Information in Your Boarding Pass's Bar Code

There's a lot of information, including the ability to get even more information.

Posted on October 8, 2015 at 6:22 AM • 24 Comments

Comments

WmOctober 8, 2015 7:59 AM

What Boarding Pass? I stopped flying altogether in 2004 after Continental Airlines put me on their watch list because my alarm clock that had a phosphorus dial set off their bomb sniffer. I couldn't fly Continental or Northwestern (on the same computer system) thereafter without going through three security checks. That was enough for me. I quit that job that took me flying 1 to 3 times a week and haven't flown since. I had had all the arrogant little tyrant high school dropout GED security officer treatment I could stand.

jaysonOctober 8, 2015 8:12 AM

I submit that anyone who still uses their actual mother's maiden name for security deserves to get their flight cancelled.

BrianSOctober 8, 2015 8:24 AM

@jayson
I'd love to agree on this, but security questions in general are terribly implemented.

Often times I'm left with that being the only question of a handful of ones offered that's even relevant, let alone something I can remember.

Others are just as bad. Like "what state were you born in" or "what high school did you go to". Things that are just as easy, sometimes more so for a given person, than what their mothers maiden name is.

I hate the security questions as a rule, because I'd rather they do something like text or e-mail me a code to my registered phone or e-mail address if I forget my password.

If either/both of those was also compromised I'd have much more to worry about.

szigiOctober 8, 2015 9:08 AM

Can't we simply send all architects, programmers, etc. to 20 years of hard labor who design, implement or approve a security question, and at the same time demand a strong password.
The world would definitely be a safer place.

John MacdonaldOctober 8, 2015 9:18 AM

Security questions always seem to me to have many possible answers, and many ways of writing each possible answer.

"First Pet" - would that be the first one I've been told about (from when I was 2), the first I remember (when I was 5), or the first that I have fond memories of. Is the name capitalized, does it include the apostrophes and hyphens, is it the full official name or the shorter commonly used version of the name?

The key issue is, will I recreate the same sub-answers a year from now when I need to provide the same value I picked when I set the question?

rgaffOctober 8, 2015 9:32 AM

I like how one commenter pointed out that all the barcode info was also printed in plain text on the boarding pass... making the whole "omg, so much stuff is in the barcode" argument moot.... except that you may be trying to redact your PII on a picture of the boarding pass and forgetting to redact the barcode too....

ChelloveckOctober 8, 2015 9:53 AM

@BrianS: Why would you answer truthfully? I just generate and store unique security answers with the same program that stores all my passwords.

Mother's maiden name? *QQp.R.Zv8Anx1JW
What state were you born in? 8/qVB@XP@7b
What high school did you go to? 1@d16YYLW9=c@vrL

EvilKiruOctober 8, 2015 10:02 AM

You should never provide a "correct" answer to a security question. Make up a completely irrelevant answer and record that in the notes section of your password database for that web site, along with the security question.

ianfOctober 8, 2015 10:08 AM


@ Wmhas had all the arrogant little tyrant high school dropout GED security officer treatment I could stand.

I'm with you; haven't been banned from flying due to some stupid clock (I'm in EU, and the last time I went to the USA was in pre-2001 era, when it only felt like being part of a cattle market @ JFK, not yet an abattoir), but share your sentiments exactly, and thus try to limit my exposure to such thieving wannabe-cops as much as possible.

Then again, at around the time of the 2000 dotcom bubble, the packaged [flight + budget hotel + bus transfer] charters to EU capitals disappeared from the travel market, replaced by separate ultra cheap flights PLUS much more expensive hotel deals – all of which have to be researched and booked by oneself (packaged charters moved to Thailand, Dominican Republic & other far-away, bigger profit margin exotic destinations—only with no @sciencemuseum in sight). Thus now a week in, say, London/ Bayswater area hotel that used to be my staple, and left no big dent in my pocket, has "evolved" to become practically "a luxury" vacation: 3-to-5 times more expensive (by perception, not adjusted for inflation) as before. Well, fuck you very much, Mr. Ryan Air.

    Sadly, your & mine lowest-level opposition won't make a dent in this Al-Qaida-in-cahoots-with-DHS-everywhere perverted state of affairs… nothing short of (e.g.) periodic BOYCOTT FLYING DAYs which will hit airlines & airports where it counts: in their short-term quarterly & long-term yearly results, the worst kind of disasters that can befell commercial entities!

[If GED = Sussex County Airport, Delaware, then you just posted ICBM coordinates here ;-))]

BTW. I've been looking for cargo pants, my formal attire, that do not trigger airport sensors with their metal zippers—what's wrong with plastic ones?. I even wrote about this to 2 leisure clothing manufacturers, asked in various outlets, all to no avail. Apparently there's no demand for it, and/or male flyers like being groped on mere pretext of being a potential danger to the society!


