Thursday, 22 October 2015

Flying? Tips For A Secure Boarding Pass

Barcodes. QR codes. Little boxes containing so much information, they are used to purchase items, process orders and even check into flights. It’s hard to believe a person would go out of his way to share these little squares of personal data with the world, yet it happens all the time.

Earlier this month Brian Krebs reported on what Cory, a reader, could do with a friend's boarding pass barcode posted on Facebook: "I found a website that could decode the data and instantly had lots of info about his trip. Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. "record key" for the Lufthansa flight he was taking that day). I then proceeded to Lufthansa's website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance."

With the frequent flyer account, Cory was able to not only see, but also modify upcoming flights, which included changing passengers’ seats and canceling flights altogether. Furthermore, he recognized that a quick Facebook search for his friend’s maternal relatives was all he needed to answer the not-so-secure security question “What is your Mother’s maiden name?” in order to reset his friend’s Star Alliance PIN number.

Krebs’ report is a good reminder of the insecurities we tend to overlook and of the need to make small changes in our daily routines in order to enhance our overall security. 

The ensuing news has come up with two solutions to this problem: either shred, burn or eat your boarding passes immediately following a flight or simply refuse to create the evidence that will later need to be destroyed; in other words, use an electronic boarding pass on your phone.

What few reports have mentioned is that, technologically-speaking, simplicity tends to lead to less security instead of more, as is the case with boarding passes. Airports from Brasil to the Netherlands to India entice travelers online with offers of free public Wi-Fi, but fail to mention the great risks that come with connecting. Before you pull out your phone in an airport, know that cybercriminals worldwide take advantage of travelers by creating unofficial Wi-Fi connections they can exploit as well as hacking into already-existing connections.

There are no easy answers when it comes to determining the safest way for you to reach your final destination, but above all else: 
  1. If you choose to use unsecured airport Wi-Fi, protect yourself with a VPN’s secure internet connection.
  2. Be creative—not honestwith your security question answers. See McSweeney’s list of Nihilistic Password Security Questions for inspiration if need be.
  3. And, whatever you do, don’t post your boarding pass to Facebook, no matter how much you want to brag about your travel adventures.
Krebs on Security, vulnerability, barcode, QR code, Inlite
A redacted example of the information contained in a barcode. [Source: Krebs on Security]
SumRando Cybersecurity is a South Africa-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!

No comments:

Post a comment