
What’s in a Boarding Pass Barcode? - snowy
http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
======
myth_buster

> Interested in learning what’s in your boarding pass barcode?
> Take a picture of the barcode with your phone, and upload it to this site.

Woah! We are talking about private information being easily accessed from our
boarding passes, and there is a passage on uploading it to some site online.
Wouldn't that be ill-advised?

~~~
ellisv
I basically read this as "Worried someone has your credit card information?
Enter your credit card number to find out!"

~~~
rmc
Someone has sorta done that
[http://ismycreditcardstolen.com/](http://ismycreditcardstolen.com/)

(Try to submit bogus data to see the results :) )

------
mynegation
The barcode is PDF417 and there are phone apps that scan and convert it to
text ([http://www.pdf417.mobi/](http://www.pdf417.mobi/)) - in case you do not
want to send this to some website. I played with it, decoding my own boarding
passes, but did not find anything that was not already printed on the pass.
Granted there was a lot of abbreviated gibberish which may have been something
sensitive.

~~~
skewart
How exactly is using a random app any safer than using a random website? Or,
what other benefit could it have? Both an app and a website are somebody
else's code running on your local machine and (often) communicating with a
remote server. A random app could just as easily grab your info from the
barcode.

~~~
leoedin
Using an app can be safer than a website.

1. If the app doesn't have permissions to use the internet (possibly Android
only, although the Android 6 discussion seems to suggest that there are ways
round this).

2. If you use the app while disconnected from the internet and ensure that it
isn't running when you reconnect.

Neither of those is possible when you upload the image to be parsed online.

~~~
skewart
Those are both hypotheticals that are very far from typical ways that people
use apps on their phones.

An app might upload the image to a remote server. A website might parse it
locally through JS - maybe disabling your connection, submitting your image,
parsing it, then wiping your cached website data would be just as "safe".

The problem is the knee-jerk reaction that "some random website" is dangerous
while some random app is not. You have to assume both are equally risky in
this situation.

------
emersonrsantos
This barcode is normally used as input to ACP (IBM Airline Control Program,
also called TPF or z/TPF) in plaintext to a TCP/IP TN3270-based terminal
emulator running under Windows (with or without any SSH encryption). But the
barcode text is visible to anyone facing the terminal. At least that's how it
happened on all my latest flights.

~~~
mschuster91
> IBM Airline Control Program, or ACP, was an operating system developed by
> IBM beginning about 1965.

> TPF evolved from the Airlines Control Program (ACP), a free package
> developed in the mid-1960s by IBM in association with major North American
> and European airlines. In 1979, IBM introduced TPF as a replacement for ACP
> — and as a priced software product.

Holy fuck. I don't want to be the poor guy maintaining code that is likely to
be older than himself...

~~~
Maxious
IBM IMS (Information Management System, predating DB2) failed for some large
banks in Australia over the weekend.
[http://www.smh.com.au/it-pro/business-it/st-george-bank-of-m...](http://www.smh.com.au/it-pro/business-it/st-george-bank-of-melbourne-and-banksa-outage-to-be-fixed-on-monday-night-st-george-says-20151005-gk1u3z.html)

"IBM designed the IMS with Rockwell and Caterpillar starting in 1966 for the
Apollo program" "Vern Watts was IMS's chief architect for many years. Watts
joined IBM in 1956 and worked at IBM's Silicon Valley development labs until
his death on April 4, 2009. He had continuously worked on IMS since the
1960s."
[https://en.wikipedia.org/wiki/IBM_Information_Management_Sys...](https://en.wikipedia.org/wiki/IBM_Information_Management_System)

~~~
mseebach
> "IBM designed the IMS with Rockwell and Caterpillar starting in 1966 for the
> Apollo program"

I've come across IMS before, and I absolutely love this line. This is a
database built for the Apollo program by a tractor company. That's a kind of
old-school solidity we don't see much anymore (mostly for the better, but
still).

------
pcl
It's worth noting that everything mentioned in the article except the full
frequent flyer number is also printed in ASCII on the boarding pass.

~~~
monochromatic
The frequent flyer number seems to be the piece that gives away the keys to
the kingdom.

~~~
ubernostrum
Depends on the airline.

US-based airlines tend to require an actual password to access the account and
see future flights, spend miles on redemptions, and so on (I have accounts,
currently, with four different US-based carriers, and all of them require a
password for account access).

The confirmation code and passenger name are enough to make changes to that
reservation, though; if you know someone's code + name you can cancel the
return segment of their journey, for example.

I'm wondering if the person being quoted was confused by seeing the return
segments of a multi-segment trip (which are part of a single reservation, and
would come up with just the information on the boarding pass), and thought it
was actually full account access.

~~~
CaptainZapp

> I'm wondering if the person being quoted was confused by seeing the return segments of a multi-segment trip
    

I wondered that too. I'm a Miles & More member via Swiss (which is part of the
Lufthansa group) and you definitely need a password / pin to access your FF
account.

Accessing a specific booking via booking code / surname is a whole different
issue.

------
carlob
I had tried that before using Mathematica instead of a website, and I was also
surprised to see the data in the barcode is not really signed in any way. IIRC
it was a European low-cost carrier like Ryanair, and I thought it was scary that I
could have generated the same exact bar code just by knowing my name and the
flight.

Of course there is an extra step of validation, because the airline has the
passenger list, so you can't just add yourself to a flight.
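An added illustration, not code from the article or from any commenter, of the decoding mynegation describes and of the point carlob makes about signing: boarding-pass barcodes carry an IATA BCBP record whose 60-character mandatory section is fixed-width text, and the airline digital signature (the `^` security block) is optional. The field table, the `decode_bcbp` function and both sample records are constructed here; the samples are not real passes.

```python
"""Decode the 60-character mandatory section of an IATA BCBP boarding-pass string."""

# (field name, width) for the mandatory section of a one-leg BCBP record.
MANDATORY_FIELDS = [
    ("format_code", 1),        # 'M' for IATA BCBP
    ("legs_encoded", 1),
    ("passenger_name", 20),    # SURNAME/GIVEN, space padded
    ("eticket_indicator", 1),
    ("pnr", 7),                # record locator / confirmation code
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the conditional section that follows
]
MANDATORY_LEN = sum(w for _, w in MANDATORY_FIELDS)  # 60

def decode_bcbp(data: str) -> dict:
    """Return the mandatory fields and whether a security (signature) block follows."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not an IATA BCBP 'M' record of at least 60 characters")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    cond_len = int(fields["conditional_size"] or "0", 16)
    fields["conditional"] = data[pos:pos + cond_len]  # raw; this is where e.g. FF numbers live
    pos += cond_len
    # A '^' after the conditional section opens the optional security data (airline
    # digital signature). Without it nothing binds the fields together, so the
    # printed text alone fully determines the barcode contents.
    fields["signed"] = data[pos:pos + 1] == "^"
    return fields

# Constructed sample, not a real pass: one leg, empty conditional section, no security data.
SAMPLE_UNSIGNED = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123 " + "SFO" + "JFK"
    + "UA " + "1234 " + "289" + "Y" + "012A" + "0042 " + "1" + "00"
)
# Same record with a constructed security block: type '1', length 0x04, placeholder data.
SAMPLE_SIGNED = SAMPLE_UNSIGNED + "^104ABCD"

if __name__ == "__main__":
    print(decode_bcbp(SAMPLE_UNSIGNED))
```

Run against a string you have scanned from your own pass (as mynegation did) to see which fields are present and whether `signed` is true; in this case, the check tells you whether the airline's scanner has anything beyond the passenger list to verify against.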

~~~
scrollaway
Cynical me wonders if it's like this on purpose for the benefit of law
enforcement. But then again, Hanlon's razor...

~~~
carlob
I think the only purpose that bar code serves is so that the person at the
gate doesn't have to strike a line on a printed list.

------
peter303
That's like googling your social security number to see if any website is using
it. I've done this with range-search however.

~~~
callesgg
Tried it, it was also an ISBN number of some book :)

------
ajdlinux
Since the article doesn't actually say - the barcode is PDF417.

------
kawsper
Is this the reason why you need to scan your boarding-card if you buy
something in the airport? Is it regulation or are these companies data-mining?

Edit: Apparently it has something to do with VAT:
[http://www.telegraph.co.uk/travel/travelnews/11794109/The-re...](http://www.telegraph.co.uk/travel/travelnews/11794109/The-real-reason-airport-shops-want-to-see-your-boarding-pass.html)

~~~
scintill76
It's probably not VAT-specific and not necessarily done for the advantage of
the retailers. At least, I understand the concept of duty-free stores to be
that the retailer doesn't have to collect tax, so they can make the customer's
overall price lower, and the customer can dodge import tax by either consuming
in the airport or being below tax-free value thresholds. On the other hand, in
this article one retailer claims it's a "practical impossibility" to have
duty-free prices, so maybe they're all gaming the customer.

And even if they have a tax reason to collect boarding passes, I wonder if
they are prohibited from doing their own analytics on it. Apparently merchants
can with credit card numbers:
[https://www.quora.com/Can-businesses-use-credit-card-data-fo...](https://www.quora.com/Can-businesses-use-credit-card-data-for-customer-analytics)

------
jjulius
This just reinforced why I use smartphone boarding passes.

~~~
skeoh
From my own testing on the matter I have found that digital boarding passes
just encode the same data in a different barcode format.

~~~
ubernostrum
I think the concern here is what happens if someone finds your paper boarding
pass and scans it.

That's less likely to happen with a boarding pass on your phone.

(though in general, the problem of airlines requiring very little information
-- all of which is on the boarding pass -- to be able to access an itinerary
and make changes or cancel it is somewhat well-known among frequent flyers)

~~~
skeoh
Fair enough, that makes sense. Thanks for the clarification.

------
kristopolous
So upon the actual boarding process, is the actual flight reservation checked
with the name or is it susceptible to fraud?

I can see how fraud can be prevented with this schema, but I wonder if it's
implemented.

------
eagle1
That's a little irresponsible on the part of airlines.

