How boarding passes can be used to hack frequent flyer accounts



    Although smartphones have made printing most documents unnecessary, some documents still have to be printed because there is no alternative. Boarding passes are one of them, and it turns out that they contain a lot of personal information that should not fall into the hands of strangers if you want to avoid problems.

    As a rule, after returning from vacation, many people simply throw tickets and boarding passes into the bin, never suspecting that someone might dig through their trash to find an expired ticket. Unfortunately, this is exactly what various suspicious types will do, knowing that these discarded pieces of paper can become the key to a whole series of personal information.

    Even worse is photographing your boarding pass and posting it on Facebook or Twitter. By uploading these seemingly innocent photos to please or annoy your friends, you unwittingly hand your data to any other Internet user, who may use the information in the photo for their own benefit.

    “Barcodes on boarding passes can allow anyone to find out information about you, your vacation plans, and your frequent flyer account,” said IT security expert Brian Krebs.

    In some cases, the barcode is a potential storehouse of personal information that can be used to attack your user account on the airline’s website. The information encoded in barcodes can be extracted using freely available utilities.



    The real danger associated with these boarding passes is the frequent flyer number, which can be used to access your user account on the airline’s website. Knowing the passenger’s name and surname together with this number is, according to Krebs, “the first step to obtaining a password.”

    Below is an example of how free barcode-decoding utilities can reveal additional information about a passenger. In this case, they revealed the passenger's name and surname, a 6-digit record key, the airports of departure and arrival, the airline's IATA code (in this case, Lufthansa) and the frequent flyer number.


    Example of information obtained after decoding the boarding pass barcode using free utilities (screenshot edited)
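To check what a photographed or discarded pass gives away, the sketch below splits already-decoded barcode text into its fixed-width fields and lists the personal ones. It is an added example, not code from the original article, and it assumes the barcode uses the IATA Bar Coded Boarding Pass "M" layout for the first flight leg; the function names and the sample string are constructed for illustration.

```python
# Added example. Fixed-width layout of the mandatory first-leg items in an
# IATA BCBP "M" string (assumed format; the article does not name it).
FIELDS = [  # (name, width, sensitive)
    ("format_code", 1, False),
    ("legs", 1, False),
    ("passenger_name", 20, True),
    ("eticket_indicator", 1, False),
    ("record_key", 7, True),
    ("from_airport", 3, True),
    ("to_airport", 3, True),
    ("carrier", 3, False),
    ("flight_number", 5, True),
    ("julian_date", 3, True),
    ("compartment", 1, False),
    ("seat", 4, False),
    ("checkin_sequence", 5, False),
    ("passenger_status", 1, False),
    ("conditional_size_hex", 2, False),
]
MANDATORY_LEN = sum(width for _, width, _ in FIELDS)  # 60 characters


def parse_bcbp(raw):
    """Split the decoded barcode text into named fields."""
    if len(raw) < MANDATORY_LEN or raw[0] != "M":
        raise ValueError("not a BCBP 'M' string")
    rec, pos = {}, 0
    for name, width, _ in FIELDS:
        rec[name] = raw[pos:pos + width].strip()
        pos += width
    size = int(rec["conditional_size_hex"], 16)  # ValueError if not hex
    # Conditional items (can carry frequent flyer data) are kept opaque here.
    rec["conditional_data"] = raw[pos:pos + size]
    return rec


def exposure_report(raw):
    """List the personal fields a photo of this barcode would reveal."""
    rec = parse_bcbp(raw)
    exposed = [name for name, _, sensitive in FIELDS if sensitive and rec[name]]
    if rec["conditional_data"]:
        exposed.append("conditional_data")
    return exposed


# Constructed sample, not a real boarding pass.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "FRA" + "JFK"
          + "LH".ljust(3) + "0400".ljust(5) + "226" + "Y" + "023A"
          + "0012".ljust(5) + "1" + "00")
```

Any field named by `exposure_report` is readable by whoever scans the barcode, even when the printed text on the pass has been blurred or cropped out of the photo.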

    With access to your account, an attacker can obtain various critical personal information (phone numbers or information about accompanying passengers), as well as change or cancel upcoming flights and use the accumulated frequent flyer bonuses (there have already been similar cases in Russia). A hacker can also change access settings by guessing the answer to a security question.

    This vulnerability, according to Krebs, "created a black market for hacked accounts of frequent flyers." Ultimately, if you do not want to be the next victim, the best thing you can do is destroy your boarding passes before you throw them in the bin.