@ jayson … actual mother's maiden name

    you have more than one mother to pick from? RESPECT

szigiOctober 8, 2015 10:12 AM

@Chelloveck, @EvilKiru:
So basically security questions waste your time by having to come up with a strong enough answer and maybe store that answer. Which is completely useless, since if you are recording your password, you won't forget it, if not, then you will also forget the security question.
Not to mention that I'm pretty sure, most of the websites don't handle the security question with the same precaution as the password. Heck, they often can't even handle the password with proper encryption.
Since security question practically overrides the password, and adds additional complexity to the whole system to have yet an other thing to break or be broken into, they are completely and utterly useless and considered harmful.

EvilKiruOctober 8, 2015 10:59 AM

@szigi: It's not completely useless. I stopped allowing my web browser to memorize my passwords after losing access to a web site because my account name and password were only recorded in the browser's password database and my hard drive died.

So now all of my passwords are in my password database and having to look up the answer to a security question isn't that much of a burden on top of having to look up the password in the first place. And web sites rarely ask the security question unless they detect that you're accessing the site from a new computer or after performing a significant system upgrade.

BrianSOctober 8, 2015 11:03 AM

@Chelloveck

Depends on how you look at it.
Security questions are supposed to be a "crap, I can't get into the account, I no longer know the password, and I need to get back in" kind of thing.

In a situation like that, I'd assume the PW manager I normally use is no longer accessible/available and thus the random answer to the security question is now lost as well.

This is why I'd much prefer a reset request go to a phone or e-mail account to validate. That way no matter what information they knew, they would need to have access to my phone or e-mail in order to reset the password.

And if they had access to those, then they would have far more access to my information than some random web page anyways.

MaxOctober 8, 2015 11:20 AM

Brian, the problem with using phone# or email is that those can be reassigned (especially email since many accounts expire automatically after a period of non-use). Much better to use snail mail for anything important and/or non-urgent.

BrianSOctober 8, 2015 11:33 AM

@Max

For very important things like bank accounts, sure.
But for your average web site? Not a chance.

Most people now, especially in the age of cell phone number portability, can have the same phone number for decades, if not their entire life.

Same with e-mail as well unless you use one tied to your ISP. Most won't delete it provided you actually log into it and use it at least once every few months.

I've had my current phone number for almost 20 years, and I've moved 3 times across 2 different states.
I've had one of my e-mail addresses even longer than that.

John Galt IVOctober 8, 2015 12:01 PM


the boarding pass problem has been around for a while

http://hasbrouck.org/articles/watching.html

"Against stupidity the gods themselves contend in vain"

You may from time to time ask or be asked, "Are they stupid or are they malicious?" It's a trick question. They are both stupid and malicious.

AJWMOctober 8, 2015 12:53 PM

@BrianS

"what state were you born in"

Naked

"what high school did you go to"

Ridgemont High

The latter actually happens to be true (to most people's surprise), although it's not the only high school I attended, let alone went to. (Since I dated a girl at a different HS, I often went to that school, just didn't take any classes there.)

Never use the obvious answer, but if you're totally making stuff up, better use some kind of password manager to remember it.

BrianSOctober 8, 2015 1:01 PM

@AJWM

That's kind of the point someone else was making however. These questions are often subject to interpretation.

If you put those answers down now, and came back to them in 5+ years without ever having had to see them, would you come up with the same answers?

If you're not reading them as straightforward questions and coming up with novel or non standard answers, you are not as likely to remember exactly which responses you gave to them at some point in the future.

It's more secure, but less reliable. Whereas the straight answers are more reliable, but less secure, at least in regard to the canned questions most pages will give you.

If you could provide your own questions and answers both, it can be as reliable and secure as you are willing to make it.

That aside, I prefer a 2 factor reset as I've mentioned. It just makes things easier so long as you keep your information up to date on your various profiles.

If you fall into a coma or get stuck somewhere with 0 access to technology for the next 2 years or something, then you will probably have far more to worry about than password reset difficulties.

AOctober 8, 2015 1:26 PM

I guess it comes down to "will I remember the obvious (to me) smart-ass answer I gave five years ago?" If that answer is based on truth, and I'm in the habit of making smart-ass answers (unless I'm under oath or something), then probably yes -- although they may also be vulnerable to somebody who knows me well enough.

But in general, yes, "security" questions are a very poor way to go, although you can get pretty creative and personal (thus secure and memorable) if you make up your own.

