What do you do with your boarding pass when you get home from holiday? Most likely, it involves shoving it in a bag or chucking it in a bin at the airport in a fit of post-holiday gloom. Maybe you ceremonially burn it on your first day back at work – in which case well done, you’re actually doing the right thing; security guru Brian Krebs reckons that your boarding pass could be telling a dangerous story.
In a recent blog post, Krebs suggested that destroying your boarding pass was a smart move when it comes to your data security. Apparently two-dimensional barcodes and QR codes combined with the code printed on the pass can hold the key to a whole host of information that you don’t want to give away.
One of Krebs’ readers – a man called Cory – contacted him saying his mate had put a shot of his boarding pass up on Facebook (probably showing off for those of us still stuck in the rain) and within minutes Cory had found a website that could decode the data. He then instantly had loads of info about his mate’s trip.
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator a.k.a. ‘record key’ for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
“The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights,” said Krebs.
He also reckons that in some cases there’s enough info for attackers to potentially reset flyers’ PINs and get into their frequent flyer account. He gives the example of United Airlines, which apparently treats frequent flyer numbers like secret access codes – you can get the full Mileage Plus number if you decode the barcode.
It may not be a massive deal in all cases, but anything that gives access to your data is probably worth limiting – next time you come back from holiday, destroy the barcode and keep the memories!