Hacker News
What’s in a Boarding Pass Barcode? (krebsonsecurity.com)
151 points by snowy on Oct 6, 2015 | hide | past | favorite | 56 comments



  Interested in learning what’s in your boarding pass barcode? 
  Take a picture of the barcode with your phone, and upload it to this site.
Whoa! We are talking about private information being easily accessed from our boarding passes, and there is a passage on uploading it to some site online. Wouldn't that be ill-advised?


I basically read this as "Worried someone has your credit card information? Enter your credit card number to find out!"


Someone has sorta done that http://ismycreditcardstolen.com/

(Try to submit bogus data to see the results :) )


I was just about to say the same thing. I'm surprised at this coming from Krebs.


Krebs has some pretty awesome stuff, but I came here to say this as well. inlitedataresearch.com doesn't seem like the place to do this, and while he probably assumes you understand the risks/used a Google image instead, it did not flow well.


The barcode is PDF417 and there are phone apps that scan and convert it to text (http://www.pdf417.mobi/) - in case you do not want to send this to some website. I played with it, decoding my own boarding passes, but did not find anything that was not already printed on the pass. Granted there was a lot of abbreviated gibberish which may have been something sensitive.


How exactly is using a random app any safer than using a random website? Or, what other benefit could it have? Both an app and a website are somebody else's code running on your local machine and (often) communicating with a remote server. A random app could just as easily grab your info from the barcode.


Using an app can be safer than a website.

1. If the app doesn't have permissions to use the internet (possibly Android only, although the Android 6 discussion seems to suggest that there are ways round this).

2. If you use the app while disconnected from the internet and ensure that it isn't running when you reconnect.

Neither of those is possible when you upload the image to be parsed online.


Those are both hypotheticals that are very far from typical ways that people use apps on their phones.

An app might upload the image to a remote server. A website might parse it locally through JS - maybe disabling your connection, submitting your image, parsing it, then wiping your cached website data would be just as "safe".

The problem is the knee-jerk reaction that "some random website" is dangerous while some random app is not. You have to assume both are equally risky in this situation.


This barcode is normally used as input to ACP (IBM Airline Control Program, also called TPF or z/TPF) in plaintext to a TCP/IP TN3270-based terminal emulator running under Windows (with or without any SSH encryption). But the barcode text is visible to anyone facing the terminal. At least that's how it happened in all my latest flights.


> IBM Airline Control Program, or ACP, was an operating system developed by IBM beginning about 1965.

> TPF evolved from the Airlines Control Program (ACP), a free package developed in the mid-1960s by IBM in association with major North American and European airlines. In 1979, IBM introduced TPF as a replacement for ACP — and as a priced software product.

Holy fuck. I don't want to be the poor guy maintaining code that is likely to be older than himself...


IBM IMS (Information Management System, predating DB2) failed for some large banks in Australia over the weekend. http://www.smh.com.au/it-pro/business-it/st-george-bank-of-m...

"IBM designed the IMS with Rockwell and Caterpillar starting in 1966 for the Apollo program" "Vern Watts was IMS's chief architect for many years. Watts joined IBM in 1956 and worked at IBM's Silicon Valley development labs until his death on April 4, 2009. He had continuously worked on IMS since the 1960s." https://en.wikipedia.org/wiki/IBM_Information_Management_Sys...


> "IBM designed the IMS with Rockwell and Caterpillar starting in 1966 for the Apollo program"

I've come across IMS before, and I absolutely love this line. This is a database built for the Apollo program by a tractor company. That's a kind of old-school solidity we don't see much anymore (mostly for the better, but still).


Vern Watts was the first IBM Distinguished Engineer, and was responsible for some of the technologies that went into DB2 and other SQL databases. Some info about his career at [1] and [2].

[1] http://www.scaledb.com/vern.php

[2] http://vcwatts.org/


The job security + paycheck might be justified though. Almost guaranteed small team too.


Yeah, I know someone who had a consulting job for some obscure IBM mainframe "thing" and she basically got to do whatever she wanted with an amazing salary because she was one of 3 people in the world who knew anything about it.


That is really "niche", but I wonder how transferable her skills are, in case those IBM mainframes become obsolete :-)


There's very good money in being one of the very few people in the world who are really good at "obsolete" things.


They're already very obsolete. Doesn't mean the support contracts will go away though!


TPF, if you're one of the 3-4k people worldwide who still know it, pays very well. Yes, they will be small teams, but in the largest travel companies.

Disclaimer: I could be wrong about the number above, but AFAIK it's in the ballpark.


I worked with ACP/TPF in the distant past. All programs were written in S/370 macro assembler. My department tested C, but it was dismissed as too slow, generating code that was too inefficient. But if you are maintaining this software now, you're definitely not poor. Also, I probably wouldn't mind doing that now, it certainly wasn't the worst code I ever encountered, by far.


Sadly, that's the reality of most of the travel tech. Lots of legacy software using proprietary protocols running on IBM mainframes.


Some of this old software is indeed very creaky. Look at all the problems associated with merging the Continental and United systems. (Which, from my understanding, still aren't 100% resolved.) However, this old software also needs to touch a huge number of other systems. You're not going to rewrite it in Go using a microservices architecture over a few months.


True, that's why standardization in this area is very important. I'm very optimistic about IATA standards like NDC currently being adopted.


Makes me wonder what'd happen by fuzzing it. It's probably all fixed length, but the data is probably assumed safe and not escaped. Though I suppose getting access to a system to figure this out would be the hard step.


If it's truly handled as fixed-length then there won't be any need for escaping; that's only a concern when values are embedded into other delimited strings, like SQL.

A lot of these systems definitely predate SQL. Even with SQL, using parameters is the usual way to operate on large amounts of data with fixed queries, and it avoids escaping issues entirely.


I mean escaping as in "the scanned data's FF number is then sent to a shell script for crediting the flight". And since it's expected that the data is just 8 alphanumeric chars, it doesn't handle anything else well.

You're right there are ways to do this properly, of course. But in practice, with huge systems, people end up hooking in things here and there and forget at some point, eh?
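The scenario sketched in the comment above, as an added example that is not from the article or from any commenter: a frequent flyer number read out of the barcode gets handed to a "crediting" shell command. The script path is an assumption and `echo` stands in for it so the code runs offline; the hostile value is constructed. The point is the comment's own: a fixed-width field (the IATA frequent flyer item in the barcode is 16 characters) does not help once the value is spliced into a shell line, because fifteen characters are plenty for a second command. An allow-list check plus an argv-style invocation with no shell removes the problem.

```python
"""Added example (not from the thread): a barcode-derived frequent flyer number
reaching a shell. 'echo' stands in for the hypothetical crediting script."""

import re
import subprocess

# The IATA barcode frequent flyer item is a 16-char alphanumeric field; an
# airline's own numbers are often shorter (the comment assumes 8). Allow-list
# exactly the characters the field is defined to hold, nothing else.
FF_ALLOWED = re.compile(r"[A-Z0-9]{1,16}")


def credit_miles_unsafe(ff_number):
    """Splices the scanned value straight into a shell command line."""
    cmdline = "echo crediting " + ff_number  # stands in for e.g. credit_miles.sh <number>
    return subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True).stdout


def is_accepted(ff_number):
    """Strict allow-list check on the raw field value."""
    return FF_ALLOWED.fullmatch(ff_number.strip()) is not None


def credit_miles_safe(ff_number):
    """Validate first, then invoke without a shell: metacharacters are just bytes in argv."""
    ff = ff_number.strip()
    if not is_accepted(ff):
        raise ValueError("rejected frequent flyer number: %r" % ff)
    return subprocess.run(["echo", "crediting", ff], capture_output=True, text=True).stdout


# Constructed inputs. HOSTILE is 15 chars, so it fits in the 16-char barcode field unchanged.
BENIGN = "AB123456"
HOSTILE = "A;echo INJECTED"

if __name__ == "__main__":
    # Unsafe path prints two lines; the second one is the injected command's output.
    print(credit_miles_unsafe(HOSTILE), end="")
    print("accepted by allow-list:", is_accepted(HOSTILE))
```

Note that the fix is the pair: the regex alone would still be fragile if a later maintainer went back to string concatenation, and the argv list alone would still pass a hostile string through to the script as an argument.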


It's worth noting that everything mentioned in the article except the full frequent flyer number is also printed in ASCII on the boarding pass.


But from a social/human perspective: some semi-data-conscious people have been known to upload pictures with only the human readable print redacted, but with the barcode left intact.

Also, some people might tear the boarding pass into many pieces so that name, flight, ... can't be associated. But the barcode is relatively small. It might still be readable in one piece.


Virgin Australia prints the PNR and frequent flyer number in plaintext.

I scanned a recent VA boarding pass with a PDF417 scanner, and amongst all the other stuff is 16 characters without an obvious meaning. The boarding pass in the article had a similar region, and another longer one. It would have been interesting for the article to have pulled those apart.


Virgin's security is a joke. Their Flying Club (frequent flyer points) website stores passwords in plaintext! Not to mention the ridiculous restrictions they put on the username / password fields in the first place.


My regular airline is Qantas, which prints the full frequent flyer number on the boarding pass, but not the PNR/booking reference.


Qantas assigns FF numbers sequentially -- mine was in the first million so it's six digits. So any number is associated with someone's account.

Other schemes seem to assign only a tiny fraction of possible codes, which is why my Starwood number is twelve digits long.

I don't see any reason why they should do that.


They've changed - new QFF accounts are something like 10 or 12 digits long. (I'm 7 digits myself.)


The frequent flyer number seems to be the piece that gives away the keys to the kingdom.


Depends on the airline.

US-based airlines tend to require an actual password to access the account and see future flights, spend miles on redemptions, and so on (I have accounts, currently, with four different US-based carriers, and all of them require a password for account access).

The confirmation code and passenger name are enough to make changes to that reservation, though; if you know someone's code + name you can cancel the return segment of their journey, for example.

I'm wondering if the person being quoted was confused by seeing the return segments of a multi-segment trip (which are part of a single reservation, and would come up with just the information on the boarding pass), and thought it was actually full account access.


  I'm wondering if the person being quoted was confused by seeing the return segments of a multi-segment trip
I wondered that too. I'm a Miles & More member via Swiss (which is part of the Lufthansa group) and you definitely need a password / pin to access your FF account.

Accessing a specific booking via booking code / surname is a whole different issue.


Even if the FF number were not printed on the boarding pass, the booking reference/PNR and surname are generally enough to log in and retrieve the FF number from the booking.


Sure, but the frequent flyer number is apparently not well protected:

"Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance."


Which is not usually the case. At least for Star Alliance members I see my FFN printed on tickets.


I had tried that before using Mathematica instead of a website and I was also surprised to see the data in the barcode is not really signed in any way. IIRC it was a European low cost like Ryanair, and I thought it was scary that I could have generated the same exact barcode just by knowing my name and the flight.

Of course there is an extra step of validation, because the airline has the passenger list, so you can't just add yourself to a flight.


The boarding pass format spec linked in the article [1] shows the support for signing (page 49, fields 25 onwards)

The boarding pass data is still plaintext as explained, but a signature is appended to validate that the content has not been tampered with, and who generated it.

I think boarding pass signing is mandatory on all U.S. airlines at least but I have no source for that

[1] http://www.iata.org/whatwedo/stb/documents/bcbp_implementati...
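An added example, not code from Krebs's article or from any commenter, of what the PDF417 payload on a boarding pass decodes to and how the signature block the comment above points at is laid out. It parses the IATA BCBP "M" format by the fixed field widths given in the IATA implementation guide (as understood by the editor): 60 characters of mandatory items, then a conditional section whose length is a 2-character hex count, then the security items, where "^" marks the start, one character gives the type, two hex characters give the length and the rest is the security data. The conditional section also carries the 16-character frequent flyer number item, one candidate for the unlabelled 16-character run an earlier comment mentions. The sample string is constructed here: the mandatory part follows the spec's familiar DESMARAIS/LUC example, the conditional and security contents are invented placeholders, and the "signature" is not a real one, so the parser only reports that a security block is present. Verifying it would need the issuing airline's public key, which is also why the barcode content itself stays readable to anyone who scans it.

```python
"""IATA BCBP ('M' format) boarding pass barcode parser.

Added example, not code from the article or the thread. Field widths follow the
IATA BCBP implementation guide as understood by the editor; the sample barcode
text below is constructed (spec-style mandatory part, invented conditional and
security contents) so the parser can be exercised offline.
"""

# Mandatory items for leg 1, in order: (name, width). Total width is 60.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("sequence", 5), ("passenger_status", 1), ("conditional_size_hex", 2),
]
# Conditional items unique to the whole pass (after '>' + version + hex size).
UNIQUE_FIELDS = [
    ("passenger_description", 1), ("checkin_source", 1), ("issuance_source", 1),
    ("issue_date", 4), ("document_type", 1), ("issuer_airline", 3),
    ("baggage_tag", 13),
]
# Conditional items repeated per leg (after their own 2-char hex size).
REPEATED_FIELDS = [
    ("airline_numeric_code", 3), ("document_serial", 10), ("selectee", 1),
    ("intl_doc_verification", 1), ("marketing_carrier", 3), ("ff_airline", 3),
    ("ff_number", 16), ("id_ad_indicator", 1), ("free_baggage", 3),
]


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new position; refuse to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated barcode at offset %d (need %d chars)" % (pos, n))
    return buf[pos:pos + n], pos + n


def _slice_fields(block, fields):
    """Cut a length-delimited block into fixed-width items, taking as many as fit."""
    out, pos = {}, 0
    for name, width in fields:
        if pos >= len(block):
            break  # older format versions carry fewer items; stop at the block boundary
        out[name] = block[pos:pos + width].strip()
        pos += width
    return out


def _parse_conditional(cond):
    if not cond:
        return {}
    if cond[0] != ">":
        raise ValueError("conditional section must start with '>'")
    version, pos = _take(cond, 1, 1)
    usize, pos = _take(cond, pos, 2)
    unique, pos = _take(cond, pos, int(usize, 16))
    rsize, pos = _take(cond, pos, 2)
    repeated, pos = _take(cond, pos, int(rsize, 16))
    out = {"bcbp_version": version, "airline_use": cond[pos:]}  # airline-private remainder
    out.update(_slice_fields(unique, UNIQUE_FIELDS))
    out.update(_slice_fields(repeated, REPEATED_FIELDS))
    return out


def parse_bcbp(text):
    """Parse leg 1 plus the security block. Legs 2+ (a repeat of the per-leg
    mandatory items and their conditional block) are left in 'trailing'."""
    pos, out = 0, {}
    for name, width in MANDATORY:
        val, pos = _take(text, pos, width)
        out[name] = val.strip()
    if out["format_code"] != "M":
        raise ValueError("not an IATA 'M' format boarding pass")
    cond, pos = _take(text, pos, int(out["conditional_size_hex"], 16))
    out.update(_parse_conditional(cond))
    # Security items: '^' marker, 1-char type, 2-char hex length, data.
    # Everything before it is plaintext; the data is a signature over that plaintext
    # that only the issuing airline's key can check, so it is reported, not verified.
    if pos < len(text) and text[pos] == "^":
        sec_type, pos = _take(text, pos + 1, 1)
        sec_len, pos = _take(text, pos, 2)
        sec_data, pos = _take(text, pos, int(sec_len, 16))
        out["security"] = {"type": sec_type, "data": sec_data}
    else:
        out["security"] = None
    out["trailing"] = text[pos:]
    return out


# Constructed sample: 60-char mandatory part, 0x4C-char conditional part, security block.
SAMPLE = (
    "M1DESMARAIS/LUC       EABC123 YULFRAAC 0834 326J001A0025 14C"
    ">5" "18" "0WW6225BAC 0014123456003"                           # version 5, unique items
    "29" "0141234567890" "01" "AC AC " "1234567890123456" " " "20K"  # repeated items
    "ACX01"                                                        # airline use (invented)
    "^1" "0C" "dGVzdC1zaWc="                                       # placeholder, not a real signature
)

if __name__ == "__main__":
    for key, value in parse_bcbp(SAMPLE).items():
        print("%-22s %r" % (key, value))
```

Run against a real pass, the interesting checks are whether `security` is `None` at all (an unsigned pass is trivially forgeable as far as the barcode goes, which is the earlier Mathematica commenter's observation) and how much of the PNR, name and `ff_number` the airline also printed in clear next to the barcode.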


Cynical me wonders if it's like this on purpose for the benefit of law enforcement. But then again, Hanlon's razor...


I think the only purpose that barcode serves is so that the person at the gate doesn't have to strike a line on a printed list.


In what way would it benefit them?


That's like googling your social security number to see if any website is using it. I've done this with range-search however.


Tried it, it was also an ISBN number of some book :)


Since the article doesn't actually say - the barcode is PDF417.


Is this the reason why you need to scan your boarding-card if you buy something in the airport? Is it regulation or are these companies data-mining?

Edit: Apparently it has something to do with VAT: http://www.telegraph.co.uk/travel/travelnews/11794109/The-re...


It's probably not VAT-specific and not necessarily done for the advantage of the retailers. At least, I understand the concept of duty-free stores to be that the retailer doesn't have to collect tax, so they can make the customer's overall price lower, and the customer can dodge import tax by either consuming in the airport or being below tax-free value thresholds. On the other hand, in this article one retailer claims it's a "practical impossibility" to have duty-free prices, so maybe they're all gaming the customer.

And even if they have a tax reason to collect boarding passes, I wonder if they are prohibited from doing their own analytics on it. Apparently merchants can with credit card numbers: https://www.quora.com/Can-businesses-use-credit-card-data-fo...


This just reinforced why I use smartphone boarding passes.


From my own testing on the matter I have found that digital boarding passes just encode the same data in a different barcode format.


I think the concern here is what happens if someone finds your paper boarding pass and scans it.

That's less likely to happen with a boarding pass on your phone.

(though in general, the problem of airlines requiring very little information -- all of which is on the boarding pass -- to be able to access an itinerary and make changes or cancel it is somewhat well-known among frequent flyers)


Fair enough, that makes sense. Thanks for the clarification.


So upon the actual boarding process, is the actual flight reservation checked with the name or is it susceptible to fraud?

I can see how fraud can be prevented with this schema, but I wonder if it's implemented.


That's a little irresponsible on the part of airlines.



