Hacker News new | comments | ask | show | jobs | submit login
Airport lounges will let anyone in, provided you can fake a QR code (2016) (boingboing.net)
141 points by rbanffy on Aug 4, 2017 | hide | past | web | favorite | 128 comments

What's the takeaway here? That they use a rudimentary security system as a mild deterrent which is easily exploitable. That it's okay to commit fraud as long as you use tech to do it?

You wouldn't see this kind of thing on a lockpicking forum, "Airport lounges will let anyone in, provided you brink your kit."

Reminds me of the common joke life pro-tip: you can get stuff without paying for it by going to a store, picking something up, and just walking out with it!

Exactly! Just because the flaw is there, that doesn't give you the right to gratuitously exploit it. Do we really want to force people to implement super-strict security for relatively trivial things like this?

I mean, I see your point, but if that's what they have to do to stop fraud, and the fraud is something they really care about, then yeah, they should do that. Surely it's no great tragedy that stores have cash registers and bill checkers.

Most stores have far fewer controls than they could, because they'd rather be nice to their customers. This changes if the level of fraud/theft increases.

Stores places where few people steal are nice and open, have nobody watching the doors, and basically rely on the honor system to ensure that you pass by a cashier before you leave. Stores in places where theft is common have all sorts of unpleasant security measures.

Society only works because most of us behave. Look around you, and you'll see an incredible number of structures that only work because 99% of people are basically decent and honest. Don't be in the 1% who aren't, and definitely don't encourage that 1% to grow.

> Most stores have far fewer controls than they could, because they'd rather be nice to their customers. This changes if the level of fraud/theft increases.

Yep, and people can easily see this for themselves. It is incredibly telling to note the difference between going into the Rite Aid on Rainier Ave S in Seattle and the Rite Aid on 35th Ave NE in the same city. They're almost directly due north/south of each other and separated by less than ten miles.

However, the Rainier one has at least one visible store security guard, tags on the shopping trolleys to prevent leaving the store with them, locked-down shaving razor refills and baby formula and small electronics, and "you are being recorded" security televisions prominently placed.

The one on 35th has none of those. If there is a security guard or loss-prevention specialist, that person is often hidden. Shave refills are easily accessed (though do have removable security tags), there are corrals outside so customers can use the trolleys to load purchases into their vehicles, and the store simply feels more open and accessible.

> Most stores have far fewer controls than they could, because they'd rather be nice to their customers. ... 99% of people are basically decent and honest. Don't be in the 1% who aren't

This is dangerous thinking.

People don't generally steal because they're bad vs "nice", they steal because they have an incentive to do so (economically speaking). Heaping moral judgement on them is unhelpful and in many cases actively detrimental [because it obscures causal underlying issues and excuses bad policy designed to address symptoms].

'I mean, have you noticed that like, in white, "nice" places, where people are "nice", the stores are all open and nice and people are friendly, but in those dirty poor black neighborhoods the corner stores have got bars on the windows and grills in front of the cashiers, because blacks steal more and make up more of that nasty 1% obviously' </valleygirlvoice> I hope it's obvious where this line of reasoning leads. Dangerous places.

Theft controls are functions of behavioral economics, not how "nice" people are (store owners included). ALL stores suffer from some level of theft, and thus _could_ implement HYPER security to eliminate the problem. They don't, mostly because the costs (direct and indirect) outweigh the benefits of deterring a given level of theft. So for most stores, the expenditure on theft prevention comes down to the minimum spend necessary to reach a tolerable level of theft. And levels of theft have everything to do with a very careful balance of cost:benefit to do with economic and social incentives for the actors involved. This "most people are nice but 1% of people are bad and mess it up for everyone else" type thinking excuses awful systemic abuse and places blame in entirely the wrong place.

It's dangerous thinking to observe that stores in poor areas have more security, because there's a twisted line of thinking that leads from there to racism? How about, it's the racism that's dangerous thinking.

Haha, wow, you really missed the crux of my reply.

