Airline boarding passes are full of personal data that you might not want total strangers to know. Many travelers simply toss their used boarding passes in the trash, or leave them in the pocket of the seat in front of them when they fly, unaware that the information stored in their boarding pass barcode could leave them open to identity theft. While some airlines, like Southwest, scramble the information on the barcode, others, like United, currently do not.
Recently, Kivu was asked by KPIX-TV in San Francisco to help research the type of information that a data thief could glean from a typical commercial airline boarding pass. Kivu was provided with three sample boarding passes. The specific information available from each boarding pass barcode depended on the airline. Kivu looked at barcodes for three major airlines – United Airlines, Southwest Airlines, and Virgin America. Here’s what we uncovered.
What’s on the Barcode?
Barcodes are technically easy to decipher. With a good scanner app, information that is not available in plain text on a boarding pass can be uncovered. There are several different types of barcodes that one can find on a variety of items. Boarding pass barcodes are encoded as PDF417 barcodes. This barcode type contains multiple modes to represent text, numeric, and binary data.
If a customer purchases a flight using a Frequent Flyer account or with Frequent Flyer miles (depending on the airline), their personal Frequent Flyer information is displayed when the barcode is scanned. If the customer did not purchase or reserve the flight using Frequent Flyer miles, that information is not available by scanning the barcode.
For example, with her permission we decoded the QR Code and identified the Frequent Flyer number used by a recent traveler on United Airlines. With this information, we were able to log on to the passenger’s United Airlines account. We then knew her address, personal email, and telephone number. Going further, we knew when her next flights were scheduled and had the option to cancel them or change her seat. We also knew her date of birth, middle name, and the username for her account. Lastly, we could access her Miles Rewards and have them transferred to our own personal account in the form of cash.
All of this easily available information leaves travelers open to further data hacks. If we wanted to try to get into her personal bank account, this information would have provided a great start.
Less data is available if a passenger is not using a Frequent Flyer number. Still, a data thief could learn from a boarding pass barcode the passenger’s name, where they flew, the date and the airline.
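To check which of these fields a given pass carries, the text a scanner app returns can be split into its fixed-width fields. The Python below is an added example, not Kivu's tooling: it assumes the IATA Bar Coded Boarding Pass (BCBP) field layout, which the article does not name, and it runs on a constructed pass for a fictional passenger with the made-up carrier code XX.

```python
# Added example. Field widths are assumed from the IATA BCBP "M" format;
# every value in sample_pass() is constructed, not real travel data.
MANDATORY = [  # (field name, width in characters), 60 characters in total
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("booking_ref", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("cabin", 1), ("seat", 4),
    ("checkin_seq", 5), ("passenger_status", 1), ("conditional_size", 2),
]

def parse_bcbp(text):
    """Split decoded barcode text into the named fields of the first leg."""
    if len(text) < 60 or text[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in MANDATORY:
        fields[name] = text[pos:pos + width].strip()
        pos += width
    cond = text[pos:pos + int(fields.pop("conditional_size"), 16)]
    fields["frequent_flyer"] = _frequent_flyer(cond)
    return fields

def _frequent_flyer(cond):
    """Return 'AIRLINE NUMBER' from the conditional section, or None."""
    if len(cond) < 4 or cond[0] != ">":
        return None                      # pass carries mandatory fields only
    rep = cond[4 + int(cond[2:4], 16):]  # skip the once-per-pass section
    if len(rep) < 2:
        return None
    rep = rep[2:2 + int(rep[:2], 16)]    # per-leg section, hex length prefix
    # Offsets: airline numeric code 3, document number 10, selectee 1,
    # doc verification 1, marketing carrier 3, then FF airline 3, FF number 16.
    airline, number = rep[18:21].strip(), rep[21:37].strip()
    return f"{airline} {number}" if number else None

def sample_pass(ff_number=""):
    """Build a constructed pass, optionally with a frequent flyer number."""
    head = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123 " + "SFOLAX" + "XX "
            + "0123 " + "045" + "Y" + "012A" + "0007 " + "1")
    if not ff_number:
        return head + "00"
    rep = "000" + "0" * 10 + "  " + "XX " + "XX " + ff_number.ljust(16)
    cond = ">5" + "00" + format(len(rep), "02X") + rep
    return head + format(len(cond), "02X") + cond

if __name__ == "__main__":
    for text in (sample_pass(), sample_pass("1234567890")):
        print(parse_bcbp(text))
```

Run on the text from your own pass, the frequent_flyer entry shows whether the paper copy carries an account number and should be shredded rather than left in a seat pocket.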
For airline passengers, this should be a wakeup call. One solution to this problem is to keep your boarding pass on your phone rather than print a copy.
Kivu’s forensic investigators are experienced in protecting organizations against compromise of data, theft of trade secrets and unauthorized access to data. The author, Katherine Delude, is a Digital Forensic Analyst at Kivu Consulting in San Francisco, California. For more information, please contact Kivu.