{"id":8911,"date":"2017-08-24T16:17:00","date_gmt":"2017-08-25T00:17:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/24\/news-2684\/"},"modified":"2017-08-24T16:17:00","modified_gmt":"2017-08-25T00:17:00","slug":"news-2684","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/24\/news-2684\/","title":{"rendered":"Why It&#8217;s Still A Bad Idea to Post or Trash Your Airline Boarding Pass"},"content":{"rendered":"<p><strong>Credit to Author: BrianKrebs| Date: Thu, 24 Aug 2017 22:55:47 +0000<\/strong><\/p>\n<p>An October 2015 piece published here about the potential dangers of tossing out or posting online your airline boarding pass remains one of the most-read stories on this site. One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your privacy\u00a0or even cause trip disruptions\u00a0down the road.<\/p>\n<p>In <a href=\"https:\/\/krebsonsecurity.com\/2015\/10\/whats-in-a-boarding-pass-barcode-a-lot\/\" target=\"_blank\">What&#8217;s In a Boarding Pass Barcode? A Lot<\/a>, KrebsOnSecurity told the story of a reader whose friend posted a picture of a boarding pass on Facebook. The reader was able to use the airline&#8217;s Web site combined with data printed on the boarding pass to discover additional information about his friend. 
That data included details of future travel, the ability to alter or cancel upcoming flights, and a key component needed to access the traveler&#8217;s frequent flyer account.<\/p>\n<div id=\"attachment_40375\" style=\"width: 590px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-40375\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/08\/instaboarding-580x548.png\" alt=\"A search on Instagram for &quot;boarding pass&quot; returned 91,000+ results.\" width=\"580\" height=\"548\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/08\/instaboarding-580x548.png 580w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/08\/instaboarding-768x725.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/08\/instaboarding-940x887.png 940w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/08\/instaboarding.png 948w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<p class=\"wp-caption-text\">A search on Instagram for &#8220;boarding pass&#8221; returned 91,000+ results.<\/p>\n<\/div>\n<p>More recently, security researcher\u00a0<a href=\"https:\/\/www.michalspacek.com\/\" data-ss1503589564=\"1\">Michal \u0160pa\u010dek<\/a>\u00a0gave a talk at a conference in the Czech Republic in which he explained how a few details gleaned from a picture of a friend&#8217;s boarding pass posted\u00a0online\u00a0gave him the ability to\u00a0view passport information on his friend via the airline&#8217;s Web site, and to change the password for another friend&#8217;s <strong>United Airlines<\/strong> frequent flyer account.<\/p>\n<p>Working from a <strong>British Airways<\/strong> boarding pass that a friend posted to <strong>Instagram<\/strong>, \u0160pa\u010dek found he could log in to the airline&#8217;s passenger reservations\u00a0page using the six-digit\u00a0<strong>booking code<\/strong>\u00a0(a.k.a. 
<strong>PNR<\/strong> or <strong>p<\/strong>assenger <strong>n<\/strong>ame <strong>r<\/strong>ecord) and the last name of the passenger (both are displayed on the front of the BA boarding pass).<\/p>\n<p>Once inside his friend&#8217;s account,\u00a0\u0160pa\u010dek saw he could cancel future flights, and view or edit his friend&#8217;s passport number, citizenship, expiration date and date of birth. In my 2015 story, I showed how\u00a0this exact technique permitted\u00a0access to the same information on <strong>Lufthansa<\/strong> customers (this still appears to be the case).<\/p>\n<p>\u0160pa\u010dek also reminds readers about the dangers of posting boarding pass barcodes or <a href=\"https:\/\/en.wikipedia.org\/wiki\/QR_code\" target=\"_blank\">QR codes<\/a> online, noting there are several barcode scanning apps and Web sites that can extract text data stored in bar codes and QR codes. Boarding pass bar codes and QR codes usually contain all of the data shown on the front of a\u00a0boarding pass, and some boarding pass barcodes actually conceal even\u00a0<em>more<\/em> personal information than what&#8217;s printed on the boarding pass.<\/p>\n<p>As I noted back in 2015,\u00a0<strong>United Airlines<\/strong>\u00a0treats its customers\u2019 frequent flyer numbers as secret access codes. For example, if you\u2019re looking for your\u00a0<strong>United Mileage Plus<\/strong>\u00a0number, and you don\u2019t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company.<\/p>\n<p>When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United\u2019s boarding passes. 
However, the customer&#8217;s full Mileage Plus number is available if you take the time to decode\u00a0the barcode on any United boarding pass.<\/p>\n<p>Until very recently, if you knew the\u00a0Mileage Plus number and last name of a United customer, you would have been able to reset their frequent flyer account password simply by guessing <a href=\"https:\/\/krebsonsecurity.com\/2016\/08\/united-airlines-sets-minimum-bar-on-security\/\" target=\"_blank\">the multiple-choice answers to two secret questions<\/a> about the customer. However, United has since added\u00a0a third step: the customer must click a link in an email that gets generated when someone successfully guesses\u00a0the multiple-choice answers to the two secret questions.<\/p>\n<p>It&#8217;s crazy how many people post pictures of their boarding pass on various social networking sites, often before or during the trip itself. A search on <strong>Instagram<\/strong> for <a href=\"https:\/\/www.instagram.com\/explore\/tags\/boardingpass\/\" target=\"_blank\">the term &#8220;boarding pass&#8221;<\/a>, for example, returned more than 91,000 such images. Not all of those images include the full barcode or the record locator, but plenty do, and that&#8217;s just one social network.<\/p>\n<p>For anyone interested in how much of today&#8217;s airline industry still relies\u00a0on security by obscurity, check out <a href=\"https:\/\/media.ccc.de\/v\/33c3-7964-where_in_the_world_is_carmen_sandiego#webm\" target=\"_blank\">this excellent talk<\/a>\u00a0from last year&#8217;s <strong>Chaos Communication Congress<\/strong>\u00a0(CCC) in Berlin by security researchers <strong>Karsten Nohl<\/strong> and <strong>Nemanja Nikodijevic<\/strong>. 
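To make concrete what "decode the barcode" means, here is an added example (not code from the article, from Krebs, Spacek or Nohl, and not any airline's software) that parses the text encoded in an IATA Bar Coded Boarding Pass ("M" format, the layout behind the PDF417 and QR codes on most passes). The field widths follow the published IATA BCBP layout as I understand it; the sample pass, passenger name, booking code, flight, bag tag and frequent flyer number are all constructed for this example and match no real booking. It pulls out exactly the items the article says an attacker wants: the surname plus PNR pair that "manage my booking" pages accept as a login, the baggage tag number, and the full frequent flyer number that the printed pass and e-mails show only as asterisks plus the last three characters.

```python
"""Decode an IATA Bar Coded Boarding Pass (BCBP, "M" format) string.

Added example with a constructed sample pass; not the article's code and
not an airline's implementation. Field widths follow the public IATA BCBP
layout (version 5/6 conditional items) as understood by the author of this
example.
"""
from dataclasses import dataclass
from typing import List, Tuple


def _fw(value: str, width: int) -> str:
    """Left-justify a value into a fixed-width, space-padded BCBP field."""
    if len(value) > width:
        raise ValueError(f"{value!r} does not fit in {width} characters")
    return value.ljust(width)


# Constructed sample (invented data). The hex sizes 48, 18 and 2A give the
# lengths of the variable section, the unique items and the repeated items.
SAMPLE_BCBP = "".join([
    "M", "1", _fw("DOE/JOHN", 20), "E",                        # header
    _fw("ABC123", 7), "SFO", "FRA", _fw("UA", 3), _fw("0058", 5),
    "236", "Y", "012A", _fw("0025", 5), "1", "48",             # leg 1 mandatory
    ">", "6", "18",                                            # version marker
    "0", "W", "W", "7230", "B", _fw("UA", 3), "0016123456001",  # unique items
    "2A",
    "016", "1234567890", "0", "1", _fw("UA", 3), _fw("UA", 3),
    _fw("AB123456", 16), " ", "2PC", "N",                      # repeated items
])


@dataclass
class Leg:
    pnr: str
    origin: str
    destination: str
    carrier: str
    flight: str
    julian_day: int
    seat: str
    sequence: int
    bag_tag: str = ""
    frequent_flyer_airline: str = ""
    frequent_flyer_number: str = ""


@dataclass
class BoardingPass:
    passenger_name: str
    legs: List[Leg]


class _Cursor:
    """Fixed-width reader; sub-cursors bound each size-prefixed section."""

    def __init__(self, data: str) -> None:
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> str:
        if self.remaining() < n:
            raise ValueError("truncated BCBP data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def take_opt(self, n: int) -> str:
        """Trailing conditional fields may simply be cut off."""
        return self.take(n) if self.remaining() >= n else ""

    def take_size(self) -> int:
        """Section sizes are two hexadecimal characters."""
        return int(self.take(2), 16)


def _parse_conditional(section: _Cursor, leg: Leg, first_leg: bool) -> None:
    if first_leg:                       # '>' + version + unique items once only
        if section.take(1) != ">":
            raise ValueError("conditional section must start with '>'")
        section.take(1)                                      # BCBP version
        unique = _Cursor(section.take(section.take_size()))
        for width in (1, 1, 1, 4, 1, 3):  # pax descr, check-in src, issuance src,
            unique.take_opt(width)        # issue date, doc type, issuing airline
        leg.bag_tag = unique.take_opt(13).strip()
    repeated = _Cursor(section.take(section.take_size()))
    for width in (3, 10, 1, 1, 3):      # airline code, ticket no., selectee,
        repeated.take_opt(width)        # intl doc verification, marketing carrier
    leg.frequent_flyer_airline = repeated.take_opt(3).strip()
    leg.frequent_flyer_number = repeated.take_opt(16).strip()
    # Whatever remains in `section` is for individual airline use; ignored.


def parse_bcbp(raw: str) -> BoardingPass:
    c = _Cursor(raw)
    if c.take(1) != "M":
        raise ValueError("not an IATA BCBP 'M' format string")
    n_legs = int(c.take(1))
    name = c.take(20).strip()
    c.take(1)                                                # e-ticket flag
    legs = []
    for i in range(n_legs):
        pnr, origin, destination = c.take(7).strip(), c.take(3), c.take(3)
        carrier, flight = c.take(3).strip(), c.take(5).strip()
        julian_day = int(c.take(3))
        c.take(1)                                            # compartment
        seat, sequence = c.take(4).strip(), int(c.take(5))
        c.take(1)                                            # passenger status
        leg = Leg(pnr, origin, destination, carrier, flight, julian_day, seat, sequence)
        var_len = c.take_size()
        if var_len:
            _parse_conditional(_Cursor(c.take(var_len)), leg, first_leg=(i == 0))
        legs.append(leg)
    return BoardingPass(name, legs)


def surname_and_pnr(bp: BoardingPass) -> Tuple[str, str]:
    """The (last name, booking code) pair that reservation pages accept."""
    return bp.passenger_name.split("/", 1)[0], bp.legs[0].pnr


def mask_all_but_last3(number: str) -> str:
    """What the printed pass shows; the barcode carries the full value."""
    return "*" * max(len(number) - 3, 0) + number[-3:]
```

Feed it the string any barcode-scanner app returns from a photographed pass and `surname_and_pnr` gives the reservation login, while `frequent_flyer_number` is the unmasked value that the printed pass hides behind asterisks. The size-prefixed sections matter: real passes pad or truncate the optional items, so the reader honours the declared lengths instead of assuming fixed offsets, and a cropped photo that yields a short string raises `ValueError` rather than returning garbage.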
<span class=\"pullquote pqleft\">Nohl notes that the six digit booking code\u00a0or PNR is essentially a temporary password issued by airlines that is then\u00a0summarily printed\u00a0on all luggage tags and inside all boarding pass barcodes.<\/span><\/p>\n<p>&#8220;You would imagine that if they treat it as a password equivalent then they would keep it secret like a password,&#8221; Nohl said. &#8220;Only, they don&#8217;t, but rather print it on everything you get from the airline. For instance, on every piece of luggage you have your last name and the six-digit (PNR) code.&#8221;<\/p>\n<p>In his talk, Nohl showed how these PNRs are used in code-sharing agreements between and among airlines, meaning that gaining access to someone else&#8217;s frequent flyer account may reveal information associated with that customer&#8217;s accounts at other airlines.<\/p>\n<p>Nohl and his co-presenter also demonstrated how some third-party travel sites do little to prevent automated programs from rapidly submitting the same last name and changing the PNR, essentially letting an attacker <a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/brute-force-cracking\" target=\"_blank\">brute-force<\/a> a targeted customer&#8217;s PNR.<\/p>\n<p>My advice: Avoid the temptation to brag online about that upcoming trip or vacation. Thieves looking to rob someone in your area will be delighted\u00a0to see this kind of information posted online.<\/p>\n<p>Don&#8217;t\u00a0post online pictures of your boarding pass or anything else with a barcode in it (e.g., there are currently <a href=\"https:\/\/www.instagram.com\/explore\/tags\/concerttickets\/\" target=\"_blank\">42,000 search results<\/a> on Instagram for &#8220;concert tickets&#8221;).<\/p>\n<p>Finally, avoid leaving your boarding pass in the trash at the airport or tucked into that seat-back pocket in front of you before deplaning. 
Instead, bring it home and shred it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/08\/instaboarding-580x548.png\"\/><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[14078,14079,5872,14080,14081,10644,14082],"class_list":["post-8911","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-boarding-pass-barcode","tag-boarding-pass-hacking","tag-british-airways","tag-lufthansa","tag-michal-spacek","tag-other","tag-united-airlines"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\
/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8911"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8911\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8911"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}