Don’t throw away your old Boarding Pass, it may contain personal information

Don’t throw away your old Boarding Pass, it may contain personal information that could allow attackers to run targeted attacks on you!

Don’t throw away your old Boarding Pass, it may contain personal information.

After finishing your trip, the boarding pass becomes useless, but does that mean that you should throw it in the garbage? Certainly not.

Have you ever thought about what information is contained inside a barcode? No ?

The popular investigator Brian Krebs has published an interesting post on the topic explaining that a Boarding Pass Barcode contains a lot of data.

Airlines use the boarding pass barcode for every single boarding pass, but what happen if someone tries to read the information it contains?

Krebs reported the attempt made by one of its readers, named Cory, who saw a friend posting his boarding pass on Facebook so decided to analyze it.

“I found a website that could decode the data and instantly had lots of info about his trip,” said Cory,  “Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

It’s frightening what someone could do with this information, I used the barcode reader website myself to read an old boarding pass barcode, and the information I could get.

The boarding pass barcodes are widely available for years, the International Air Transport Association (IATA) published a details document  on how the barcode standards have been implemented by the organizations on the industry.

Coming back to Cory’s story, he was able to use the info available in the barcode to enter in Lufthansa website site and access his friend’s phone number, the name of the person who did the booking, and see future flights connected to the frequent flyer account.

What do you think about the possibility to conduct a targeted attack with this data? For example an attacker can send a spear phishing email to the victim reporting information on his flights.

The situation goes worse if we consider that accessing the list of future flights he is able to cancel them or change seats.

An attacker could also reset the PIN number associated with Star Alliance frequent flyer account, in the case of Cory, he tried to use the “Forgot Pin” reset and his friend question was, “What is your Mother’s maiden name?” An information like this, it’s not that difficult to extract and probably can be found in social media.

This is just an example of what can be done with a barcode, and the amount of information it can be extracted. Often people consider that the information revealed is harmless, but its because they don’t think like an criminal.

“Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader.” States Brian Krebs.

My advice to our dear reader are:

• Do not leave your old boarding pass in the airplane
• Avoid putting the boarding pass in the garbage in one piece
• Don’t publish the boarding pass in social media

I also advise you to read some more details in the Shaun.net.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – Boarding Pass,  hacking)