In various FB-feeds I see people posting warnings about not throwing away your boarding pass or showing it to others before you’ve returned home. This all because the barcodes on your boarding pass supposedly contain ‘all your personal information’ which hackers can then steal by scanning.
Sounds scary right, evil hackers having scanning apps and getting your personal information?
Well, there’s nothing scary about bar code scanners, you can download any number of them (Android, iOS). And if you do, you can scan your own boarding pass, just like the ominous hypothetical hacker in the video!
When you do that you realize: there is usually nothing in that barcode, that is not already printed on the boarding pass itself for all to read in clear text. So if you weren’t worried before that the info on your boarding pass might be useful to someone else, the barcode does not change that.
Taking a look at my own boarding passes
Here are two of my recent boarding passes.
Please note that the first boarding pass is an exception: usually the airline keeps the large part, that contains the barcode, when you board. In other cases such as self-printed boarding passes that’s not the case.
I scanned them with my phone, to reveal the information that the barcode contains.
boarding pass, and scanned barcode
As you can see the barcode reveals:
M1ZIJLSTRA/ANTONARNOLDE CDGAMSAF 1640 343Y015F0048 147>1181OO5343BEY 2979690574758 0
You can find the standard used for boarding pass barcodes from the International Air Transport Association (IATA). The UN Agency ICAO has a (2009) version of that bpbc standard (PDF) available online. I have used page 39 for reference.
Let’s compare the contents of the barcode with what is already visible on the boarding pass. The barcode reads:
M: format code
1: 1 leg of my trip is on this boarding pass
ZIJLSTRA>ANTONARNOLD: my name
E: ticket electronically issued
CDGAMS: flight from CDG (Paris Charles de Gaulle) to Amsterdam
AF: Air France
1640: flight number
343: date (Julian calendar), 9 December
Y: Economy class
015F: my seat
0048: my check-in number
1: passenger status
47: Field size of following variable size field
>: beginning of version number
1: version number
18: size of following structured message
1: passenger description
OO5: Source of check-in, source of boarding pass issuance
343: date of issue of boarding pass, 9 December
B: document type (boarding pass)
EY:airline designator for boarding pass issuer
29: field size of following message
79690574758: airline numeric code (7) and document serial number (ticket number)
0: selectee indicator
All of this is also on the boarding pass.
Interestingly some readable information on the boarding pass itself, a reference number (BEG4AP) is not in the barcode. This however is the one piece of info, in combination with my name, that could be used before a flight, e.g. to change seating. So here the boarding pass contains more information than the barcode on it.
Let’s look at another boarding pass, a mobile boarding pass from another part of the same trip, Paris to Belgrade a few days earlier.
Scanning the QR-code reveals
M1ZIJLSTRA/A E6Y933Y CDGBEGJU 0315 338Y014C0002
What is noticable is that it does not give my first name (it does on the boarding pass itself) and it mentions a different airline and flight number (JU 0315) than the boarding pass itself (AF6292). This because it was a code share with JU 0315 the ‘real’ flight carrier and number.
Here the barcode does contain one piece of information that isn’t on the boarding pass: the booking reference 6Y933Y. With it and my name one could change my bookings for the other parts of the trip (such as return flights), before they were made. Both the booking reference and PNR number on the other boarding pass are only useful before flights have taken place. As they are short, 6 positions, they get recycled quickly afterwards.
Other boarding passes I had
I have checked several other boarding passes I had,from various airlines and flights. A lot have the booking reference printed on it (e.g. Easyjet). I noticed that Lufthansa encodes my frequent flier number into the barcode, which is not always on the boarding pass (although often it is, Malaysia Airlines prints my freq flier number on the boarding pass). This too is one piece of information that might be used, in combination with the booking reference or a weak password or PIN-code to log into your frequent flyer account. Much depends on how ‘easy’ your airline makes it for ‘you’, and thus for others. KLM does not encode my frequent flier number as far as I can tell, but usually I don’t add my frequent flier number to my bookings at the point of booking.
In summary, scanning your barcode does not expose ‘all your personal information’, usually just what is printed on your boarding pass already. Sometimes your booking reference is encoded and not on the boarding pass, and sometimes your frequent flier number is encoded and not on the boarding pass, But not always by far, often they are also printed on your boarding pass already.
Booking references can potentially be used to change aspects of your flights, which is a risk if parts of your booking are still in the future (such as return flights). Frequent flier numbers can be used to attempt to login to your profile at the airline, which can be a risk if your account is only guarded with a PIN number or a weak password. The weakness there is in the airline’s website. [UPDATE Sept 2020: See Edward Hasbrouck’s post on the why/what of airline system’s vulnerabilities, and their lack of responsiveness in addressing it.
So throwing away your boarding passes only after your entire trip is generally a good idea. But not because of the barcodes per se, because of the information that is usually already readable on it (reference codes and frequent flier numbers).
Oh and of course if you post a boarding pass somewhere and have made some information invisible, then don’t forget to also make the barcode unscannable as it contains the same information.