Gabor Szathmari

        I suspect it is to cover up their bad authentication practices. For example KLM only uses a 4 digit PIN as a password on their frequent flyer page.

        1. Robert.Walter

          Lufthansa does smth similar. No chance to use a best practice long complex pw as generated by iCloud Keychain.

          Spoke to a Lufthansa IT rep in the states who chalked this up to the arrogance of Knucklehead Germans.

          1. Robert.Walter

To clarify, Lufthansa’s knucklehead IT department, like in so many companies, requires one to log in using their account number (as bad as using email address as a username) as their user name (as I understood it this was for legacy accounts), and offers users no way to change this to a username of their own choosing.

      2. Andrew MacPherson

All this information was originally in the magstripe? What’s the big deal about it now being in a different format, that it is easier to decode with a phone than a square reader?

  2. itsmeitsmeitsddp

    I would suspect that bus and train (albeit less used than airlines) would still have the same type of information on the tickets and schedules that the airlines do.

  3. TC

    “Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.”

    “Take a picture of the barcode with your phone, and upload it to this site.”

    Come on Krebs, you can’t tell us to be more careful with our boarding passes, and then in the same article recommend uploading photos of it to some random website. That’s appalling advice.

    1. JCitizen

If you force SSL on the URL, it looks like it goes to a different page where you can upload things a little safer. If they are going to do that, and have a good web of trust rating, chances are they are a legitimate site. The information in their hands is obviously no worse than how the airline stores it – so you might as well try it.

      1. TC

        Transport Layer Security has nothing to do with how a website stores your data, nor does it offer any assurance on how trustworthy the owner and operator of the website is.

        The “Web of Trust” rating is a very shallow assurance. It only guarantees that nobody has sufficiently proven any dodgy activity to that particular Web of Trust provider. No in depth audit is undertaken, therefore it does not prove that the website owner is storing this data securely in the event of a breach (or more nefarious purposes).

    2. Nathaniel

      If you want to keep things local, search for “PDF417 Barcode Scanner” on the App Store or Play Store. It’s a standard format and there are many apps out there that can read it.

      1. Rabid Howler Monkey

Keeping one’s data locally with mobile apps can be problematic as more than a few app developers augment their income by collecting user data. In this particular case, the data could be strictly barcode-related or, more ominously, include additional data stored on one’s device…depending on the permissions used by an app.

    3. Ben

      I know, anecdotally, that Krebs is reputable, but this really had me doing a double-take.

    4. Ryan

      Yeah, that had me do a double-take. Looks like just a PDF417, which “Barcode Scanner” by ZXing team or the related Barcode Scanner+ can scan right on your phone (in airplane mode if you’re in one or want to turn off comms) if the stars and camera align. (Same kind as on the back of US drivers licenses, except there it’s just a machine-readable version of the front plaintext)

  4. Dave R

    This isn’t news. And all the information in the barcode is printed in plain text on the boarding pass. You don’t need to scan the pass to get the info.

    Any bar code scanner app that supports the PDF417 standard will also read boarding pass barcodes – I use one for iOS called “Scanner” by ManateeWorks. Used to come in handy to figure out if I was getting Precheck before they started printing it on the boarding pass.

    1. BrianKrebs Post author

      It’s called awareness. I never claimed this was “news”. In fact at the bottom of the piece I reference a similar story from 2011.

      And, depending on the airline, it’s not all on the readable portion of the boarding pass. Read the story. Some airlines treat frequent flyer codes as semi-secret, and redact them from boarding passes and email communications, but leave them in plaintext on the barcode.

      1. Dave R

        Ah, missed that part. I haven’t seen a boarding pass with a redacted frequent flyer number, but I guess I don’t travel nearly as much as I used to… 🙂

    2. Stu

It may not be “news” for many of Brian’s regular readers but I can think of many people who would be surprised to learn about this. I for one was not aware, and found the article quite informative. Also I don’t believe phone numbers are usually printed on the boarding pass.

  5. TomB

    Is similar info on baggage tags? Thanks for keeping us all informed!

  6. John McCarthy

    If you think this is bad take a look at what is printed on your hotel mag stripes for your hotel keys.

    1. Paul Lawler

      What do you think that is precisely? Hotels generally have no practical or functional reason for wanting to encode customers’ personal information on their room key cards; most of them have databases that store the very same customer data, so they have no reason to encode anything more than basic information (e.g., room number, access code, activation and expiration dates) on the key cards themselves.

