Millions of people worldwide fly with a commercial airline every day. Less than two-thirds of those airline passengers utilize mobile boarding passes; meaning the majority of passengers still use printed boarding passes.
Many of those passengers end up leaving that boarding pass on the plane or discarding it at their destination. In the age of social media, posting a photo of your boarding pass is a great way to make all your friends jealous of your European vacation. In fact, a simple Instagram search of #boardingpass, returns over 91,000 results.
So what’s the big deal with posting or throwing away your boarding pass? Well, the information printed on airline boarding passes may jeopardize your privacy or even cause trip disruptions down the road.
This information was first brought to light in late 2015, by notable cybersecurity website Krebs on Security. In the post, security researcher Brian Krebs, details the story of a longtime reader named Cory, who said he began to get curious about the data stored inside a boarding pass barcode after a friend posted a picture of his boarding pass on Facebook. Cory took a screenshot of the boarding pass, enlarged it, and quickly found a site online that could read the data.
“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information. ‘
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.
This story was largely debated and tested. Many online stated that the claims made were untrue for various airlines.
More recently, security researcher Michal Špaček gave a talk at a conference in the Czech Republic where he explained how a few details from a picture of a friend’s boarding pass posted online gave him the ability to view his friend’s passport information via the airline’s website, and to change the password for another friend’s United Airlines frequent flyer account.
Working from a British Airways boarding pass that a friend posted to Instagram, Špaček found he could log in to the airline’s passenger reservations page using the six-digit Passenger Name Record (PNR) and the last name of the passenger (both are displayed on the front of the boarding pass).
Passenger Name Records are essentially a temporary password issued by airlines, that are used to coordinate global travel, printed inside all boarding pass barcodes and on all luggage tags.
In this talk from last year’s Chaos Communication Congress (CCC) in Berlin by security researchers Karsten Nohl and Nemanja Nikodijevic, the two detail the weaknesses in the PNR system.
“If the PNR is supposed to be a secure password, then it should be treated like one,” Nohl said. “But they don’t keep it secret, but rather print it on everything you get from the airline. For instance, on every piece of luggage you have your last name and the six-digit (PNR) code.”
Once gaining access to his friend’s account using the PNR gleaned from the photo, Špaček saw he could cancel future flights, and view or edit his friend’s passport number, citizenship, expiration date and date of birth.
Additionally, boarding pass barcodes and QR codes usually contain all of the data shown on the front of a boarding pass, and some boarding pass barcodes actually conceal more personal information than what’s printed on the boarding pass. With the proliferation of barcode/QR reader apps, this information can be easily decoded.
United Airlines has recently updated their login process to require more stringent steps that no longer make login possible without access to the user’s email account.
While the information garnered from a boarding pass may seem trivial or compartmentalized to only being important during travel, these little tidbits of information may be all a cyber thief needs to complete the bigger picture of your identity.
Our advice:
- You never know what bits of information are contained in a personally identifying barcode, or who may be looking to use them. Refrain from posting photos online containing the barcode to boarding passes, concert tickets, etc.
- While bragging about vacations on social media, it also alerts thieves that you are out of town. This can be used for social engineering attacks, or CEO fraud.
- Avoid leaving boarding passes in airplane seatbacks or hotel waste bins. Bring them home and shred them to minimize risk to your privacy.
When it comes to protecting your private information, our advice will always be to err on the side of being overly cautious. In today’s connected world, we’re always just one click (or Instagram post) away from cybertheft.
Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.
