
How boarding passes can be used to hack frequent flyer accounts



Even in the age of smartphones, there are still documents that we have to print because there is no other option. Boarding passes are among them, and it turns out they contain quite a lot of personal information that should not fall into the hands of unauthorized people if you don't want to run into problems.

As a rule, after returning from vacation, many people simply throw their air tickets and boarding passes into the trash, never assuming that someone will dig through their garbage to find an expired ticket. Unfortunately, this is exactly what various suspicious types will do, knowing that these discarded pieces of paper can be the key to a whole range of personal information.
Worse still is taking a picture of your boarding pass and posting it on Facebook or Twitter. By uploading these seemingly innocent photos to please or annoy your friends, you unwittingly share your data with any other Internet user, who can use the information in the photo for potential gain.

“Barcodes on boarding passes can allow anyone to find out about you, your vacation plans, and your frequent flyer account,” says IT security expert Brian Krebs.

In some cases, a barcode can be a deep well of personal information that can be used to attack your user account on the airline's website. The information encoded in the barcode can be extracted using freely available utilities.



The real danger associated with these boarding passes is the frequent flyer number that can be used to access your user account on the airline's website. Knowing the name and surname of the passenger along with this number is, according to Krebs, “the first step to get the password”.

Below is an example of how additional information about a passenger can be obtained with free utilities for decoding barcode data. In this case, it was possible to find out the passenger's name and surname, the 6-digit record key, the departure and arrival airports, the airline's IATA code (in this case, Lufthansa), and the frequent flyer number.


An example of information obtained after decoding the barcode of the boarding pass using free utilities (screenshot edited)
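To show why a photographed barcode discloses as much as the printed text, the following added example (not from the original article) splits the fixed-width mandatory block of a boarding-pass barcode payload into named fields and reports which personal data it carries. The field names and widths follow the public IATA BCBP layout as an assumption, and the sample passenger is constructed.

```python
# Added example. Field names and widths are the fixed-width mandatory block
# of an IATA BCBP "M" barcode payload (assumed layout, not from the article).
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters
SENSITIVE = ("passenger_name", "pnr", "from_airport", "to_airport",
             "carrier", "flight_number", "julian_date", "seat")


def parse_bcbp(payload):
    """Split the mandatory block into named fields; reject malformed input."""
    if len(payload) < MANDATORY_LEN or payload[0] != "M":
        raise ValueError("not a BCBP 'M' payload, or truncated")
    record, pos = {}, 0
    for name, width in FIELDS:
        record[name] = payload[pos:pos + width].strip()
        pos += width
    try:
        extra_len = int(record["conditional_size_hex"], 16)
    except ValueError:
        raise ValueError("conditional size field is not hexadecimal")
    if len(payload) < pos + extra_len:
        raise ValueError("conditional block shorter than declared")
    record["conditional_data"] = payload[pos:pos + extra_len]
    return record


def exposure_report(payload):
    """Return the personal data a barcode would disclose if photographed."""
    record = parse_bcbp(payload)
    report = {k: record[k] for k in SENSITIVE if record[k]}
    # Optional airline items (such as a frequent flyer number) live here.
    report["has_conditional_block"] = bool(record["conditional_data"])
    return report


def build_sample(extra=""):
    """Constructed payload for a fictional passenger, not a real booking."""
    return ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "FRA"
            + "JFK" + "LH".ljust(3) + "0400".ljust(5) + "226" + "Y" + "012A"
            + "0025".ljust(5) + "1" + format(len(extra), "02X") + extra)


if __name__ == "__main__":
    print(exposure_report(build_sample()))
```

Running a report like this on your own pass before sharing a photo makes it clear that blurring the printed name is not enough: the barcode itself has to be covered or destroyed.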

With access to your account, an attacker can obtain various critical personal information (phone numbers or data on accompanying passengers), change or cancel upcoming flights, and use the accumulated frequent flyer bonuses (there have already been similar cases in Russia). A hacker can also change the access settings by finding the answer to the security question.

This vulnerability, according to Krebs, “created a black market for hacked frequent flyer accounts”. Ultimately, if you do not want to be the next victim, the best thing you can do is destroy your boarding passes before you throw them in the trash.

Source: https://habr.com/ru/post/270029/

