SAN FRANCISCO (KPIX 5) — Next time you fly, here’s some advice: be careful about what you do with your boarding pass.
Obtaining a boarding pass is usually the first order of business when you get to the airport to catch a flight. But once you go through the gate, your boarding pass is often the last thing on your mind.
“If it’s a paper pass, I normally leave it in the bin in the back of the seat in front of me. Or it ends up in my pockets, in the wash — nowhere secure, that’s for sure!” said Tyler Potretzke of San Francisco.
“If I was traveling, I might have tossed it in the trash in my hotel room,” said Debbie Caporuscio from Denver.
People leave them on the plane or toss them at baggage claim.
But, aside from the printed information, there’s something potentially much more revealing on those slips of paper: the barcode.
Barcodes are technically easy to decipher. All you need is a good scanner app. This reporter used one from Manatee Works.
After I downloaded it to my cellphone, I held it over the ticket to reveal the barcode data. Many baggage claim tickets have similar barcodes.
We scanned three boarding passes and two baggage claim tickets and handed what we found over to cyber forensic security consultant Winston Krone.
“Each of the airlines we looked at was different,” Krone said.
While some, like Southwest, scramble the information on the barcode, others, like United, do not.
“On the ticket itself, it listed her air miles number but they had redacted out certain digits. If you look at the barcode the entire number is listed.”
With permission from the owner, a KPIX 5 employee, Winston and his team went to work and found getting into her account all too easy. Unlike other airlines that send a link to your e-mail for password recovery, United just asks for an answer to your security question.
“We simply had to guess her favorite sports team,” said Winston.
Once logged in, “we could see her prior flights, her future flights, we could also see her home address, her personal telephone number, her e-mail address — all great stuff for further attacks. If we wanted to try to get into her personal bank account, this would have been a great start,” Winston told us.
In a statement to KPIX 5, the International Air Transport Association (IATA) said “each airline makes its own decisions with regard to security protocols for accessing member frequent flyer accounts.”
And IATA confirmed “there is no industry requirement that frequent flyer numbers be included in the BCBP (bar code), although there is a data field to include it at the airline’s option.”
For passengers, it’s a wake-up call. “It’s scary, because it seems like people make a living out of hacking, so yeah, I think that is a real scary thought, that someone could find my information that quickly, all of it! Pretty personal,” said Denver traveler Debbie Caporuscio.
Her solution is to keep the boarding pass on her phone.
“Mobile is much easier. It’s always on my phone, the worst thing would be if I lost my phone,” Caporuscio said.
A United Airlines spokesperson says the airline takes customers’ privacy seriously and sends customers an alert when their password gets changed. Our employee did get one. But the spokesperson wouldn’t comment on why United chooses to put the full account number on the barcode.