    2. Notme

      Can you give some examples of what data is stored on the key?

  7. a38

    A while ago, 2years or so, we where able to retrieve the data about the payment from some festival tickets. Come to think about it, a abuse of these data would not be a to hard thing to do. Especialy with a singel target profiel. This brothers me, shouldn’t the private data be hadden?

      1. Robert.Walter

        Did it occur to you that this might be a non native English speaker, without English spell check or fighting a foreign language spell checker?

        1. Rui

          I second that. I had so much problems with my mother tongue dictionaries acting up I ended up disabling them. Technology is not perfect. the original poster could be visually impaired too

      2. Brail draft

        You’re a victim of your english teachers at school.
        There is no canonical spelling, or pronunciation, of any word in english. Disctionaries[sic] are collections of words as used by people. That’s why there are so many dictionaries. As long as you understand what the author is saying the actaul[sic] spelling is irrelevant.

        1. bob

          Utter bollocks. I don’t know what you think you mean by canonical but spelling and grammar are standardised to aid reading and comprehension. It takes significantly more time to parse bad spelling and grammar. Lazy writers are justly penalised for their selfishness. Poor writers need to be careful.

      3. a38

Duck! The auto-correct on Dutch and I didn’t notice, glad to see some decent replies.
        I had some good fun decoding newer barcodes the past few days, how about you guys?

  8. Dan Clements

    I am an underwater photographer/publisher who does a lot of travel and flying. Great information, but I cannot remember the last time I had a paper boarding pass. All electronic on a smart phone. Starting to see this on a limited basis with hotel “keys.”

    What I worry about is hacking of Apple’s key chain and the subsequent exposure of those log on credentials.

    1. Robert.Walter

      Me too. Although I use it and recommend it and feel it is better overall than any alternative, I still fear that some event will demonstrate that it could have been more robust.

    2. Robert.Walter

      Me too.

      Although I both depend on and recommend iCloud Keychain, and think it is better than any other alternative available to me, I fear that some future event will demonstrate it could have been more robust (like some other, now improved, aspects of Apple’s other security features.)

  9. Kyle H

    You can use zxing (github.com/zxing/zxing) to decode PDF417 2-dimensional barcodes. On Android’s Play Store, the project also has an app called “Barcode Scanner” which can often (though not always) decode them.

  10. Rob B

    While many readers have already pointed out that the information in the barcode is visible on the face of the pass, this isn’t really the issue. It’s that airlines, in an effort to dumb down access to their self-service applications (especially websites) make it all too easy to access travel records and user profiles with very little in the way of verification.

    The example given of some airlines using frequent flyer data as an access key is a prime example. It has been true even before the days of barcodes that I could pull an old boarding pass from someone else out of a seat pocket or off the floor in baggage claim and probably access their records. In fact, IATA Resolution 792, the industry spec that stipulates boarding pass barcodes that is referenced in the article, does not contemplate use beyond the document’s original purpose – rapid scanning of basic boarding pass data at the gate.

    The solution is to make access to the info (via the website) harder. As airlines automate more, and depend upon their travelers to self-serve, this should not be done at the expense of some basic security best practices. For instance, force users to create a unique username and password to use for check-in on websites rather than allowing search criteria such as confirmation number, frequent flyer number, or (gasp!) credit card number.

    1. Robert.Walter

      Delta upgraded their site earlier in the year.

      Where one previously had to use their FF number (Or IIRC their email addy) as their username, Delta changed this to a user-defined username, and added a third field (last name) to the authentication page.

      Wish more sites would allow user-defined usernames, but great kudos to Delta.

      (Now only for 2FA Delta.)

  11. Greg D.

    Thanks for this article Brian! I always suspected there was something unsafe about boarding passes. I have thought many times, how one could use the info on the boarding pass to log into the airline’s website under the user’s account and totally mess with or steal the user’s info. This article proves it. Keep up the great work.

    1. BrianKrebs Post author

      Yes, and no. Yes, it is a myth or urban legend that there is all kinds of personal data on regular plastic hotel keys.

However, it is not at all uncommon for credit card thieves — people who buy stolen card data and encode it onto new plastic and go shopping in big-box stores for stuff they can easily resell for cash — to use old hotel keys to store card data, so that if they’re stopped and searched by police it’s not immediately evident that they’re holding stolen credit cards (they look like old hotel keys).

