There’s a problem with the way airlines manage passenger information — and Instagram is making it worse. After decades of technological progress, airline’s proof that you are who you say you are still boils down to a single six-digit number, encoded in the barcode on your boarding pass. And because of Instagram (particularly #boardingpass), those bar codes are easy to find.
The vulnerability itself is old news, but a presentation at this year’s Chaos Computer Club reminded the world of exactly how broken the system remains. Onstage, researcher Karsten Nohl pulled a barcode directly off the hashtag, then used it to log into the Lufthansa website as the unlucky traveler. From there, he could see all the traveler’s personal details (including frequent flier number) and reschedule booked flights at will. If an attacker used other tricks to get into the agent side of the system, they could use the same password to get a flier’s credit card number.
The systems are complicated, but the larger takeaway is simple: your boarding pass has a lot of private information coded onto it. You shouldn’t put pictures of it on the internet. That’s true even after the flight itself has taken place, since a lot of personal detail is still extractable.
The good news is, there’s no evidence yet that criminals are exploiting these vulnerabilities at scale — but there’s no reason to wait until they do. Now that phones are allowed to power on during takeoff, maybe just take a picture of that instead?
VIA: Kaspersky Lab