Why Throwing Away Your Old Boarding Pass is so Risky
Don't throw away your old boarding pass
It's the holiday season and probably most of you will travel during the Christmas time. For this reason, I decided to propose again a topic that was in the headline a couple of months ago. Do you leave the boarding pass used for air travel anywhere after a trip? Do you know how much information it contains? Probably you are thinking, "If Pierluigi is asking me that, there is something to take care" … correct.
As we have seen, the old boarding pass may contain a lot of personal information that could be used by ill-intentioned against us, so don't throw away your old boarding pass!
Phishing simulations & training
After a trip the boarding pass becomes useless, but does that mean that we should throw it in the garbage? Taking a look to a boarding pass, you will notice the presence of a barcode, so let try to understand what information it contains and how a hacker could use it for illegal activities.
In October, the popular investigator Brian Krebs published an interesting post that explained the information stored in a boarding pass barcode.
The airlines use the boarding pass barcode for every single boarding pass. It contains a lot of data that could be read easily by everyone.
Brian Krebs reported the attempt made by one of its readers, a guy named Cory, who saw a friend posting his boarding pass on Facebook.
Cory, intrigued by the friend's post, began to search on the Internet some websites that could help him interpreting the boarding pass and he found what he was looking for.
The boarding pass barcodes are widely available for years. The International Air Transport Association (IATA) published a detailed document to explain how the barcode standards have been implemented by the organizations in the industry.
The Passing Board has been around since 2005 when the IATA launched a five-year project to deploy Bar Coded boarding passes (BCBP) across its member airlines. The project aimed to eliminate magnetic boarding passes, a change would allow the industry to save US$1.5bn annually and the possibility to enable new technologies such as web and mobile check-in.
Figure 1 - boarding pass
"I found a website that could decode the data and instantly had lots of info about his trip," said Cory, "Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. "record key" for the Lufthansa flight he was taking that day," "I then proceeded to Lufthansa's website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance."
I used the same website discovered by Cory to read data present on an old boarding pass barcode I left in a book, I was surprised by the information I retrieved. It is frightening what someone could do with the information present on a boarding pass, and an Internet connection.
Cory used the info available in the barcode posted online by his friend to enter in the Lufthansa website and access his data, including the phone number and the name of the person who did the booking. In and same way Cory was able to see future flights connected to the frequent flyer account.
Probably for the majority of people, the disclosure of this data doesn't represent a threat, but let start thinking like a hacker. How can we use this information? Is it possible to use it in a targeted attack?
The response is affirmative. An attacker can use the data discovered by Cory to launch a spear phishing attack to the victim. The first attack scenario that comes my mind sees the victim receiving a phishing email reporting information on his flights. The email tricks the victim into revealing additional information, signing a bogus website controlled by attackers, providing financial information or visiting a website that is used to serve a malware.
In the specific case described by Cory, the man was able to access the list of future flights of his friend, he was also able to cancel them or change seats.
Cory discovered that an attacker could also reset the PIN associated with Star Alliance frequent flyer account, then he tried to use the "Forgot Pin" reset and his friend question was, "What is your Mother's maiden name?"
Such kind of recovery procedure is quite easy to bypass; we disclose an impressive amount of data online such as our mother's maiden name. Digging into social media it is simple to find a message or a picture that could reveal it.
This is just an example of what can be done with a barcode, and the amount of information it can be extracted. Often people consider that the information revealed is harmless, but it is because they don't think like a criminal.
"Interested in learning what's in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader." States Brian Krebs.
A close look to a boarding pass
What information is available on a boarding pass? I have found an interesting post published by the expert Shaun Ewing, who found out more information on the barcode standard, and the information barcodes contain. Ewing analyzed a number of boarding passes available online by using freely available software utilities to decode the barcodes they contain.
In his post, Ewing used a boarding pass related to a Qantas flight, he decoded the barcode on the web check-in document extracting the following string:
M1EWING/SHAUN MR 1A11A1 BNESYDQF 551 107Y26J 37 00
- He the n parsed the string discovering which info were associated:
- M1: Format code 'M' and 1 leg on the boarding pass.
- EWING/SHAUN MR: His name.
- 1A11A1: Hei booking reference.
- BNESYDQF: Flying from BNE (Brisbane) to SYD (Sydney) on QF (Qantas).
- 551: Flight number 551.
- 107: The Julian date. In this case 107 is April 17.
- Y: Cabin – Economy in this case. Others including F (First) and J (Business).
- 26J: His seat.
- 37: His sequence number. In this case he was the 37th person to check-in.
- 00: Field size of airline specific data message. 00 as there isn't any.
Now that he succeeded in translating the information stored in the boarding pass he decided to analyze another real boarding pass issued at the airport. Below the information extracted from the barcode.