What exactly is the crux of your reply? Are you trying to claim it is a purely monetary relationship? As soon as the cost for the security controls is lower than the cost of the theft then it will be implemented? I don't think it is that simple as their is an intangible as well, part of the "niceness"of the op. If I had to choose between a place with high theft deterrent and one with low, I would choose the one with low. Yeah in the end it all comes down to profit. But being nice to your customers also had an impact on your bottom line.

> Are you trying to claim it is a purely monetary relationship?

No. "Cost" in behavioral economics is never purely monetary. It includes social, emotional, cultural, personal, moral and relational calculus too. The entire spectrum of the human condition really.

> As soon as the cost for the security controls is lower than the cost of the theft then it will be implemented?

Yes, but where "cost" includes the aforementioned factors. Consider it by way of example, you standing in front of the Airport Lounge, QR code cracker hand, asking yourself one critical question: "Is it worth it?" (what will my friends think, what if I don't and have to spend the next 4 hours in a plastic airport seat, I'm tired, what if I get caught, but oh man I could snapchat me in a biz class lounge and Sarah would see, etc etc).

Store owners and businesses in general have to ask the same question. "Is it worth it?"

> Yeah in the end it all comes down to profit.

Does it? Many of the comments here are people incensed by some version of _moral_ or _social-code_ violations by the QR cracker. Their sentiment and that of any prosecuting 'store owner' is not to do with the marginal "cost ($)" of his offense (which is likely close to zero, and arguably net positive).

> But being nice to your customers also had an impact on your bottom line.

I agree with you.

> What exactly is the crux of your reply?

Humans intuitively see correlation as causation and jump to apply moral judgements leading to (often devastating) social consequences to the wrong people because of it. The line of reasoning that "we're all nice, it's just a handful of bad people out there who are the problem" is the problem.

It's very difficult to pay attention to anything else when you basically accuse me of being racist in the middle of the comment.

mikeash - for the record, I am not calling you a racist, don't think you are a racist and in no way am implying you are one. It is a pity you drew that line back to yourself as that was not my intent.

I thank you for including the word "basically" in your assertion, as it infers you understand that it does require a leap to connect the dots in my reply to an accusation of racism.

To be clear, '</valleygirlvoice>' was specifically included to define that speech as being an example of someone-else confusing correlation with causation and (this is the critical bit) the ease with which we (all) jump from there to moral judgements and social consequences.

Oh the poor airlines! They would never, ever gratuitously exploit their passengers. How could these mean awful people take advantage of them like this?

It's pretty hard to root for a corporation when it's smart individual vs faceless multinational ineptitude. Human nature perhaps?

By that logic, shoplifting from sufficiently large stores is ok. Not stealing bread to feed your family, just randomly grabbing stuff because you feel like it (and it isn't locked down).

Apparently it's ok to create fake barcodes.

Stealing physical items for fun != exploiting ineptitude to have a less terrible layover. It's also harder to even begin to measure the economic cost.

I think it's more akin to buying terrible cheap seats to a show and moving into a better yet unoccupied section once it starts.

The internet has always seemed to have a lot more moralists than the real world.

Actually no, the internet is just where many people realize that the things they think are OK sometimes aren't, because on the internet they're telling the whole world what sketchy stuff they do, instead of just their buddies that they do sketchy stuff with. You're much more likely to interact with people you wouldn't normally cross paths with on the internet, and the audience is much wider.

Tangentially, I really hate buying good seats and getting to a show to find some cheapo sitting in them because they're proactively hoping no one shows up. If you want good seats, buy good seats. Lots of people in the real world feel that way, and respecting other people's wishes (even, and especially, when you think it's unreasonable and can't relate) is a basic part of being a grownup.

Your first point is spot on and interesting. I would also argue that we all have different flaws and it's easy to judge others for theirs while pretending ours are somehow less bad. For example the most judgemental people I know are also some of the "worst" people I know. Their morality matrix is just incredibly biased towards looking favorably upon themselves vs others.