As for 2FA, the VPN system at work sends an auth code to my work email or my work (desktop) phone, which was frustrating as hell trying to get in from home until I remembered that the work email also has a web client (at least it uses https).

JBOctober 8, 2015 1:55 PM

I prefer the ones that let you make up your own question to answer.

That way, you can be certain to ask a question that would make no sense to anyone else, with an answer that wouldn't either but which you can remember without any need for smart-alec answers. E.G. (nonsense words changed for security) "What color is the Snanj?" "Glavr." "What is the 4th member of the category containing Sxlix, Svamp, and Turval?" "Lwex."

GJOctober 8, 2015 5:35 PM

> "what state were you born in"

beryllium-etats-oxide-6word

> or "what high school did you go to"

beryllium-loohcs-oxide-7word

> or "what color is your car"

beryllium-roloc-oxide-5word

easy to remember, can be easily adjusted to any question. It's the only recipe that I can consistently remember without writing stuff down.

Note: compound name changed to protect the innocent.

EvilKiruOctober 8, 2015 5:45 PM

@JB: With sites that require a security question and answer and let you make up your own question, I still provide an answer that has nothing to do with my invented question.

@ Brian S: You don't have backup copies of your password manager database?

If technology is so far gone that I don't have access to my password manager, then there's almost no chance that I'll have a need to access any web site that might have cause to ask me a security question.

@Brian S, @A: Of course I'm not going to remember my answers to the security questions. Which is why they are safely stowed in my password manager database.

65535October 9, 2015 9:22 AM

If you have worked or Symbol/zebra/Motorola/etc., you will quickly learn about the information that can be stored/accessed by a GTIN-12/GTIN-13, Aztec, Quick Response Code’s.

You will realize the information stored in said codes lead to pointers and/or hooks to data bases => which lead to vast data bases.

https://en.wikipedia.org/wiki/Barcode

If you have ever programmed a bar code machine you will learn that a series of quick scans of barcodes can re-encode and entire bar code system [barcodes themselves can be an like an executable program]. This is good or bad.

This maybe why the US Post Office, and all major transport services, including airlines use barcodes of various/multiple types. The information back-end data bases produce huge amounts of information on people.

If you have a barcode on you package at your abode, you are in a database. If you send a handwritten letter that your post office assigns a bar code you are in a database, and so on.

If you buy anything with a barcode and use your credit card you are in a database. Use the barcode sticker from your tax return label to send your tax return in, you are in a database.

The USPS collects all that information and puts it into a data base – as does may corporate partners.

The same goes for retail coupons to aircraft boarding passes. Once you are connected to solid data base and individual identifier via a barcode the government has your information [whether it is good or bad is inconsequential]

Simply put, if you are “barcoded” the government has your information. Barcodes are not your friend. End of story.

navigatorNovember 10, 2015 12:00 PM

In the light of recent Russian let crash in Egypt I'm just thinking. In several news reports it is designated as one of the most probable scenarios for an act of terror to bring an explosive device on board in a piece of luggage. The device could be equipped with some trigger that will initiate detonation once the jet rises to certain altitude (and pressure drops below some preset level). Or temperature goes below some level. Or something else happens what happens in a flight.

So why don't we take all the luggage after check in is closed and prior to loading it on board do some flight conditions simulation? Just put it all into some container, place the container into some kind of chamber and make it 'feel like flying'? Reduce pressure, lower the temperature etc. Behind still plates and concrete walls. One could even try to imitate different kinds of remote-control signals, electro-magnetic pulses and whatever else can be thought of in order to make potential explosive device to blow in controlled conditions.

If there is one- well, so much for the luggage. It will be totally destroyed of cause. But nobody gets killed.

Just a rough idea but why not...

ianfNovember 10, 2015 3:02 PM


@ navigator

Your "rough idea" of pre-under-pressurizing all luggage in some safely at a distance from terminals placed "airplane hold-sized vacuum/ freezing container" in order to trigger potential hidden barographic and temperature bomb fuses is not only impractical and ineffectual, but unworkable in practice. (Also you forgot to add testing for vibration pattern and preset time triggers).

YOU HAVE NO IDEA of the logistical flow in an airport; I sometimes wonder that it works at all. I suggest you visit the nearest regional airport, and observe the workings of luggage handlers in a smaller, less stressful than major airports setting (where you wouldn't be able to see all that anyway), and then GO BACK TO THE THINKING BOARD, DO NOT PASS "POST," DO NOT COLLECT $200.

PS. print this out & carry in your pocket in case of being questioned by airport security or the police "for what purpose do you research luggage handling here." Better not do it at all if you could pass for an Arab (bad airport vibes). Above all however, do not post more airport security ideas of whatever shape.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.