When you pick up a boarding pass, it has many of your personal details splashed all over it. But the innocuous-looking barcode contains an even richer seam of information about your travel plans and habits — and it may pay to keep it hidden away from prying eyes.
Brian Krebs reports that one of his readers, named Cory, became curious about exactly what data was stored in a boarding pass barcode when a friend posted a picture of one of the cards on Facebook. So he did what any incredibly inquisitive person might do, and used an online barcode scanner to find out. The results are a little worrying, as Cory recounts:
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day. I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
As Krebs points out, by this point Lufthansa’s site also shows the person’s phone number and the name of who booked the flight, along with providing the option to change seats and cancel flights. In other words, it’s fair to say that there exists somewhat of a security hole here.
It’s not the first time the contents of boarding pass barcodes has come into question: in 2012, a security vulnerability in US domestic airline boarding passes meant that travellers could scan the barcodes to reveal what kind of checks they were likely to face.
For the most part, if you keep your boarding pass quietly about your person your details are likely to remain safe. But it’s a reminder to be careful about what you post online — because even if the human brain doesn’t make much sense of a barcode, the internet sure can.
Image by Juli under Creative Commons license