As for the tangent, if you can't be bothered to show up for a show by the time it starts you can at least be bothered to say "Hey, these are my seats." I've been on both sides of that interaction many times. Every time it's been resolved immediately and amicably.

That might be too much human interaction though. Maybe we should get further away from humans talking to each other and invent another app to solve this "problem".

It sounds like you have no problem using services/goods you didn't pay for. I don't think you're going to have any productive discussion trying to convince other people that your moral position is correct because it directly results in a terrible society that cannot operate on trust at all.

You've been casting a lot of stones in the comments.

If you've really never torrented a song, used a friend's Netflix account, snuck onto the floor of a concert, took an extra travel bottle of shampoo from a hotel maid's cart etc. etc. etc... Then I truly commend you. The world needs more people like you.

But I highly doubt that's the case. Meanwhile I'll be the monster over here creating a terrible society by using some free wifi and a place to charge my laptop to get some work done halfway through a long trip.

>But I highly doubt that's the case.

No, I stopped doing that kind of stuff around my second year of college after some economics and ethics classes. I objectively evaluated these types of actions and realized in nearly every case where I hand-waved away with "nobody will notice because its trivial", I was basically justifying theft of small amounts of resources by claiming it was negligible.

>Meanwhile I'll be the monster over here creating a terrible society by using some free wifi and a place to charge my laptop to get some work done halfway through a long trip.

I can tell you're trying to be sarcastic, but when people behave like you it does make it miserable for everyone else. You increase the costs for honest people or at a minimum deprive them of some of the value they would have received if you weren't there (more seating, shorter bathroom queues, more available outlets, less congested wifi).

Also, in most clubs it's not free wifi, it's wifi provided for people legitimately allowed access to the club. You are just stealing it.

Maybe, as long as you don't touch any of the food or drink. How likely is that, though?

Did you know most airlines have absolutely awful inventory control over the supplies on their planes? If you make friends with a flight attendant they usually have the leeway to bring you just about anything you want for free. Is that stealing too?

Pro tip: Bring candy or snacks for flight attendants on long flights, they appreciate it and may even reciprocate in kind.

It's not stealing when they give it to you willingly without any fraud.

Are you that fuzzy on the concept of "stealing" that you don't see the difference here?

Airlines have fired staff for eating a sandwich or drinking a coke taken from the plane e en if it was going to be thrown away. It's the same concept as most food outlets. They have no discretion yo give away free things to people who give them candy.

Anecdotally, it's rampant. To the point where crews will take bags(!) of booze and certain snacks off planes for layovers / gifts etc.

And I didn't mean you should bring candy for the FA's solely in expectation of getting something in return. You should really do it because they work surprisingly stressful jobs with absurd hours. They often have to deal with the worst kind of people and could really use a metaphorical hug every once in a while.

Source: Dated a FA for a long time. Know many others.

Actually it is stealing, you're just not the one doing it.

I bet the airlines allow flight attendants to use their discretion here.

Forging a ticket is just not equivalent to asking nicely if you can have something.

>I think it's more akin to buying terrible cheap seats to a show and moving into a better yet unoccupied section once it starts.

And GP thinks otherwise.

You are merely stating an opinion.

Opposing stealing is now rooting for corporations?

Many/most forms of hacking could be construed as stealing if you squint hard enough. What was this community founded around again?

Do you think "disruption" is a peaceful, happy, 100% beneficial process for everyone involved? Is Uber stealing by taking business from incumbents that play by a different (regulated) rulebook?

This 'community' (to the extent that all the users of this site can be clubbed into one) was definitely not formed on any founding principle which would legitimize theft.

Not that sneaking into airport lounges is some huge theft, but acting like it's completely okay isn't cool either.

I agree, it's not 100% okay. I wouldn't feel bad doing it though. I also wouldn't do it in a situation where my presence hurts another paying customer (i.e. full lounge).

My personal ethics apply to how my actions impact other living things. I don't lose sleep worrying if I've wronged an entity created solely for the purpose of maximizing shareholder value.

