Airplane boarding passes may seem like harmless pieces of cardboard, but security blog Kerbs on Security says not to let your guard down. Those boarding passes may not hold your entire life, but they do hold the key to some important parts of it. The barcode on those passes apparently include a unique code, often a frequent flyer ID, that can be used to unlock a passenger’s data, including his or her name, flight details, as well as both past and future flights, making them ripe targets for stalking or other kinds of unauthorized activities.
Barcodes are employed these days to give convenience both to passengers as well as airport personnel. No more need for typing into long forms or waiting for said typing to be finished. Simply scan the barcode or QR code and you’re done. The problem lies not with the barcode technology themselves but with how airlines use them to include special keys and even the passenger’s name and other details.
Airlines often have frequent flyer programs that reward customers for their continued patronage. Each customer is naturally assigned a unique ID to identify them. Airlines then embed that ID as part of the boarding pass barcode. That in itself is not really a problem. After all, there needs to be an automated way to scan that information. Sadly, some airlines use that same frequent flyer ID as a gate pass into the passenger’s online account.
With the passenger name and frequent flyer ID, some unscrupulous persons could log into an airline’s web site and access the person’s flight details. They can see future booked flights, for example, or see where the person has been. In some cases, airlines allow seats to be moved or even flights to be canceled from their web console, and the hacked customer will be none the wiser on who initiated the change.
Barcodes and QR codes are well documented and are easy enough to decipher. There are countless tools available that can crack the info embedded in them. The technology itself isn’t at fault, but perhaps airlines could opt to switch to a more secure option or better yet avoid including such personally identifiable pieces of information in their boarding passes.
VIA: Kerbs on Security