24 Aug 17

Why It’s Still A Bad Idea to Post or Trash Your Airline Boarding Pass

An October 2015 piece published here about the potential dangers of tossing out or posting online your airline boarding pass remains one of the most-read stories on this site. One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your privacy or even cause trip disruptions down the road.

In What’s In a Boarding Pass Barcode? A Lot, KrebsOnSecurity told the story of a reader whose friend posted a picture of a boarding pass on Facebook. The reader was able to use the airline’s Web site combined with data printed on the boarding pass to discover additional information about his friend. That data included details of future travel, the ability to alter or cancel upcoming flights, and a key component needed to access the traveler’s frequent flyer account.

A search on Instagram for "boarding pass" returned 91,000+ results.


More recently, security researcher Michal Špaček gave a talk at a conference in the Czech Republic in which he explained how a few details gleaned from a picture of a friend’s boarding pass posted online give him the ability to view passport information on his friend via the airline’s Web site, and to change the password for another friend’s United Airlines frequent flyer account.

Working from a British Airways boarding pass that a friend posted to Instagram, Špaček found he could log in to the airline’s passenger reservations page using the six-digit booking code (a.k.a. PNR or passenger name record) and the last name of the passenger (both are displayed on the front of the BA boarding pass).

Once inside his friend’s account, Špaček saw he could cancel future flights, and view or edit his friend’s passport number, citizenship, expiration date and date of birth. In my 2015 story, I showed how this exact technique permitted access to the same information on Lufthansa customers (this still appears to be the case).

Špaček also reminds readers about the dangers of posting boarding pass barcodes or QR codes online, noting there are several barcode scanning apps and Web sites that can extract text data stored in bar codes and QR codes. Boarding pass bar codes and QR codes usually contain all of the data shown on the front of a boarding pass, and some boarding pass barcodes actually conceal even more personal information than what’s printed on the boarding pass.
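To make concrete what a scanning app recovers, here is an added example of my own (not code from the post, from Špaček, or from any airline) that encodes and decodes the fixed-width mandatory section of the IATA Bar Coded Boarding Pass (BCBP) layout and lists the items that double as log-in credentials; the sample pass, passenger and flight are constructed.

```python
# IATA BCBP mandatory items for the first flight leg: (name, width).
# Items are fixed width and space padded; a constructed sample follows.
BCBP_MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket", 1), ("pnr", 7), ("from", 3), ("to", 3),
    ("carrier", 3), ("flight", 5), ("julian_date", 3),
    ("compartment", 1), ("seat", 4), ("checkin_seq", 5),
    ("pax_status", 1), ("cond_len_hex", 2),
]

def encode_bcbp(fields):
    """Pad each item to its width and concatenate (what the airline prints)."""
    return "".join(str(fields[name]).ljust(width)[:width]
                   for name, width in BCBP_MANDATORY)

def decode_bcbp(data):
    """Slice the mandatory items back out; no key or airline server needed."""
    if not data.startswith("M"):
        raise ValueError("not a BCBP payload")
    out, pos = {}, 0
    for name, width in BCBP_MANDATORY:
        out[name] = data[pos:pos + width].strip()
        pos += width
    # Whatever follows is the conditional section (optional items such as a
    # frequent flyer number); its length is given as two hex digits.
    out["conditional"] = data[pos:pos + int(out["cond_len_hex"] or "0", 16)]
    return out

def exposed_credentials(decoded):
    """Items that serve as log-in credentials on airline sites, yet sit in cleartext."""
    return {k: decoded[k] for k in ("passenger_name", "pnr") if decoded.get(k)}

# Constructed sample: not a real passenger, booking or flight.
SAMPLE_PASS = encode_bcbp({
    "format_code": "M", "legs": 1, "passenger_name": "DOE/JANE",
    "eticket": "E", "pnr": "XYZ789", "from": "LHR", "to": "JFK",
    "carrier": "BA", "flight": "0117", "julian_date": "229",
    "compartment": "Y", "seat": "012C", "checkin_seq": "0042",
    "pax_status": "1", "cond_len_hex": "00",
})

if __name__ == "__main__":
    print(SAMPLE_PASS)
    print(exposed_credentials(decode_bcbp(SAMPLE_PASS)))
```

The record locator and last name come straight out of the barcode text, which is exactly the pair the airline sites described above accept as a login.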

As I noted back in 2015, United Airlines treats its customers’ frequent flyer numbers as secret access codes. For example, if you’re looking for your United Mileage Plus number, and you don’t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company.

When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the customer’s full Mileage Plus number is available if you take the time to decode the barcode on any United boarding pass.

Until very recently, if you knew the Mileage Plus number and last name of a United customer, you would have been able to reset their frequent flyer account password simply by guessing the multiple-choice answer to two secret questions about the customer. However, United has since added a third step — requiring the customer to click a link in an email that gets generated when someone successfully guesses the multiple-choice answers to the two secret questions.

It’s crazy how many people post pictures of their boarding pass on social networking sites, often before or during the trip itself. A search on Instagram for the term “boarding pass”, for example, returned more than 91,000 such images. Not all of those images include the full barcode or booking record locator, but plenty do, and that’s just one social network.

For anyone interested in how much of today’s airline industry still relies on security by obscurity, check out this excellent talk from last year’s Chaos Communication Congress (CCC) in Berlin by security researchers Karsten Nohl and Nemanja Nikodijevic. Nohl notes that the six-digit booking code or PNR is essentially a temporary password issued by airlines that is then summarily printed on all luggage tags and inside all boarding pass barcodes.

“You would imagine that if they treat it as a password equivalent then they would keep it secret like a password,” Nohl said. “Only, they don’t, but rather print it on everything you get from the airline. For instance, on every piece of luggage you have your last name and the six-digit (PNR) code.”

In his talk, Nohl showed how these PNRs are used in code-sharing agreements between and among airlines, meaning that gaining access to someone else’s frequent flyer account may reveal information associated with that customer’s accounts at other airlines.

Nohl and his co-presenter also demonstrated how some third-party travel sites do little to prevent automated programs from rapidly submitting the same last name and changing the PNR, essentially letting an attacker brute-force a targeted customer’s PNR.
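As an added example of how a site operator would spot the lookup pattern Nohl described (my code, not from the talk or any travel site), this flags one client trying many record locators against the same last name inside a short window; the log format and entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (format assumed for this example):
# "<ISO time> <client ip> lookup name=<LASTNAME> pnr=<CODE> result=<ok|miss>"
SAMPLE_LOG = [
    f"2017-08-24T10:00:{i:02d} 198.51.100.7 lookup name=DOE pnr=AB{i:04d} result=miss"
    for i in range(12)
] + [
    "2017-08-24T10:00:30 203.0.113.5 lookup name=SMITH pnr=QRS123 result=ok",
    "2017-08-24T10:03:00 203.0.113.9 lookup name=DOE pnr=XYZ789 result=ok",
]

def parse_lookup(line):
    """Return (ip, last name, timestamp, pnr) for one lookup log line."""
    ts, ip, _, name, pnr, _ = line.split()
    return ip, name.split("=", 1)[1], datetime.fromisoformat(ts), pnr.split("=", 1)[1]

def detect_pnr_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Flag (ip, last name) pairs that try >= threshold distinct PNRs within one window."""
    by_key = defaultdict(list)
    for line in lines:
        ip, name, ts, pnr = parse_lookup(line)
        by_key[(ip, name)].append((ts, pnr))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {pnr for _, pnr in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    print(detect_pnr_enumeration(SAMPLE_LOG))
```

A single genuine lookup with the right code (the 203.0.113.9 line) is not flagged; only the client cycling through codes for the same name is.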

My advice: Avoid the temptation to brag online about that upcoming trip or vacation. Thieves looking to rob someone in your area will be delighted to see this kind of information posted online.

Don’t post online pictures of your boarding pass or anything else with a barcode in it (e.g., there are currently 42,000 search results on Instagram for “concert tickets”).

Finally, avoid leaving your boarding pass in the trash at the airport or tucked into that seat-back pocket in front of you before deplaning. Instead, bring it home and shred it. Better still, don’t get a paper boarding pass at all (use a mobile).


28 comments

  1. I recommend to keep the boarding pass in your documents instead of shredding it. From time to time, class actions are authorized against airlines and the boarding pass makes it simpler to prove that you took a flight with the airline at a certain date.

    • I go as far as tearing off the label from checked baggage and shredding that as well.. I leave no traces behind..

      • Some shredders don’t like the sticky stuff on peel-off backings. So, stick it to another paper first. Better yet, keep a box of things to be burnt.

        The shredder may not like the paper type or adhesives, but the papers and adhesives all love a good bonfire once it gets going.

      • I find a very sharp pair of scissors will chop up every adhesive label that I have ever encountered.

        Yes, it takes some effort compared to “drop it in a shredder”, but if you chopped it up by hand you know how well you destroyed the original.

        Heck, you can even “crosscut” the remaining bits as much as you want/can and then know with some certainty that only a seriously determined identity thief with lots of time on their hands could reassemble it from the trash bin(s).

  2. Brian, you briefly mention certain sensitive information is also encoded on luggage tags, but don’t specifically mention a recommendation for secure disposal. Any clarification you can share?

    Ps – thanks for years of informative reporting. You are by far my preferred source for novice understandable infosec information.

  3. It can be summed up in one line: Follow hygienic internet practices! If it is about paper and ink then use your phone.

  4. Excellent article and reminders about personal Opsec. I tweeted this out – hope that is ok.
    Don

  5. This just goes to prove that People are the common threat.. You can explain it until you are blue in the face, but they won’t change in their ways.. I look at this information as common knowledge.. basically destroy anything that provides (or has) personal info that allows you access to, either on or in, something whether it be a boarding pass, pre-printed luggage label ( even the claim tag). I mean I am shocked (I shouldn’t be) at the number of boarding passes posted to social media (The devil itself).. just asking for trouble…

  6. Keith Appleyard

    Re final sentence “…. Better still, don’t get a paper boarding pass at all (use a mobile)….” I saw a very distressed American lady in Heraklion Airport (Crete, Greece) last month whose phone wasn’t working so she couldn’t display her boarding pass, so she was denied boarding. I print out all my Boarding Passes & Visas at least 24 hours before travelling in case my ISP is down or my Printer breaks. Leave nothing to chance.

    • (bump)

      Agreed. I do the same.

      • Simply take a screenshot of your boarding pass. Solves the no ISP/Internet connection issue. Also with proper ID, any gate agent can print a copy of your boarding pass for you. Don’t miss the trees for the forest.

        • Apparently you’ve never traveled in the Second or Third World.
          In some locations, this is the golden bribe extraction opportunity against the “rich westerner” who can afford planes AND an iPhone.

          They will take US$ for their services…small denominations to avoid large US$ counterfeits…rampant in their country…

          The larger point being made by others here is to think about your situation individually, and not be overly reliant on your mindless game and social media device.

  7. “PNR is essentially a temporary password” – if it’s temporary, when does it expire?

    The boarding passes that people post are mostly for completed flights. The PNR should be expired for completed flights. If it’s not expired promptly, I don’t understand why.

    • The PNR is the actual complete reservation, not the code. The six digit code is the record locator which is what is used to actually LOCATE the reservation.

      The PNR can actually expire the day after travel is complete, however a lot of travel agencies add a retention line to keep the PNR live for a set length of time after travel (sometimes up to 6 months) to make it easier to look at in case of a customer service issue.

      If it’s not kept live then the greedy GDS companies charge a fee for retrieving the details.

  8. IRS iTUNE cards (Number 1 Fan)

    Yes, let’s keep our boarding pass private. Great recommendation, Krebs!

  9. Public access to a computer system’s data should require more than a simple QR code.

    This should be a two step process. (1) Authenticate with the computer with a user id, password, pin, etc.. (2) share data quickly using the QR code.

    The QR code should contain nothing more than a pointer to a database record. Without access to the database, the code is useless.

    Bar Codes and QR Codes should only contain public data. Any private data must be stored in a secure database that would require authentication to access the data. The QR Code can contain a pointer to the database record. This is a best practice.

    Perhaps someone should teach the airlines.

    • An interesting idea and good recommendation under other circumstances, however, can you imagine the time the boarding process would take if every person had to enter their user credentials after scanning their boarding pass at the gate?

      Many people are severely technically challenged by the POS at the grocery store and ATMs, and you are suggesting that you add an authentication step to the already minimally functional boarding process to get on a plane.

      I agree that something should change, but a better implementation would need to be considered.

      • I read Tony’s response to mean, the QR/bar code should only mean something when scanned by the airline’s own computer.

        An independent QR scanner on my cell phone wouldn’t have access to the airline’s DB, and in turn I’d get no usable information from decoding it.
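The opaque-pointer design proposed in this comment thread, as an added sketch of my own (not any airline’s implementation): the barcode carries only a random id plus an HMAC tag, the passenger data stays server-side, an independent scanner sees bytes that mean nothing, and an altered token is rejected before lookup. The key and the in-memory store stand in for the airline’s real systems.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for the example: an airline-side secret key and an in-memory
# stand-in for the reservations database.
SERVER_KEY = secrets.token_bytes(32)
RESERVATIONS = {}
ID_LEN, TAG_LEN = 16, 16

def _tag(token_id):
    return hmac.new(SERVER_KEY, token_id, hashlib.sha256).digest()[:TAG_LEN]

def issue_pass_token(record):
    """Store the record server-side; the barcode gets only id + HMAC tag."""
    token_id = secrets.token_bytes(ID_LEN)
    RESERVATIONS[token_id] = record
    return base64.urlsafe_b64encode(token_id + _tag(token_id)).decode()

def resolve_pass_token(token):
    """Airline scanner: verify the tag, then look the record up. None if forged."""
    raw = base64.urlsafe_b64decode(token)
    token_id, tag = raw[:ID_LEN], raw[ID_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(_tag(token_id), tag):
        return None
    return RESERVATIONS.get(token_id)

def offline_decode(token):
    """What a third-party scanner sees: random bytes carrying no passenger data."""
    return base64.urlsafe_b64decode(token)

def tamper(token):
    """Flip one bit of the id to simulate an altered or guessed barcode."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()

# Constructed sample reservation; no real passenger or booking.
SAMPLE_RECORD = {"name": "DOE/JANE", "pnr": "XYZ789", "passport": "SAMPLE-ONLY"}

if __name__ == "__main__":
    token = issue_pass_token(SAMPLE_RECORD)
    print(token, resolve_pass_token(token), resolve_pass_token(tamper(token)))
```

Gate scanning stays a single scan, since the passenger types nothing; only the reader that holds the key and database access can turn the token back into a reservation.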

  10. Why don’t airlines print “For privacy concerns, do not post your boarding passes on the internet” on the boarding passes?

    This would be a short term solution before they modify barcodes/QR codes to remove sensitive information from them.

  11. Top Drivers Epson

    I go as far as tearing off the label from checked baggage and shredding that as well.. I leave no traces behind..

  12. “Better still, don’t get a paper boarding pass at all (use a mobile).”

    Pfffft… That’s actually WORSE than posting your PNR to some crap-filled Social Media pig pen. The last thing I want the Evil Ones at the likes of Facebook or Google to have is the following [1]:

    * Passengers’ gender
    * Passport details – nationality, number, and date of expiry
    * Date and place of birth
    * Redress number, (if previously given to the passenger by the US authorities).
    * All available payment/billing information.

    Ref.-1: Wikipedia page for “Passenger Name Record”.

  13. Security Expert

    Until people stop bragging about their flights to (less) successful mates, there will still be a lot of room for various nasty things like identity theft.

    Unluckily, websites like Instagram or Facebook don’t discourage this “social unsocialness”.

  14. It’s actually a nice and useful piece of information. I am satisfied that you simply shared this useful info with us.

    Please stay us informed like this. Thanks for sharing.

  15. I keep my boarding passes and shred them at work.

    With the luggage tags, I tend to rip them into several pieces which I keep in my pocket and then gradually dispose of them in different bins as I move around through the day.

  16. I take all my boarding passes home along with all baggage tags and stickers. I then incinerate them in an industrial furnace at 2000 degrees Celsius. I then take the ashes from the furnace and encase them in concrete. Following this put the concrete block in a boat and travel at least 12 nautical miles off the coast. I then drop the block in the water – but only when it’s 300 feet deep.

    I also make sure to leave my phone and EPIRB on-shore. This removes any chance of being tracked by GPS.

  17. I eat the boarding passes and other flight documents at the beginning of each flight, and use the plane lavatory before landing. Works every time and leaves no trail…

  18. All told, there were more than 14,000 such records, Mr Krebs said, concluding that the firm had been “sloppy”.
