An October 2015 piece published here about the potential dangers of tossing out or posting online your airline boarding pass remains one of the most-read stories on this site. One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your privacy or even cause trip disruptions down the road.
In What’s In a Boarding Pass Barcode? A Lot, KrebsOnSecurity told the story of a reader whose friend posted a picture of a boarding pass on Facebook. The reader was able to use the airline’s Web site combined with data printed on the boarding pass to discover additional information about his friend. That data included details of future travel, the ability to alter or cancel upcoming flights, and a key component need to access the traveler’s frequent flyer account.
More recently, security researcher Michal Špaček gave a talk at a conference in the Czech Republic in which he explained how a few details gleaned from a picture of a friend’s boarding pass posted online give him the ability to view passport information on his friend via the airline’s Web site, and to change the password for another friend’s United Airlines frequent flyer account.
Working from a British Airways boarding pass that a friend posted to Instagram, Špaček found he could log in to the airline’s passenger reservations page using the six-digit booking code (a.k.a. PNR or passenger name record) and the last name of the passenger (both are displayed on the front of the BA boarding pass).
Once inside his friend’s account, Špaček saw he could cancel future flights, and view or edit his friend’s passport number, citizenship, expiration date and date of birth. In my 2015 story, I showed how this exact technique permitted access to the same information on Lufthansa customers (this still appears to be the case).
Špaček also reminds readers about the dangers of posting boarding pass barcodes or QR codes online, noting there are several barcode scanning apps and Web sites that can extract text data stored in bar codes and QR codes. Boarding pass bar codes and QR codes usually contain all of the data shown on the front of a boarding pass, and some boarding pass barcodes actually conceal even more personal information than what’s printed on the boarding pass.
As I noted back in 2015, United Airlines treats its customers’ frequent flyer numbers as secret access codes. For example, if you’re looking for your United Mileage Plus number, and you don’t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company.
When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the customer’s full Mileage Plus number is available if you take the time to decode the barcode on any United boarding pass.
Until very recently, if you knew the Mileage Plus number and last name of a United customer, you would have been able to reset their frequent flyer account password simply by guessing the multiple-choice answer to two secret questions about the customer. However, United has since added a third step — requiring the customer to click a link in an email that gets generated when someone successfully guesses the multiple-choice answers to the two secret questions.
It’s crazy how many people post pictures of their boarding pass on various social networking sites, often before and/or during their existing trip. A search on Instagram for the term “boarding pass”, for example, returned more than 91,000 such images. Not all of those images include the full barcode or boarding record locator, but plenty enough do and that’s just one social network.
For anyone interested in how much of today’s airline industry still relies on security by obscurity, check out this excellent talk from last year’s Chaos Communication Congress (CCC) in Berlin by security researchers Karsten Nohl and Nemanja Nikodijevic. Nohl notes that the six digit booking code or PNR is essentially a temporary password issued by airlines that is then summarily printed on all luggage tags and inside all boarding pass barcodes.
“You would imagine that if they treat it as a password equivalent then they would keep it secret like a password,” Nohl said. “Only, they don’t, but rather print it on everything you get from the airline. For instance, on every piece of luggage you have your last name and the six-digit (PNR) code.”
In his talk, Nohl showed how these PNRs are used in code-sharing agreements between and among airlines, meaning that gaining access to someone else’s frequent flyer account may reveal information associated with that customer’s accounts at other airlines.
Nohl and his co-presenter also demonstrated how some third-party travel sites do little to prevent automated programs from rapidly submitting the same last name and changing the PNR, essentially letting an attacker brute-force a targeted customer’s PNR.
My advice: Avoid the temptation to brag online about that upcoming trip or vacation. Thieves looking to rob someone in your area will be delighted to see this kind of information posted online.
Don’t post online pictures of your boarding pass or anything else with a barcode in it (e.g., there are currently 42,000 search results on Instagram for “concert tickets”).
Finally, avoid leaving your boarding pass in the trash at the airport or tucked into that seat-back pocket in front of you before deplaning. Instead, bring it home and shred it. Better still, don’t get a paper boarding pass at all (use a mobile).