That translates into:
- M1: Format code 'M' and 1 leg on the boarding pass.
- EWING/SHAUN: My name.
- E1AAAAA: Electronic ticket indicator and my booking reference.
- SYDBNEQF: Flying from SYD (Sydney) to BNE (Brisbane) on QF (Qantas).
- 0524: Flight number 524.
- 106: The Julian date. In this case 106 is April 16.
- Y: Cabin – Economy in this case. Others including F (First) and J (Business).
- 23A: My seat.
- 0073: My sequence number. In this case I was the 73rd person to check-in.
- 3: My "passenger status".
- 59: There is a various size field. This is the size
- >: Beginning of the version number
- 2: The version number.
- 18: Field size of another variable field.
- 0: My check-in source.
- B: Airline designator of boarding pass issuer.
- 2: Another variable size field.
- 9: Airline code.
- 0: International document verification. '0′ as I presume is not applicable.
- QF: The airline my frequent flyer account is with.
- 1245678: My frequent flyer number.
- 128: Airline specific data.
Ewing also discovered that that the same information is used by the mobile boarding pass. The boarding pass documents are a mine of data. Also in this case, Ewing highlighted possible abuses of this information. For example, the booking reference could be used by ill-intentioned to manipulate the owner's booking.
The opinion of the expert
Michael Born, security expert at the Solutionary firm, discovered that boarding pass documents from multiple top airlines contain precious information that when used together allows ill-intentioned posing as you to manage, change, or cancel your flight reservation without authentication.
Also in this case, Born criticized the bad habit to publish online the pictures of a boarding pass just to inform friends and colleagues on our next trip.
Born examined a number of boarding passes of the major airlines discovering the information they include and explaining how they can pose serious risk to the unaware holiday traveler.
Let's start comparing the boarding pass of the Delta Airlines, American Airlines and United Airlines.
Figure 2 - Delta Airlines boarding pass
Figure 3 - American Airlines boarding pass
Figure 4 -United Airlines boarding pass
Each boarding pass contains pieces of information that could be very useful for a hacker, for example, visiting the website of the Delta Airlines (http://www.delta.com) it is possible to verify that a user just needs the confirmation number or ticket number in order to manage, change, or cancel his flight. The same information gives the access to the traveler's first name and last name, and the remaining data present in the Delta boarding pass.
Figure 5 - Website www.delta.com 'My Trips'
The experts noticed many similarities with American Airlines and United Airlines, although United only requires users to know the confirmation number and traveler's last name, both information present of a boarding pass.
Figure 6 - United Airlines
The experts explained that on the boarding pass of the American Airlines there is the "Record Locator" an information that is similar to the confirmation number used by the other airlines he has analyzed.
Michael Born also raised many other questions about the security of the mobile boarding pass, in particular the experts warn users in connecting open Wi-Fi network and also highlighted the risk of theft of the mobile device.
Born looked at the Delta mobile app and discovered that the application stores more than just the flight information. The mobile app accesses the frequent traveler account number, user' financial data (i.e. credit card information), personally identifiable billing information and flight information.
Conclusions
Summarizing, don't disclose more information than necessary, especially when dealing with boarding pass. If you want to share a picture of your boarding pass online don't forget to blur the barcode if you want to avoid problems.
Most of the information contained within the barcode is harmless, but you cannot underestimate the risk of a cyber-attack. The data could be used by attackers to act in your behalf or to target you with spear-phishing emails.
I would also recommend not leaving your boarding pass on the aircraft. Unfortunately this is a common habit.
We now understand that a boarding pass is a mine of information for an attacker or a scammer. In order to reduce security risks associated with holiday travel, I suggest you to follow a few useful tips:
- Always print paper boarding pass at home, or at any other secure place.
- Don't post pictures of your boarding document online.
- In case you lose the boarding pass at the airport, notify a gate agent immediately and request a new copy of the boarding pass.
- In case you are using a mobile boarding pass instead, take care of your mobile device.
- Never use open Wi-Fi network to access the Internet, use the cellular data connection instead.
- At the end of the trip shred all boarding documents, do not leave your old boarding pass in the airplane
- Don't publish the boarding pass in social media
Enjoy your holidays and stay safe, and don't forget that criminals are always ready to take advantage of every mistake you make.
References
http://securityaffairs.co/wordpress/40807/digital-id/boarding-pass-personal-information.html
http://online-barcode-reader.inliteresearch.com/default.aspx
https://www.solutionary.com/resource-center/blog/2015/11/holiday-travel-security-tips/
http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
http://fox42kptm.com/news/local/cyber-experts-warn-against-taking-pictures-of-your-boarding-pass
In this Series
- Why Throwing Away Your Old Boarding Pass is so Risky
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness