Shred Your Airline Boarding Passes-Truth! & Misleading!

/ Computers, Warnings / By /

Shred Your Airline Boarding Passes-Truth! & Misleading!
Summary of eRumor:
Airline travelers have been told to shred their boarding passes because scammers can retrieve personal information by scanning a barcode.
The Truth:
Bar codes on boarding passes do contain personal information, but not much more than is already printed on your boarding pass in plain text.
Calls for airline travelers to shred their boarding passes emerged in October 2015. That’s when security blogger Brian Krebs published a blog post headlined, “What’s in a Board Pass Barcode? A lot,” at KrebsonSecurity.com:

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.

Krebs wrote that the reader was able to retrieve the passenger’s name, frequent flier number and a “record key” for the Lufthansa flight. Then, with the record key, the reader was supposedly able to gain access to the traveler’s entire account and could have changed passwords and pin numbers.
That’s where the threat of boarding pas security gets murky, however. To gain access to a secured account, you need to enter a pre-set password and pin number, or answer security questions to reset them. That info isn’t in a boarding pass barcode. In Krebs example, the hacker knew his “victim” and knew the answer to the security question, “What’s your mother’s maiden name?” More often than not, that wouldn’t be the case.
Also, Brian Salzman, the VP of marketing for Inlite Research, the company that makes the online scanner cited by Krebs, said barcodes don’t have much more information that is already printed on the boarding pass, Fusion reports:

I also reached out to Inlite Research, the company that put the free barcode scanner online that Krebs pointed people to. The site got a surge of traffic last week said Michael Salzman, Inlite’s VP of Marketing. He was nonplussed by the privacy freak-out.

“Isn’t most of that information on the boarding pass itself?” Salzman said. “Barcodes are not inherently secure or insecure. Barcodes are a dumb way to package information into an image. The nature of the information is up to the people who use it.”

Fusion reporter Kashmir Hill scanned boarding passes from many different airlines and found in all cases that the frequent flier number was the only bit of personal information not already printed on the ticket.
Boarding pass barcodes have been in wide use since 2005. That year, the International Air Transport Association undertook a five-year long project to establish Bar Coded Boarding Passes (BCBP) in all of its member airlines.
Tech blogger Shaun Ewing delved into the science of BCBP and outlined exactly what information is “hidden” inside boarding pass barcodes on at his blog site, Shaun.net:

  • EWING/SHAUN: My name.
  • E1AAAAA: Electronic ticket indicator and my booking reference.
  • SYDBNEQF: Flying from SYD (Sydney) to BNE (Brisbane) on QF (Qantas).
  • 0524: Flight number 524.
  • 106: The Julian date. In this case 106 is April 16.
  • Y: Cabin – Economy in this case. Others including F (First) and J (Business).
  • 23A: My seat.
  • 0073: My sequence number. In this case I was the 73rd person to check-in.
  • 3: My “passenger status”.
  • 59: There is a various size field. This is the size
  • >: Beginning of the version number
  • 2: The version number.
  • 18: Field size of another variable field.
  • 0: My check-in source.
  • B: Airline designator of boarding pass issuer.
  • 2: Another variable size field.
  • 9: Airline code.
  • 0: International document verification. ’0′ as I presume is not applicable.
  • QF: The airline my frequent flyer account is with.
  • 1245678: My frequent flyer number.
  • 128: Airline specific data.

Ewing found that the barcode information was “harmless,” but he advised against leaving boarding passes behind in seat pockets or posting photos of them online.
To summarize, it’s true that there’s information in boarding pass barcodes, but the threat level has been overblown. And, no, you don’t need to shred your boarding passes.