
Airport lounges will let anyone in, provided you can fake a QR code (2016) - rbanffy
https://boingboing.net/2016/08/05/airport-lounges-will-let-anyon.html
======
Spivak
What's the takeaway here? That they use a rudimentary security system as a
mild deterrent which is easily exploitable. That it's okay to commit fraud as
long as you use tech to do it?

You wouldn't see this kind of thing on a lockpicking forum, "Airport lounges
will let anyone in, provided you bring your kit."

~~~
iainmerrick
Exactly! Just because the flaw is there, that doesn't give you the right to
gratuitously exploit it. Do we really want to force people to implement super-
strict security for relatively trivial things like this?

~~~
eunoia
Oh the poor airlines! They would never, ever gratuitously exploit their
passengers. How could these mean awful people take advantage of them like
this?

It's pretty hard to root for a corporation when it's smart individual vs
faceless multinational ineptitude. Human nature perhaps?

~~~
mseebach
By that logic, shoplifting from sufficiently large stores is ok. Not stealing
bread to feed your family, just randomly grabbing stuff because you feel like
it (and it isn't locked down).

~~~
eunoia
Stealing physical items for fun != exploiting ineptitude to have a less
terrible layover. It's also harder to even begin to measure the economic cost.

I think it's more akin to buying terrible cheap seats to a show and moving
into a better yet unoccupied section once it starts.

The internet has always seemed to have a lot more moralists than the real
world.

~~~
mwfunk
Actually no, the internet is just where many people realize that the things
they think are OK sometimes aren't, because on the internet they're telling
the whole world what sketchy stuff they do, instead of just their buddies that
they do sketchy stuff with. You're much more likely to interact with people
you wouldn't normally cross paths with on the internet, and the audience is
much wider.

Tangentially, I really hate buying good seats and getting to a show to find
some cheapo sitting in them because they're proactively hoping no one shows
up. If you want good seats, buy good seats. Lots of people in the real world
feel that way, and respecting other people's wishes (even, and especially,
when you think it's unreasonable and can't relate) is a basic part of being a
grownup.

~~~
eunoia
Your first point is spot on and interesting. I would also argue that we all
have different flaws and it's easy to judge others for theirs while pretending
ours are somehow less bad. For example the most judgemental people I know are
also some of the "worst" people I know. Their morality matrix is just
incredibly biased towards looking favorably upon themselves vs others.

As for the tangent, if you can't be bothered to show up for a show by the time
it starts you can at least be bothered to say "Hey, these are my seats." I've
been on both sides of that interaction many times. Every time it's been
resolved immediately and amicably.

That might be too much human interaction though. Maybe we should get further
away from humans talking to each other and invent another app to solve this
"problem".

~~~
hueving
It sounds like you have no problem using services/goods you didn't pay for. I
don't think you're going to have any productive discussion trying to convince
other people that your moral position is correct because it directly results
in a terrible society that cannot operate on trust at all.

~~~
eunoia
You've been casting a lot of stones in the comments.

If you've really never torrented a song, used a friend's Netflix account,
snuck onto the floor of a concert, took an extra travel bottle of shampoo from
a hotel maid's cart etc. etc. etc... Then I truly commend you. The world needs
more people like you.

But I highly doubt that's the case. Meanwhile I'll be the monster over here
creating a terrible society by using some free wifi and a place to charge my
laptop to get some work done halfway through a long trip.

~~~
hueving
>But I highly doubt that's the case.

No, I stopped doing that kind of stuff around my second year of college after
some economics and ethics classes. I objectively evaluated these types of
actions and realized in nearly every case where I hand-waved away with "nobody
will notice because it's trivial", I was basically justifying theft of small
amounts of resources by claiming it was negligible.

>Meanwhile I'll be the monster over here creating a terrible society by using
some free wifi and a place to charge my laptop to get some work done halfway
through a long trip.

I can tell you're trying to be sarcastic, but when people behave like you it
does make it miserable for everyone else. You increase the costs for honest
people or at a minimum deprive them of some of the value they would have
received if you weren't there (more seating, shorter bathroom queues, more
available outlets, less congested wifi).

Also, in most clubs it's not free wifi, it's wifi provided for people
legitimately allowed access to the club. You are just stealing it.

------
Dunnorandom
You don't even have to fake a QR code to get into a lounge: There was a case
in Germany a few years ago where someone bought a fully flexible business
class ticket, used it to enter the business lounge in Munich and then rebooked
it to another day from inside the lounge.

After doing that 36 times, Lufthansa noticed it and sent him a bill over 1980€
(55€ per lounge visit). He refused to pay, got sued and lost.

Source (in German):
[http://www.justiz.bayern.de/gericht/ag/m/presse/archiv/2014/...](http://www.justiz.bayern.de/gericht/ag/m/presse/archiv/2014/04407/index.php)

~~~
cfontes
There is also a Chinese case but he did it for a whole year.

[http://nypost.com/2014/01/29/man-uses-first-class-plane-ticket-to-eat-free-for-a-year/](http://nypost.com/2014/01/29/man-uses-first-class-plane-ticket-to-eat-free-for-a-year/)

~~~
13of40
I keep meaning to do that someday, just so I can say I've done it, but if you
think about it the hassle of traveling to the airport, going through security,
paying $12 for a cocktail in a sterile room full of strangers, etc. would
probably make for an overall crappy experience.

Edit: Oh, now that I clicked the link I see he got to eat for free. Hmmm...

~~~
bdamm
Also useful if you have somewhere to fly on an economy ticket. Noteworthy is
that often the alcohol is free, along with the food. Having flown business on
a couple of trips I can tell you with 100% certainty that I'd rather wait in
the lounge than out at the gates. Because, beds & showers.

~~~
Semaphor
FWIW, Emirates has free Alcohol on their flights for economy passengers. Don't
know about the selection as I tend to sleep most of the flight, but they have
at least red & white wine and Jack Daniels.

------
habosa
"Life hacks" like this are part of the larger category "crimes that Americans
like to brag about".

There's some strange cultural thing where people are proud of telling others
how much they can get away with. You hear this all the time when talking about
taxes, "yeah I figure out how to put all my personal travel down as a business
expense". It's especially egregious with warranty/insurance fraud, such as
when people drop their phone in water and then pretend it's a manufacturer's
defect.

None of this really bothers me, but we wonder why companies look to nickel and
dime us all the time. It's because we can't be trusted! Give the American
consumer an inch, and he takes a mile. We have an adversarial relationship
with almost everyone we buy from / sell to, which I think is a big source of
pain and inefficiency.

~~~
berberous
I think you have the cause/effect reversed. People don't want to fuck over
their local coffee shop. But companies have consolidated into giant
monopolistic mega corps with no humanity that try to fuck you over, which
makes returning the favor an enticing idea.

------
linker3000
Then there's the time United cancelled my early morning flight from SFO to LHR
and rerouted me home via an 8pm flight to Dulles and refused to let me use the
lounge when I suggested it would be a nice gesture ('some people have paid an
annual fee for the lounge you know...') so I spent the whole day moving
between restaurants and seats in the departure lounge.

That was the last time I flew with them.

/Not bitter..

//Hell, yes, I was sooo pissed.

~~~
toweringgoat
There is no early morning flight from SFO to LHR. In fact there are no morning
flights (on United) from SFO to LHR. It just doesn't make any sense in terms
of timings.

And random flight cancellations happen on any airline (and rebooking options
can be limited depending on time of year). It's part of flying, deal with it.

~~~
kps

> There is no early morning flight from SFO to LHR.

It took about 20 seconds to have Google Flights show me a 6:40am departure
from SFO to LHR via ORD.

~~~
asclepi
I assume OP meant that there are no early morning _nonstop_ flights from SFO
to LHR.

------
hbosch
Up until relatively recently, there was an iOS tweak (if you were jailbroken)
that would inject status signifiers into your Delta/United/America/Airline
app. Or something. Via the "Flex" jailbreak app, you could tweak and change
all sorts of flags in your current apps – e.g. "Infinite Skips" in Pandora, or
"Remove banner ads" in Candy Crush – and one of the most widely abused ones was
a tweak that would put, say, "Diamond Status" on your device's boarding pass.

I don't know if this got you into lounges, but users reported it did at least
get them into expedited security lines.

~~~
raverbashing
They can still check by requiring either that your ticket corresponds to the
"fast lane" or that you have the status card indicated

------
tyingq
From a security standpoint, I'm actually relieved that 3rd party operated
airport lounges don't have direct APIs to match passengers to flights.

I'm sure there's some middle ground solution that protects info, but I'd
prefer this situation to the polar opposite of unfettered API access.

This seems to be a deliberate case of light protection on purpose...not much
is lost if you grant access. I can sneak into a local gym easy enough as well
by catching the door before it shuts.

~~~
curun1r
This is a case where the airline should sign the information in the QR code.
Lounges get the airlines' public keys and pick the one for the passenger's
flight and, after verifying the signature, can trust the information in the QR
code. No API access necessary.

Don't overthink, just use HMAC. It's disturbing how often that advice is
needed.
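
Added example (not part of the comment above, and not any airline's or IATA's actual scheme): a lounge-side check of an HMAC tag appended to the barcode text, using the sample pass quoted elsewhere in this thread. The key table, the `^` separator, the 128-bit tag length and the carrier column offsets are assumptions made for illustration; because HMAC is symmetric, the verifier here holds the same key that creates tags, unlike the public-key variant the comment describes first.

```python
import hashlib
import hmac

# Constructed demo key; real keys would be provisioned per airline out of band.
AIRLINE_KEYS = {"TK": b"constructed-demo-key-for-TK"}

SEP = "^"         # hypothetical separator between pass data and tag
TAG_HEX_LEN = 32  # HMAC-SHA256 truncated to 128 bits to keep the barcode small


def carrier_of(pass_data: str) -> str:
    # Assumed fixed-width layout: operating carrier sits in columns 37-39.
    return pass_data[36:39].strip()


def _tag(key: bytes, pass_data: str) -> str:
    digest = hmac.new(key, pass_data.encode(), hashlib.sha256).hexdigest()
    return digest[:TAG_HEX_LEN]


def issue(pass_data: str) -> str:
    """Airline side: append a tag computed over the full pass text."""
    return pass_data + SEP + _tag(AIRLINE_KEYS[carrier_of(pass_data)], pass_data)


def verify(scanned: str) -> bool:
    """Lounge side: accept only if the tag matches under the carrier's key."""
    pass_data, sep, tag = scanned.rpartition(SEP)
    if not sep or len(tag) != TAG_HEX_LEN:
        return False  # unsigned or truncated barcode
    key = AIRLINE_KEYS.get(carrier_of(pass_data))
    if key is None:
        return False  # no key on file for this carrier
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(_tag(key, pass_data).encode(), tag.encode())


# Sample pass text as quoted in this thread, then signed with the demo key.
SAMPLE = "M1SIMPSON/BARTHOLOMEWMEXYZ123 ISTLGWTK 1965 099C005A0015 100"
SIGNED = issue(SAMPLE)

if __name__ == "__main__":
    print("signed pass accepted:", verify(SIGNED))
    print("unsigned pass accepted:", verify(SAMPLE))
```

Any field altered after issuance, including the carrier used to select the key, changes the expected tag and the scan is rejected.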

~~~
tyingq
Yes, that's a solution, but the boarding pass is used by different entities
like the TSA. So it's unsurprisingly a big political event to change what's
encoded.

It's similarly surprising how often devs think the problem is solely technical
:)

~~~
saryant
AFAIK the portion of the barcode related to the TSA actually is signed in some
cases. That's part of the integration required for airlines to let their
passengers use TSA PreCheck.

------
pcl
Here's the text from the QR code in the YouTube video:

> M1SIMPSON/BARTHOLOMEWMEXYZ123 ISTLGWTK 1965 099C005A0015 100

Looks like XYZ123 is the PNR and TK 1965 is the flight number. I haven't
looked at how the 099... field is encoded yet, but it appears to be date +
class of service + checkin sequence number.

~~~
mittermayr
Looks like page 27 has the format:
[http://www.iata.org/whatwedo/stb/Documents/BCBP-Implementation-Guide-5th-Edition-June-2016.pdf](http://www.iata.org/whatwedo/stb/Documents/BCBP-Implementation-Guide-5th-Edition-June-2016.pdf)

Starts with M1.

------
syntheticnature
Needs a (2016) on it; the article is almost a year old.

Also, per the comments, seems very YMMV.

------
joeblau
I know United checks your ticket and flight info before they let you in.
That's been my experience in the U.S. at least.

~~~
toweringgoat
It's worth noting that most airlines can view most tickets given the name and
ticket number (you can use the saudia website to view the gory details of
tickets issued by most TAs and airlines yourself if you wish). Whether or not
they do is a separate question, but United certainly do check (partly since
the itinerary can grant lounge access even if the flight you are taking next
doesn't).

------
AlexCoventry
I've never been in one of those lounges... Do they contain anything worth
committing fraud for? Cool trick either way, though.

~~~
saryant
Domestic US lounges, eh. They're better than the terminal but not worth going
out of your way for. Exceptions are the Amex Centurion lounges and certain
lounges run by foreign airlines, like the OneWorld first class lounge at LAX
run by Qantas—cook-to-order food, full bar, nice showers, etc. All
complimentary. Good tacos.

Internationally, it's a different story. At Lufthansa's first class terminal
in Frankfurt (yes terminal, not lounge) you have private security and passport
control and get driven to your plane in a Porsche across the tarmac. Thai
Airway's first class lounge in Bangkok has complimentary sixty minute massages
(not that kind). Cathay Pacific's lounges in Hong Kong have full cook-to-order
restaurants, foot massages, etc. all complimentary. All Nippon's first class
lounges in Tokyo have 17-year-old scotch just sitting out for whoever wants
it. Japan Airlines offers a sushi bar—with the sushi chefs right in front of
you—and complimentary massages.

Not a bad way to travel. So far I've managed all on award tickets.

------
TazeTSchnitzel
That's nothing compared to the state of PNR security:
[https://www.youtube.com/watch?v=n8WVo-YLyAg](https://www.youtube.com/watch?v=n8WVo-YLyAg)

------
losteverything
It's been years

Question: can a member bring in a guest?

I assume yes as my spouse accompanied me.

So? Why not create a way (app) to have members already in the lounge come and
let in their "guest/SO"?

"I'm available / not available for "guesting" flag

~~~
MBCook
Uber for airport lounges! It's like a temporary AirBnB. First we can...

I suddenly feel terrible about myself.

------
lexicality
The talk in question:
[https://www.youtube.com/watch?v=qnq0UfOUTlM](https://www.youtube.com/watch?v=qnq0UfOUTlM)

------
arasmussen
Sounds like a good answer to "When have you most successfully hacked some
(non-computer) system to your advantage?"

~~~
ikeboy
>non-computer

~~~
a13n
I mean they aren't hacking a computer system, they're hacking airport lounge
security... with a computer. Still counts!

------
grondilu
Couldn't this have been simply prevented by salting the name?