I'm honestly surprised how many people don't agree with that. To each their own I suppose.

Edit: You're totally right about the futility of trying to shove all of us into any one descriptive bucket though. That was a mistake.

>I'm honestly surprised how many people don't agree with that. To each their own I suppose.

You're advocating for stealing from businesses. When enough people like you do this, it results in either higher prices for honest people or the loss of a service entirely.

> I'm honestly surprised how many people don't agree with that.

At some level, most people think everyone else thinks and behaves similarly to them, and are surprised when they find out that they don't. That's why projection is a thing.

I'm curious, what do you think about public services? E.g. is it ok to ride the bus without paying if you get away with it? What if it only takes a a fake QR code to do so?

Because in the end, even big evil mega-corporations have human stakeholders. For some of them that's their livelyhood. Not everyone is in it out of greed.

I really wish people would stop slapping the "theft" label on things that aren't. It's intellectual laziness that just cheapens the discussion.

Sitting in an airport lounge you shouldn't have access to isn't stealing. Piracy isn't stealing. Using ad blockers on a site that supports itself through ads isn't stealing.

They call it "theft" for the defensible reason that it maps to traditional theft in (what they regard as) the most important dimensions. Your disagreement with the validity of the (IMHO, obvious) mapping doesn't make it lazy.

Theft is wrong for well-known reasons. Most of those same reasons apply to these situations.

> Sitting in an airport lounge you shouldn't have access to isn't stealing.

What do you think of random people occupying your house while you are gone out to work or grocery store? Is that okay too?

> Using ad blockers on a site that supports itself through ads isn't stealing.

I agree with this because browsers are "user agents" not "website agents".

Airport lounges offer all kinds of drinks and snacks that I'm certain this person is not ignoring. They are also using the facilities and causing more congestion, making it less pleasant for the paying customers, so they are stealing the value that the lounge offers from other customers.

It may be classed as theft of services.

If curious, consult a qualified legal representative in the appropriate jurisdiction.

What about the food and drink that are offered in these lounges?

You may have a point.

So opposing trespass is now rooting for corporations?

Well, @eunoia seems to think so. I happen to disagree. But at least now we can discuss it without the emotional baggage of calling someone a thief. For whatever reason, people get worked up over that label more than "trespasser" or "squatter" or "moocher" ;)

I'm afraid we all might be wrong/right on some level. I.e.:

1. Getting into an area you don't have access to: Trespassing.

2. Tricking the security they have in place: Fraud.

3. Taking snacks from the lounge-area: Stealing.

> Sitting in an airport lounge you shouldn't have access to isn't stealing

You are consuming a resource that's finite. You are literally taking value from the provider without asking or paying for it. What do you propose we call this?

Physical space in a building is a limited resource. "IP" isn't.

I don't think it's rooting for a corporation, but a simple matter of ethics.

They have no ethics while exploiting you for as much money as possible, so you should be nice to them and treat them as you would another human?

Edit: sorry, this was kind of a flippant remark that I made without thinking a lot.

That's a vast exaggeration of things. "Exploiting" my ass. You know the reason why airlines are so shitty? Because people only buy the cheapest tickets to their destination. I'm guilty of this myself. The end result is a race to the bottom .

And yes, when the man refused to get off the United plane, he should not have been beaten. Big deal, hundreds of millions of people fly every year. The fact that that happened sucks, but the reality is that 99.99% of people will at worst just deal with incompetent customer service during a cancelled or heavily delayed flight. That doesn't give you justification to steal from the airliner.

This is a discussion I feel you would have with a teenager.

Don't they transport you and your luggage safely through the air at high speed for a sum of money that you agreed to pay? Where is exploitation coming from?

Capitalism, apparently.

Though, to be a bit more generous, I'd interpret that people hate airlines without really having a conscious reason, so they make something up that's visible and easy to be upset about. E.g. Cost of flying, leg-room, crappy service, "run by evil corporation". I'd posit that they somehow see something wrong with it, yet can't pin-point what that is. In my view, somehow they realize that a government-enabled and enforced monopoly makes the whole thing unfair. And if only we had no intervention and prevention of competition, they'd finally see "nice" airlines. But until they actively "see" that, they'll always think that it's the government that's preventing the really nice peachy happy people from running an airline that they'd enjoy using.

