• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 

China-linked group Salt Typhoon breached satellite firm Viasat

 | 

Iran experienced a near-total national internet blackout

 | 

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

 | 

Healthcare services company Episource data breach impacts 5.4 Million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Digital ID
  • Hacking
  • Don’t throw away your old Boarding Pass, it may contain personal information

Don’t throw away your old Boarding Pass, it may contain personal information

Pierluigi Paganini October 07, 2015

Don’t throw away your old Boarding Pass, it may contain personal information that could allow attackers to run targeted attacks on you!

Don’t throw away your old Boarding Pass, it may contain personal information.

After finishing your trip, the boarding pass becomes useless, but does that mean that you should throw it in the garbage? Certainly not.

Have you ever thought about what information is contained inside a barcode? No ?

The popular investigator Brian Krebs has published an interesting post on the topic explaining that a Boarding Pass Barcode contains a lot of data.

Airlines use the boarding pass barcode for every single boarding pass, but what happen if someone tries to read the information it contains?

Krebs reported the attempt made by one of its readers, named Cory, who saw a friend posting his boarding pass on Facebook so decided to analyze it.

boarding pass barcode 2

“I found a website that could decode the data and instantly had lots of info about his trip,” said Cory,  “Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

It’s frightening what someone could do with this information, I used the barcode reader website myself to read an old boarding pass barcode, and the information I could get.

The boarding pass barcodes are widely available for years, the International Air Transport Association (IATA) published a details document  on how the barcode standards have been implemented by the organizations on the industry.

Coming back to Cory’s story, he was able to use the info available in the barcode to enter in Lufthansa website site and access his friend’s phone number, the name of the person who did the booking, and see future flights connected to the frequent flyer account.

What do you think about the possibility to conduct a targeted attack with this data? For example an attacker can send a spear phishing email to the victim reporting information on his flights.

The situation goes worse if we consider that accessing the list of future flights he is able to cancel them or change seats.

An attacker could also reset the PIN number associated with Star Alliance frequent flyer account, in the case of Cory, he tried to use the “Forgot Pin” reset and his friend question was, “What is your Mother’s maiden name?” An information like this, it’s not that difficult to extract and probably can be found in social media.

This is just an example of what can be done with a barcode, and the amount of information it can be extracted. Often people consider that the information revealed is harmless, but its because they don’t think like an criminal.

“Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader.” States Brian Krebs.

My advice to our dear reader are:

  • Do not leave your old boarding pass in the airplane
  • Avoid putting the boarding pass in the garbage in one piece
  • Don’t publish the boarding pass in social media

I also advise you to read some more details in the Shaun.net.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

[adrotate banner=”9″]

 

Edited by Pierluigi Paganini

(Security Affairs – Boarding Pass,  hacking)


facebook linkedin twitter

you might also like

Pierluigi Paganini June 24, 2025
The U.S. House banned WhatsApp on government devices due to security concerns
Read more
Pierluigi Paganini June 24, 2025
Russia-linked APT28 use Signal chats to target Ukraine official with malware
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    The U.S. House banned WhatsApp on government devices due to security concerns

    Mobile / June 24, 2025

    Russia-linked APT28 use Signal chats to target Ukraine official with malware

    APT / June 24, 2025

    China-linked APT Salt Typhoon targets Canadian Telecom companies

    APT / June 24, 2025

    U.S. warns of incoming cyber threats following Iran airstrikes

    Cyber warfare / June 24, 2025

    McLaren Health Care data breach impacted over 743,000 people

    Data Breach / June 23, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT