In honor of National Cyber Security Awareness Month, here’s one more thing to worry about: airplane tickets. Earlier this week, Brian Krebs reported on his blog that it’s possible to extract a surprising amount of information from the barcodes and QR codes on boarding passes.
Krebs explains that one of his readers wrote in with this information after realizing that he was able to use an online barcode reader to decode the information in a photo of a boarding pass that a friend had posted to Facebook. In addition to easily accessible data like the ticket holder’s name, the code yielded details such as his frequent flyer number and his travel record locator.
If this doesn’t sound like much, consider that Krebs’ reader was able to access his friend’s account with Lufthansa using the data he’d pulled. Coupled with some basic social hacking—using publicly available Facebook information to guess the answer to security questions—this allowed him far reaching access to, and control over, otherwise private resources. (I reached out to Lufthansa for comment but did not get a response.)
As some commenters on Krebs’ post point out, different airlines package different amounts of information into the scannable portions of their documents. Some apparently include nothing more than what’s already indicated in plain text. Nevertheless, it’s important to recognize that the seemingly illegible sections of our tickets may be disquietingly chatty to those in the know.
Krebs cites one researcher who proposes, “I would also recommend not leaving your boarding pass on the aircraft when you disembark.” Meanwhile, Krebs himself writes that you may want to “consider tossing the boarding pass into a document shredder.” Here at Slate, we fear that that may not be enough. We suggest that you instead eat your boarding pass as soon as you have found your seat. Chew thoroughly.
Who ever said airplane food was terrible?