Yes, I should be honest.

"Hotel breakfast buffets will let anyone in, provided you can say a room number."

The people who bring your food at Sonic do not make sure you've activated (removed) the coupon you told them you had. So you could use the coupon over and over...

I think the HN-framed takeaway here is that the developer building the system could have used a timestamp + HMAC and prevented the issue, but chose not to for whatever reason. Maybe they wanted to be able to generate barcodes from the app itself while offline, maybe they were getting the data from the server anyway and just didn't know any better.

Perhaps the developer saw an opportunity to make an app to distribute to friends to let them into the lounges.

the takeaway is that you can do it, as the title suggests :)

You don't even have to fake a QR code to get into a lounge: There was a case in Germany a few years ago where someone bought a fully flexible business class ticket, used it to enter the business lounge in Munich and then rebooked it to another day from inside the lounge.

After doing that 36 times, Lufthansa noticed it and sent him a bill over 1980€ (55€ per lounge visit). He refused to pay, got sued and lost.

Source (in German): http://www.justiz.bayern.de/gericht/ag/m/presse/archiv/2014/...

There is also a Chinese case but he did it for a whole year.


I keep meaning to do that someday, just so I can say I've done it, but if you think about it the hassle of traveling to the airport, going through security, paying $12 for a cocktail in a sterile room full of strangers, etc. would probably make for an overall crappy experience.

Edit: Oh, now that I clicked the link I see he got to eat for free. Hmmm...

Also useful if you have somewhere to fly on an economy ticket. Noteworthy is that often the alcohol is free, along with the food. Having flown business on a couple of trips I can tell you with 100% certainty that I'd rather wait in the lounge than out at the gates. Because, beds & showers.

FWIW, Emirates has free Alcohol on their flights for economy passengers. Don't know about the selection as I tend to sleep most of the flight, but they have at least red & white wine and Jack Daniels.

If you're going to do it, do it properly and get a first-class ticket on Lufthansa. At their hub in Frankfurt, first-class passengers get their own private terminal. Here's a sample:


It's quite nice. I scored that on an award ticket back when getting Lufthansa first class on United awards was easy to do. Being driven from the lounge to your plane in a Porsche is a pretty great way to start your flight.

Actually, the cocktail is more than likely free.

The sterility of airport lounges is also HIGHLY questionable.

Yes. AIUI, German law seems to draw heavily from the school of thought that "obviously you're not supposed to do that, jerk, now pay up". American law prefers to say, "oh, crud, you caught us. Add it to the ever-lengthening terms of service (that no one reads) so we can prove you agreed you wouldn't do it."

It goes both ways though. You can use the intent of a law as a defense in court. It gives more power to judges to interpret things, which can be seen as a disadvantage. Overall I'd still rather have that - in the American legal system I feel like the law being a sword of damocles over my head, constantly waiting for me to inadvertently walk into a trap, while with a European civil law system I get the feeling that the system works for me as long as I don't have bad intents (i.e. as long as my inner moral matches that of the culture I'm in).

Putting aside the obviously questionable ethics, this seems like a very poor use of a person's time...spending all this time mucking around with ticket changes, all just to get into a lounge.

Yeah, lounges are nice (I used to frequent the Emirates business class lounge in Dubai), but modern airports are more than comfortable for a <6hr layover.

My family spent 8+ hours in Atlanta airport, after getting up at 3AM in Kansas. We found an empty terminal with no scheduled flights for a few hours and had a decent nap.

Wouldn't that business class ticket cost thousands of dollars? You can usually buy a lounge pass for a yearly fee of a few hundred.

Yes, but business tickets often are 100% refundable

No they aren't. You can choose to buy refundable business fares, much as you can buy refundable economy fares. But the default is non-refundable tickets with hundreds of dollars high change fees.

