Last week, security blogger Brian Krebs freaked the Internet out with a vulnerability in a simple technology that most of us use all the time: plane boarding passes.
“What’s in a boarding pass barcode? A Lot,” Krebs titled his post, which warned that someone could pick up your discarded boarding pass and use one of the barcode readers available online to scan it and see what information was encoded in it. His post set off a flurry of articles, tweets, and Facebook posts telling people to burn, shred, or eat their boarding passes after flying. One article warned the barcode could be scanned by “hackers, identity thieves, or stalkers.”
Krebs pointed to a barcode scanner from Inlite Research at several points in his post and showed how uploading a photo of a United Airlines pass to it revealed a person’s name, where they were flying from and to, when, what seat they were in, and, if they had one, their frequent flyer number. Yes, it’s true there’s a lot of information there, but it’s not much more than what someone sees by simply looking at your boarding pass, sans barcode scanner.
I asked a bunch of people to send me discarded boarding passes so I could scan them for juicy tidbits. I scanned boarding passes from United, Delta, JetBlue, Aeroflot, Virgin, and others; over and over again I found the same thing. The only bit in the barcode that wasn’t on the ticket itself was a frequent flyer number. In the case of Delta, the airline had taken pains to obscure my colleague Anna Holmes’ frequent flyer number on her boarding pass, showing it as a series of x’s with just the last 4 digits of her frequent flyer number visible, but when I scanned it, it gave me her full number.
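As an added example (not code from the article, from Krebs, or from Inlite), here is a small Python decoder for a barcode string laid out like the IATA BCBP “M” format the airlines point to, run against a constructed sample pass. The 60-character mandatory block is the fixed layout; the field widths I use for the per-leg structured block that carries the frequent flyer number are my reading of the standard and should be treated as an assumption to check against the IATA document. It shows the situation found with the Delta pass: the printed face masks the number to its last four digits while the barcode still carries it whole.

```python
# Added example: decode a BCBP-style boarding pass string and compare what the
# barcode carries against what the printed face shows. All values are made up.

# Fixed 60-character mandatory block (name, width).
MANDATORY = [
    ("format_code", 1), ("number_of_legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_city", 3), ("to_city", 3),
    ("operating_carrier", 3), ("flight_number", 5), ("date_of_flight_julian", 3),
    ("compartment_code", 1), ("seat_number", 4), ("checkin_sequence", 5),
    ("passenger_status", 1), ("variable_field_size_hex", 2),
]

# Assumed widths of the per-leg "repeated" structured block (my reading of the
# standard); the frequent flyer airline and number live here.
REPEATED = [
    ("airline_numeric_code", 3), ("document_serial", 10), ("selectee_indicator", 1),
    ("intl_doc_verification", 1), ("marketing_carrier", 3),
    ("frequent_flyer_airline", 3), ("frequent_flyer_number", 16),
    ("id_ad_indicator", 1), ("free_baggage_allowance", 3), ("fast_track", 1),
]

# Fields a printed pass typically shows on its face.
FACE_FIELDS = ("passenger_name", "from_city", "to_city", "date_of_flight_julian",
               "flight_number", "seat_number", "frequent_flyer_number")


def _cut(layout, data):
    """Slice fixed-width fields out of data; returns (dict, chars consumed)."""
    out, pos = {}, 0
    for name, width in layout:
        out[name] = data[pos:pos + width].strip()
        pos += width
    return out, pos


def build_sample():
    """Constructed one-leg pass for DOE/JANE with a full frequent flyer number."""
    unique_body = "0" + "W" + "W" + "5300" + "B" + "UA " + "".ljust(13)
    repeated_body = ("016" + "1234567890" + " " + " " + "UA " + "UA "
                     + "0123456789".ljust(16) + " " + "1PC" + "Y")
    variable = (">5" + "%02X" % len(unique_body) + unique_body
                + "%02X" % len(repeated_body) + repeated_body
                + "^constructed-airline-use")
    mandatory = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
                 + "SFO" + "JFK" + "UA " + "0123".ljust(5) + "300" + "Y"
                 + "014A" + "0045".ljust(5) + "3" + "%02X" % len(variable))
    assert len(mandatory) == 60
    return mandatory + variable


def parse_bcbp(code):
    """Decode the mandatory block and, if present, the structured conditional block."""
    fields, _ = _cut(MANDATORY, code[:60])
    var_len = int(fields["variable_field_size_hex"], 16)
    var = code[60:60 + var_len]
    fields["frequent_flyer_number"] = ""
    if var.startswith(">"):                      # conditional block present
        fields["bcbp_version"] = var[1]
        unique_len = int(var[2:4], 16)
        cursor = 4 + unique_len                  # skip the unique block by its declared size
        rep_len = int(var[cursor:cursor + 2], 16)
        rep_fields, _ = _cut(REPEATED, var[cursor + 2:cursor + 2 + rep_len])
        fields.update(rep_fields)
        fields["airline_use"] = var[cursor + 2 + rep_len:]
    return fields


def printed_face(fields):
    """Model of the printed face: listed fields, frequent flyer number masked to its last 4."""
    face = {k: fields.get(k, "") for k in FACE_FIELDS}
    ff = face["frequent_flyer_number"]
    if ff:
        face["frequent_flyer_number"] = "x" * (len(ff) - 4) + ff[-4:]
    return face


def masked_but_decodable(fields, face):
    """Keys the face prints only in masked form while the barcode carries them in full."""
    return [k for k, shown in face.items()
            if shown and fields.get(k) and shown != fields[k]]


if __name__ == "__main__":
    decoded = parse_bcbp(build_sample())
    face = printed_face(decoded)
    for key in FACE_FIELDS:
        print("%-24s face=%-12s barcode=%s" % (key, face[key], decoded[key]))
    print("masked on face, full in barcode:", masked_but_decodable(decoded, face))
```

Running it lists each face field beside the decoded value and reports `frequent_flyer_number` as the one field that is masked on paper but fully readable from the barcode; a pass with no conditional block decodes with an empty frequent flyer number, which is the state the article argues airlines should aim for.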
So yes, this is a security screw-up. There is information in the scan that the airlines otherwise try to keep hidden. Why is it hidden? Because as Krebs says, some airlines treat “frequent flyer numbers as secret access codes”—they’re one piece of information you use to log into a site to check your account, see future trips, and make changes to itineraries. Much like social security numbers, it’s a piece of identity information that now has an outsized security role.
However, much like an email address, they’re just one piece of information that gets you into an account. Every airline site I checked also required a password or pin, and while you can reset those things if you have someone’s frequent flyer number, in every case I saw, it required knowing the answer to a person’s security question or their home address. These things are not impossible to get but you’re not immediately pwned once someone has your frequent flyer number.
Still, it does seem like it would be better were this not included. When I asked a number of airlines why they were embedding frequent flyer numbers in their barcodes, most ignored the question. American Airlines said their “boarding pass barcodes are aligned with International Air Transport Association (IATA) standards and comply with TSA regulations relating to the integrity of the data housed within the barcode.” (Those IATA standards from 2009 are online by the way, and explain the need to move from a magnetic strip on boarding passes to barcodes, but don’t mandate the inclusion of a frequent flyer number.)
American Airlines’ spokesperson suggested I ask TSA and IATA about the issue. TSA told me to ask the FAA (Federal Aviation Administration), who told me to ask DOT (Department of Transportation). After going full-circle on that federal agency acronym merry-go-round, I never got a straight answer. IATA got back to me and said its concern was just that the barcodes have the same information whether on paper or mobile (mobile, of course, being the better option for airport check-ins if you don’t want to worry about leaving a boarding pass behind).
So it seems the real answer may be that the airlines’ decision to put frequent flyer numbers in barcodes was a screw-up that they should probably fix.
I also reached out to Inlite Research, the company that put the free barcode scanner online that Krebs pointed people to. The site got a surge of traffic last week, said Michael Salzman, Inlite’s VP of Marketing. He was nonplussed by the privacy freak-out.
“Isn’t most of that information on the boarding pass itself?” Salzman said. “Barcodes are not inherently secure or insecure. Barcodes are a dumb way to package information into an image. The nature of the information is up to the people who use it.”
I asked Salzman how long Inlite keeps the scans that come in through its free tool and the information they reveal. He said it got deleted “periodically” once the data takes up too much space.
“We don’t normally look at the data,” he said. “We monitor the site for errors and if it’s not performing well, we look at it.”
So all those people who read Krebs’ post and were worried enough about what was revealed by their boarding passes to perform a scan had handed the data in their boarding passes over to this company they knew nothing about.
“Most barcodes are boring,” said Salzman. “They’re just numbers.”