Add airline boarding passes to the list of items that should go into the paper shredder.
A recent report by security expert and former Washington Post security reporter Brian Krebs revealed a wealth of data hidden in airline boarding passes that makes it easy for hackers to glean personal information about travelers, learn where they're headed and even take over their airline accounts.
Krebs said he began researching security flaws in boarding passes after a reader contacted him about a friend who had posted an image of his boarding pass on Facebook. The reader enlarged the image, then set to work on prying out the data embedded in the boarding pass's bar codes and QR codes. QR codes, short for Quick Response codes, are the square codes made popular by advertising and apps because people can easily scan them with smartphones to get more information about products and services.
“I found a website that could decode the data and instantly had lots of info about his trip,” the reader told Krebs. “Besides his name, frequent flier number and other [personally identifiable information], I was able to get his record locator (a.k.a. ‘record key’) for the Lufthansa flight he was taking that day.”
The reader told Krebs he used that information to crack his friend's account with the airline, where he was able to pull up details about future flights booked on the account. Data within the account itself could arm hackers with the tools to do even more damage, including potential identity theft. The airline account included personal details like the account holder's phone number and full name.
Some airlines are better than others about protecting data embedded in boarding passes, Krebs noted. United Airlines, for example, “seems to treat its customers’ frequent flier numbers as secret access codes,” Krebs wrote, so gaining access to a customer account there would be more difficult than it would be using boarding passes from other companies.
In a recent CBS Miami report, forensic security expert Michael Burgess demonstrated how free smartphone apps can be used to read personal data from discarded boarding passes.
“Every single one of them had information that we could use to steal someone’s information,” he told CBS after scanning several passes.
Security experts recommend travelers treat boarding passes the same way they do bank statements and other sensitive documents, and say passes should be shredded after flights.