Some business travellers do buy mostly refundable tickets, but they specifically have to select them regardless of class of travel. Tickets bought on day of travel also tend to be refundable since that's often the only fare that can be sold close to departure.

Yes, but if you're keeping the ticket active so you can access the lounge, you have that several thousand dollars still tied up in the ticket. You could just buy a yearly pass for a small fraction of that, so it makes no sense.

Since most - if not all - airport lounges are behind security, you'd still need a valid boarding pass (and thus a ticket) to be able to reach them. And even if you don't, most lounges require that you present a boarding pass for same day travel together with your paid membership card to get access.

In this case, I assume the goal was to eventually cancel and fully refund the dollars in the ticket so that all lounge access could be had for free.

I know people who have done this too, just not abusing it like that guy. If it's a 100% refundable ticket you can get into the airport and so long as you reschedule or cancel before boarding you're good.

"Life hacks" like this are part of the larger category "crimes that Americans like to brag about".

There's some strange cultural thing where people are proud of telling others how much they can get away with. You hear this all the time when talking about taxes, "yeah I figure out how to put all my personal travel down as a business expense". It's especially egregious with warranty/insurance fraud, such as when people drop their phone in water and then pretend it's a manufacturer's defect.

None of this really bothers me, but we wonder why companies look to nickel and dime us all the time. It's because we can't be trusted! Give the american consumer an inch, and he takes a mile. We have an adversarial relationship with almost everyone we buy from / sell to, which I think is a big source of pain and inefficiency.

I think you have the cause/effect reversed. People don't want to fuck over their local coffee shop. But companies have consolidated into giant monopolistic mega corps with no humanity that try to fuck you over, which makes returning the favor an enticing idea.

> There's some strange cultural thing where people are proud of telling others how much they can get away with.

I am not a fan of many aspects of American culture, but I certainly disagree with your assertion.

In fact I would go farther and say that in my experience Americans are less likely to do this than the majority of other countries. It's why you can buy a trainer full of grain sight unseen or sell something on eBay. Kind of amazing, actually.

We focus more intensely, as we should, on the bad news or violations. But overall Americans don't have a zero-sum mentality and stick to their word, which is why the society and economy have done as well as they have.

Americans? From the article:

>traveller Przemek Jaroszewski found that he couldn't enter an airline lounge in Warsaw

From a Wired article[0]:

>As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year

and from the original article: ... >He also hasn't tried his attack against US airport lounges.

So, he's not an American and didn't do any of this in America. Why don't you stop being such a bigot?


Then there's the time United cancelled my early morning flight from SFO to LHR and rerouted me home via an 8pm flight to Dulles and refused to let me use the lounge when I suggested it would be a nice gesture ('some people have paid an annual fee for the lounge you know...') so I spent the whole day moving between restaurants and seats in the departure lounge.

That was the last time I flew with them.

/Not bitter..

//Hell, yes, I was sooo pissed.

I pay $400/yr for United Club access specifically so that I can go there when there's a flight delay or cancelation. Like, that is specifically the reason I pay it. As a regular business traveler, it is worth it to have access to better and less busy agents, and a nicer place to sit, when something goes wrong. Letting in people for free when something goes wrong would eliminate the benefit in it (because the most important thing is the lack of lines/crowds).

United lounges are unfortunately pretty full already with their awards programs plus their "tens of dollars" upgrades. If they let every person they rerouted or canceled in, it'd be even worse. Though it doesn't mitigate how crappy it must have been for you.

TOD upgrades don't get lounge access since domestic F doesn't get lounge access.

There's plenty of light international travel that TOD applies to though. Not US-EU but CA/MX/Central America?

If you had flown BA and they cancelled your flight you'd have been in for a nice amount of cash in compensation due to EU law.

Entitled anyway. That delay compensation applies to all flights starting or ending in the EU.

Almost, but not quite. It does apply on all flights departing from the EU, but only on flights arriving in the EU if they are operated by a carrier from an EU country. It's a small but important distinction.

