Your Boarding Pass Barcode Can Reveal Your Future Flight Schedule

Illustration for article titled Your Boarding Pass Barcode Can Reveal Your Future Flight Schedule

When you pick up a boarding pass, it has many of your personal details splashed all over it. But the innocuous-looking barcode contains an even richer seam of information about your travel plans and habits — and it may pay to keep it hidden away from prying eyes.


Brian Krebs reports that one of his readers, named Cory, became curious about exactly what data was stored in a boarding pass barcode when a friend posted a picture of one of the cards on Facebook. So he did what any incredibly inquisitive person might do, and used an online barcode scanner to find out. The results are a little worrying, as Cory recounts:

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day. I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

As Krebs points out, by this point Lufthansa’s site also shows the person’s phone number and the name of who booked the flight, along with providing the option to change seats and cancel flights. In other words, it’s fair to say that there exists somewhat of a security hole here.

It’s not the first time the contents of boarding pass barcodes has come into question: in 2012, a security vulnerability in US domestic airline boarding passes meant that travellers could scan the barcodes to reveal what kind of checks they were likely to face.

For the most part, if you keep your boarding pass quietly about your person your details are likely to remain safe. But it’s a reminder to be careful about what you post online — because even if the human brain doesn’t make much sense of a barcode, the internet sure can.

[Krebs on Security]

Image by Juli under Creative Commons license




Here’s a thought : don’t post pictures of your boarding card online. Krebs is normally spot-on with his articles but this one is a bit d’uh! I mean what did they think was going to be encoded in the barcode? The recipe for brownies? You wouldn’t post a photo of your drivers license, passport ID page or social security number online - why post pictures of boarding passes, event tickets or anything else that contains info about you?

But as there are people who still think this is the 1950’s and it’s safe to leave your doors unlocked, here’s another traveller tip: don’t ever, ever, EVER write your name and address on one of those luggage labels that allows everyone to see it. Turn it inside out, cover it up - do something. Because there are people in airports who loiter, photographing or reading those tags so they can make a shopping list of addresses that will be empty for the forseeable future because the occupants are leaving the airport for another destination. Burglar’s paradise.

And while I’m at it, try never to pay for anything with a c/c at an airport either. Anyone who works at an airport store can skim the details and empty your account while you’re in flight (assuming you still have the old-and-busted magstripes we’re all subjected to in the US). I had this happen to me when I left from London Gatwick a couple of years ago - the Dixons (as it was) electronics store there were skimming people’s cards and siphoning the money out while the passengers were in-flight. Because they also scan your boarding pass when you purchase anything, they also knew exactly how long they had before you’d be on the ground again too.