      I wrote about this in 2006 when I was at The Washington Post.

      http://voices.washingtonpost.com/securityfix/2006/03/street_level_credit_card_fraud.html

  12. Charles

    The hotel key thing is an urban myth. Check it out on Snopes. There would be no reason for the hotel to want any personal information to be on your hotel keycard.

  13. Dave Bacher

    Instead of uploading the barcode to the website, you can use any number of apps that can process the barcodes locally, without sending one byte of data to the cloud.

    Google has a library for Windows Phone, Android, iOS and Blackberry that reads QR Codes and other barcodes directly. There are a large number of apps that can just decode them. Requires just a couple minutes to write one for Windows 10, for example.

    Using a website should always be a last resort — you’re sharing whatever you scanned with whoever runs the website, you’re sharing it with whoever owns the servers, and in many cases that will be companies like Google that have a proven track record of sharing data indiscriminately until they get caught.

    1. Cory Gross

      You can decode something like this on a website without ever sending your data into “the cloud”. A website can allow you to load an image locally from your file system, decode it on the client, and give you back the data without ever sending anything back to the server.

Of course there is no guarantee that data won’t be sent to the server, but it’s not necessarily going to the server when you “upload” an image to a website as the author puts it. Upload is really not the correct term here.

  14. JOAQUIN

    Brian,

    This is something us older folks are notorious for doing….above 65 years of age! I’ve tossed my [and have seen others do likewise] boarding pass many times into the first trash receptacle I see after exiting the plane.

Very grateful for the heads-up. Read your column every time, learn something new just as often, to keep ahead of the “black hats”.

    Many thanks!

  15. Allan Ewing

    Thank you very much for the excellent article, Mr Krebs. I really had no idea that so much information was on the boarding pass. I am just stunned.

  16. Eric

    This helps to highlight why the security questions that many websites use are nothing more than security theater if you use them as they were intended.

    But one can use the existing system and improve upon it greatly. The approach that I use is non-sequitur answers. Example: “What was the first car you ever owned” – answer might be “chocolate”, “cat” or “paint”. For this to work, I have to keep the non-sequitur answers in my password vault on my phone (secured with a yubikey). Using random passwords as the “answers” could cause trouble – you might need to supply the answer to a customer service agent over the phone, and reading off 15 random characters could be a challenge.

    1. zorkman

      Concur.

If you have a password management app, then you can go even further — not just non-sequitur answers, but answers that are entirely nonsense, even strings of random characters created by a password-generating tool. And for sites that allow you to create your own questions, you can also create nonsense questions, as well.

  17. reposted

    I saw a presentation about this at a SecKC meeting. position A00…

  18. Walt French

    I used the linked site to read my CA driver’s license.

    Approximately everything—I’m not sure what “Data Type 11” means—is printed out in plaintext on the front or back.

    Seems the real issue here is not the barcodes but the fact that some issuers have sloppy security standards.

    It’d be pretty hard to target a specific individual by chasing down his discarded boarding passes, no? And pretty unlikely that Lufthansa would allow me to put dozens of people’s future ticket purchases onto MY frequent-miles account, and not notice.

    Maybe I’m missing something? What is the actual threat from exposed barcodes per se?

  19. MCB

    The Inlite Research site was unable to decode a Southwest Airlines 2D barcode. Does anyone know what format that barcode is?

  20. Michael

    I could be wrong, but the barcode on this boarding pass doesn’t seem to have a cryptographic hash in it to prevent forgery. (The IATA spec does set aside space for one. I would have thought that more airlines would have implemented hashing…)

  21. Francis Kim

    Yet this hasn’t been an issue that the public is aware of, ever. But when Facebook or Google update their Privacy Policy, everyone loses their minds.

  22. IA Eng

    Just think, its a lot of information – some that a stalker or a person with a vendetta didn’t have before. They now know what airlines you fly, the frequency of your flying habits (day of week, time, routes).

    So VIP’s, stars and people who have less than appealing followers probably haven’t thought much about these boarding passes and probably have chucked them in public waste bins at the exit to the airport, or at home in the trash that eventually gets put curbside.

    It’s not hard to think of ways to make people hate life by altering info on a connecting flight when you just took off, or cancelling a flight 30-45 minutes before the person arrives at the counter.

    Targeted attacks happen all of the time. For those that are determined, any additional information or “show of power” over a victim can sway a person’s decision at any given moment. I am sure it can become a scary ordeal.

