What Information is Hiding in Your Boarding Pass?
Frequent flyers are familiar with the embedded 2D barcode that appears on any boarding pass, whether it’s issued on a flimsy piece of paper or scanned through your smartphone. Whichever method you prefer to utilize—high-tech or old-school—you can be sure that the airline is taking note of the information that’s contained within that barcode.
In a recent article published on KrebsOnSecurity, reporter/computer security expert Brian Krebs investigated just what kind of personal information those barcodes reveal about a passenger. In 2005, the International Air Transport Association (IATA) issued a mandate to replace magnetic strips with bar-coded boarding passes (BCBP) for travelers around the globe, and by 2010 they had completed that task. As the IATA's website states, barcodes “offer more convenience for the passenger. Because they don’t need to be printed on expensive paper stock and facilitate off-airport check-in, they save the industry up to $1.5 billion every year.”
If you want to see what personal data is actually stored in your barcodes, Inlite Research’s website allows you to upload pictures of your boarding pass (as well as your driver’s license, military ID, postal barcode, and QR codes) and decodes it, using HTML. The results aren’t exactly shocking: Your name, seat number, departing and arriving airports, sequence number (what number person were you to board), record locator, and frequent flyer number are revealed to whomever reads the barcode. And while it’s hardly the type of secure personal information that could lead to identity theft, you do leave yourself open to some limited information exposure if you happen to leave your boarding pass in your seat pocket, like so many of us do, or throw it in the trash after deplaning—particularly when it comes to your frequent flyer number.
Using this number (which can and should be kept private), it would be simple for anyone to log into your account and gain access to your contact information and future flights. Yes, they’d first have to know your password, but this can be changed rather easily as they have the frequent flyer number itself and can bypass a security question. (Getting into your account would also give them the power to cancel or change any upcoming flights.)
Another blog, Fusion, researched Krebs’ post and contacted various airlines as to why one’s full frequent flyer number appears in the barcode, but no representative would give a definitive answer. “Barcodes are not inherently secure or insecure,” Inlite Research’s vice president of marketing told Fusion. “Barcodes are a dumb way to package information into an image. The nature of the information is up to the people who use it. Most barcodes are boring.”
For those who prefer to err on the safe side while traveling this holiday season and beyond, it’s best to use your smartphone at check-in so that you don’t have to worry about someone lifting secure information from a paper boarding pass—and moving you right next to the lavatory for your next flight.