For example, if you were travelling from London to New York, it would always apply regardless of the airline. In the other direction, however, it would apply on BA but not on AA.

I don't see the problem. If you want lounge access pay for it. Flights get cancelled and delayed, especially in SFO.

There is no early morning flight from SFO to LHR. In fact there are no morning flights (on United) from SFO to LHR. It just doesn't make any sense in terms of timings.

And random flight cancellations happen on any airline (and rebooking options can be limited depending on time of year). Its part of flying, deal with it.

  > There is no early morning flight from SFO to LHR.
It took about 20 seconds to have Google Flights show me a 6:40am departure from SFO to LHR via ORD.

I assume OP meant that there are no early morning nonstop flights from SFO to LHR.

Fair play - I have just checked this out and my memory wasn't too accurate - it was UA901, which leaves around 12:55 (when it's not cancelled!), and I was probably basing my comment on the fact that I was getting to the airport around 9.30am to allow for returning the rental and security etc., so I would have been on the road to the airport around 8am.

>deal with it

Why is his solution (suggesting the behavior is poor) a better implementation of "dealing with it" than your implied implementation (doing nothing)?

I'm just pointing out that disruptions are nothing unexpected if you travel often - you can't really expect extraordinary treatment. (Sure, in the EU at least you get food and lodging by law - but lounge access is a completely different beast.)

After all do you expect to be put in first class just because a weather or security issue caused your flight to be cancelled? You aren't the only person affected, airlines can't handle everyone like a snowflake.

Weather and security issue, maybe not, but otherwise, they're liable to pay 600€ in indemnity for a 3h+ delay on such a long flight. I think that should cover a few hours of lounge access.

No. They. Aren't. EU regulations only affect EU carriers, or flights departing the EU. (And also Switzerland, possibly Norway.) Not applicable here.

And if they had to pay that compensation (as explained they don't in this case), they definitely won't want to add bonus lounge access.

Right, I was talking about the EU rights, since you brought it up. Sorry for not being clear.

Up until relatively recently, there was an iOS tweak (if you were jailbroken) that would inject status signifiers into your Delta/United/America/Airline app. Or something. Via the "Flex" jailbreak app, you could tweak and change all sorts of flags in your current apps – e.g. "Infinite Skips" in Pandora, or "Remove banner ads" in Candy Crush – and one of the most widely abused one was a tweak that would put, say, "Diamond Status" on your device's boarding pass.

I don't know if this got you into lounges, but users reported it did at least get them into expedited security lines.

They can still check by requiring either that your ticket corresponds to the "fast lane" or that you have the status card indicated

From a security standpoint, I'm actually relieved that 3rd party operated airport lounges don't have direct apis to match passengers to flights.

I'm sure there's some middle ground solution that protects info, but I'd prefer this situation to the polar opposite of unfettered API access.

This seems to be a deliberate case of light protection on purpose...not much is lost if you grant access. I can sneak into a local gym easy enough as well by catching the door before it shuts.

This is a case where the airline should sign the information in the QR code. Lounges get the airlines' public keys and pick the one for the passenger's flight and, after verifying the signature, can trust the information in the QR code. No API access necessary.

Don't over think, just use HMAC. It's disturbing how often that advice is needed.

Yes, that's a solution, but the boarding pass is used by different entities like the TSA. So it's unsurprisingly a big political event to change what's encoded.

It's similarly surprising how often devs think the problem is solely technical :)

AFAIK the portion of the barcode related to the TSA actually is signed in some cases. That's part of the integration required for airlines to let their passengers use TSA PreCheck.

Here's the text from the QR code in the YouTube video:


Looks like XYZ123 is the PNR and TK 1965 is the flight number. I haven't looked at how the 099... field is encoded yet, but it appears to be date + class of service + checkin sequence number.

Looks like page 27 has the format: http://www.iata.org/whatwedo/stb/Documents/BCBP-Implementati...

Starts with M1.

Its Bart Simpson

Needs a (2016) on it; the article is almost a year old.