    Save a forest, simply have people opt in for a bank-like card that has a 4-8 digit PIN and contains the minimal amount of information. Cards can then be brought close to a proximity scanner and if the light turns green, the person can board.

  23. Red Oktober

    *V$ Computer outages force delays in So. Cal, Atlanta (S 12 2)

    Vm Winnipeg rodent blows transformer, blacks out air-traffic control (R 23 61)

    * Macaque reaches 747 cockpit controls; monkey loose on Cosmos 1887 (S 12 4)

    $ Travicom computerized air cargo system withdrawn; £5M lost (S 12 2)

    $H Computer hides discount airline seats from agents; lost sales (S 12 2)

    $f Pricing program loses American Airlines $50M in ticket sales (S 13 4)

    f,h,i Ordering airline tickets on-line: Nonatomic transaction gave tickets but no reservation (R 19 27); name confusions on e-tickets, with similar names (R 19 28) and identical names (R 19 29)

    $d American Airlines reservation system SW woes adding cars, hotels (S 17 4)

    V$m Power outage causes Australian airline reservation system “virus” (S 13 3)

    f Delayed DoT airline complaint report blamed on computer (S 12 3)

    $ First-day snafu at new Pittsburgh Airport; BA luggage uncoded (S 18 1:25)

    Vm Hong Kong Flying Service computers corroded by hydrogen sulphide (R 19 41)

    $f*h British Air 10M-pound inventory system loses parts, earnings, convictions, user confidence, nearly causes deaths, and costs legal expenses (S 18 1:9)

    *?f?V? Out with pilots, in with pibots in our national airspace (R 21 96), and flocking algorithms (R 22 01)

    deS? F-35 fighter jet too reliant on foreign software? (R 23 13)

    Illustrative Risks to the Public in the Use of Computer Systems and Related Technology

    Nothing has ever been successfully defended. There’s only attack, attack and more attack.

  24. Eric

Boarding passes on US carriers are less secure than foreign carriers. Take British Airways for example. BA doesn’t list a record locator number or a ticket number on their boarding passes. The only way to find this information out is through the barcode. Also you don’t need a website to read the code, all you need is an app on your phone. Also if someone were to get ahold of, let’s say, your outbound flight boarding pass, they could access your reservation and cancel your return flight.

  25. Mike Novack

    Years ago I had a lightbulb go off in my head regarding answering all these stupid questions about “your pet’s name”, “mother’s maiden name”, “high school”. Way back then it was not so common for this info to be easily available to any via FB and other social network sites. These days, when I’m asked for any of that kind of info I just make up a completely bogus answer … e.g., for pet name I might use “Godzilla”, for high school, “Ridgemont”, and so on. The airline or other web site has no way to know if these answers are right, but have bamboozled us into thinking they do and they must be correct. Only problem is remembering your answers.

    1. IA Eng

Yes, you’re absolutely right on for the answers. It doesn’t matter what they are, as long as you can answer them.

      It’s not a test to see if you remember the info provided – unless it’s something that is challenged by the credit reporting agencies – then choices have to be real.

      The only thing I can add is, come up with a Theme for each site that offers challenge questions, or simply write them down in a notepad vice keeping them on a computer.

      I am not a big fan of the social information gathering sites where people tend to let their guards down and give out tidbits of personal information. You are right, eventually, either through a unique phrase/saying and a name, you can dig further and further to find out info.

      Thanks to the exposure of Sarah Palin’s account getting taken over, people somewhat took notice of how easy people can answer these questions for you.

      I bet Sarah P. is one that has also embraced the notion not to use PII when answering the “challenge” questions.

    2. Chriz

      Been doing this for years now, pretty much since the beginning. I also encourage everyone around me to do the same. Working in an industry where these questions get regularly asked, I can tell you that most questions/answers are dumb stupid and can be found easily if you know the person or have access to her Facebook profile.

Problem is: most companies enforce password complexity but discard the importance of these Q/A. And most of all, too many companies store this information in plain clear text in the database.

      Don’t know the password? No problem, have it reset.
      Don’t have the key to the front door? No problem, use the unlocked garage door…

  26. Frooom

    People seem to be overlooking something very important here: the ability to see future travel plans or booked flights (not to mention cancelling flights on someone for malicious fun). With this, criminals could pick times/dates to burglarize homes and properties while folks are away travelling. NOT saying “will”, just saying COULD.

Comments are closed.