Uncovering Boarding Pass Hacking Techniques: What You Need to Be Aware Of
Are you aware that your boarding pass contains sensitive information that can be hacked? Boarding pass hacking is a growing concern for travelers.
The barcode on your boarding pass contains personal information that can be used to compromise your identity.
In this article, we’ll explain how boarding pass hacking works, the risks involved, and how you can protect yourself.
By now we should all be (more or less) aware that the internet can be a dangerous place and sharing personal information might not always be the best idea.
However, it might not always be clear what the possible threats might be in a given situation or how much damage a hacker with malicious intent can do with very limited information.
BCBP (bar-coded boarding pass) is the name of the standard used by more than 200 airlines. BCBP defines the 2-Dimensional (2D) bar code printed on a boarding pass or sent to a mobile phone for electronic boarding passes.
BCBP was part of the IATA Simplifying the Business program, which issued an industry mandate for all boarding passes to be barcoded.
What is Boarding Pass Hacking?
Boarding pass hacking is the process of extracting personal information from a boarding pass’s barcode. When you check in for your flight, you are issued a boarding pass that contains a barcode that identifies you and your flight details.
This barcode can be easily scanned to access your personal information, including your full name, frequent flyer number, and flight details.
Hackers can easily access this information using readily available software and use it to steal your identity or hack into your online accounts. They can also use it to gain access to restricted areas in the airport or even board a flight under your name.
At least once a week I come across someone’s Facebook or Instagram story, sharing their excitement about their trip to a foreign country.
The photo usually includes the passport, boarding pass, and an airplane in the background. Let me explain why it is not the best idea to post such content…
Let’s take “Image 1” as our example for investigation.
Although the name, destination, gate, and other information may not be visible on the photo, we can see the barcode present on the boarding pass.
The barcode on the boarding pass contains a wealth of information that can be scanned using a smartphone or barcode reader. This information can be used to access your details, such as your travel itinerary, seat information, and more!
If we do some expert-level cropping, we get a clearer image of the barcode for further analysis.
Great! Now that we have a well-readable barcode let’s see what information we can get out of it.
With a quick google search, we can find the right tool for the job.
In our case, I will use the Free Online Barcode Reader by Inlite.
There are multiple different Barcode Types but by no means do you have to be a barcode expert to figure out which one you need to use. Just by visual analysis, we can see our barcode looks like PDF417.
Time to get some information!
Nice! We were able to successfully read the barcode and extract the information.
M1ROE/BRIAN EIA4258 LHRLASBA BA275215F012A000 11 00
Time to dive a little deeper to see what information the barcodes actually contain. For this, I will break down the previously extracted information into smaller pieces.
- M1 — Format code ‘M’ and 1 leg on the boarding pass
- ROE/BRIAN — Passenger’s name
- EIA4258 — Booking Reference
- LHRLASBA — Flying from LHR (Heathrow) to LAS (Las Vegas) on BA (British Airways)
- BA275 — Flight Number
- 215 — The Julian Date (August 3rd)
- F — Frist class in our case (Y for Economy, J for Business)
- 12A — Seat Number
- 11 — Sequence number (11th to check in)
- 00 — Field Size of the airplane’s specific data message. 00 means there is not any.
Are you scared yet?
In this case, the boarding pass barcode only contains the minimum data fields as required by the IATA BCBP standard. The information can be more detailed for other boarding passes, for example even containing information about the frequent flyer number. Your frequent flyer number and loyalty program information is included on the boarding pass. This information can be used by hackers to access your rewards program account and steal your miles.
The booking information and reference number combined with your first and last name are often sufficient for making changes to your itinerary. So if you want to avoid some prankster hacker canceling your flight ticket minutes before you board the plane, do not post the photo of your boarding pass on the internet. However, if you absolutely have to, make sure you obfuscate the sensitive information (including the barcode).
How to Protect Yourself
Protecting yourself from boarding pass hacking is relatively simple. Here are some tips to keep in mind:
- Do not post your boarding pass online. This includes social media, blogs, or any other public platform.
- Do not leave your boarding pass lying around. Always keep it with you, and make sure to dispose of it securely.
- Use a virtual boarding pass on your phone. Many airlines offer the option to use an electronic boarding pass that you can save on your phone.
- Shred your boarding pass after your flight. Make sure to destroy your boarding pass before throwing it away.
- Monitor your online accounts regularly. Keep an eye on your bank statements, credit reports, and online accounts for any suspicious activity.
Your boarding pass may seem like a harmless piece of paper, but it contains sensitive information that can be used against you by hackers. By following the tips outlined in this article, you can protect yourself from boarding pass hacking and ensure that your personal information stays safe. Remember, always be cautious with your personal information and think twice before sharing it with others.