Also, per the comments, seems very YMMV.

I know United checks your ticket and flight info before they let you in. That's been my experience in the U.S. at least.

It's worth noting that most airlines can view most tickets given the name and ticket number (you can use the saudia website to view the gory details of tickets issued by most TAs and airlines yourself if you wish). Whether or not they do is a separate question, but United certainly do check (partly since the itinerary can grant lounge access even if the flight you are taking next doesn't).

Same with Delta. Whenever I check in they pull more information than what's on the ticket. I would be amazed if they don't do simple validation to see that the PNR/name/etc... match their systems.

When I have a physical ticket, and change my seat on the app, they usually re-print my boarding pass with the new seat number on it.

This might work for some non-airline run partner lounges without flight data access, but usually those have "coupons" given by the check in agent for access. The video shows someone entering a Star Alliance lounge, using self serve scanners. They probably aren't network connected like a normal check in agent stand

I've never been in one of those lounges... Do they contain anything worth committing fraud for? Cool trick either way, though.

Domestic US lounges, eh. They're better than the terminal but not worth going out of your way for. Exceptions are the Amex Centurion lounges and certain lounges run by foreign airlines, like the OneWorld first class lounge at LAX run by Qantas—cook-to-order food, full bar, nice showers, etc. All complimentary. Good tacos.

Internationally, it's a different story. At Lufthansa's first class terminal in Frankfurt (yes terminal, not lounge) you have private security and passport control and get driven to your plane in a Porsche across the tarmac. Thai Airway's first class lounge in Bangkok has complimentary sixty minute massages (not that kind). Cathay Pacific's lounges in Hong Kong have full cook-to-order restaurants, foot massages, etc. all complimentary. All Nippon's first class lounges in Tokyo have 17-year-old scotch just sitting out for whoever wants it. Japan Airlines offers a sushi bar—with the sushi chefs right in front of you—and complimentary massages.

Not a bad way to travel. So far I've managed all on award tickets.

For the most part, Western lounges just feel like hotel lobbies, but with free booze and buffets. Significantly quieter than the main terminals, genuinely helpful staff, clean bathrooms, etc.

Great if you have access, but nothing I'd go out of my way to pay for.

One exception: Showers. Holy hell is it an amazing feeling to take a shower half-way through a 20+ hour itinerary. Worth their weight in gold.

They have good food and alcohol. They also have unusually nice fellow passengers that are worth talking to.

A friend of mine took me into airport lounges a few times, and they were all pretty nice experiences.

It really depends. In the USA, the biggest benefit is that you can set your bags down and go to the can without worrying they are going to get stolen or carted off by bomb disposal. Also, you get free WiFi.

In other countries, airports tend to be more spartan, and the lounges nicer. Many of the Asian carriers offer sushi, noodle bars, top-shelf drinks, and showers.

The one in the video (IST) is actually very nice, there is lots of space (especially compared to the rest of the airport, which is usually very crowded), free food and drinks (including alcohol and decent, non-drip coffee).

That's nothing compared to the state of PNR security: https://www.youtube.com/watch?v=n8WVo-YLyAg

It's been years

Question: can a member bring in a guest?

I assume yes as my spouse accompanied me.

So? Why not create a way (app) to have members already in the lounge come and let in their "guest/SO"?

"Im available / not available for "guesting" flag

Uber for airport lounges! It's like a temporary AirBnB. First we can...

I suddenly feel terrible about myself.

In most cases, you can bring in a guest as long as they're also traveling on the same day, on the same alliance.

The FlyerTalk forums have reasonably active threads to arrange this sort of thing on an ad-hoc basis.

To wit: If anyone's flying Delta and in ATL at 2:30 PM on Wednesday... email's in my profile.

Sounds like a good answer to "When have you most successfully hacked some (non-computer) system to your advantage?"


I mean they aren't hacking a computer system, they're hacking airport lounge security... with a computer. Still counts!

Couldn't this have been simply prevented by salting the name?

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact