QR Codes on Boarding Passes

A modern boarding pass (plane ticket) has a QR or Bar Code on it. Quickly scanning that code makes it easy for an airport employee to check you in and get you on your plane. But some people warn about those QR codes and their security.

USA Today and other news stories have been circulating for years, warning of the dangers of discarded boarding passes. Supposedly, hackers could pick up your tossed ticket, scan the QR code themselves, and glean your information. Then that info could be used against you in a scam or money-making scheme.

Basically True, But…

The basic info presented in these stories and articles is true. Most QR and Bar Codes on boarding passes contain your name and other PII, and that information is stored there in an insecure manner. Anyone can zap that code to read it, with the right, freely available tool.

You can test it for yourself, next time you have a boarding pass in hand. There are numerous free QR-Code-Reading apps you can download to your phone. Use one to scan your ticket, to see what lay underneath that strange sigil. Or there are websites that do the same thing: Simply upload a picture and it will regurgitate what’s in the QR code as plain text.

Reader’s Digest has reported on this. Kim Komando, as well. Krebs on Security did way back in 2015. That’s makes this a big deal, right?

Not That Big of a Deal

Nah. I can agree this is worth discussing, but I don’t think it’s worth the hype and paranoia that the news media would have you adopt.

First, the QR codes often contain the same info that is printed in plain English on your ticket. There’s a chance of other info, like your seating preference or your frequent flier number, being stored in the code. But there won’t be anything super-secret, like your account password or bank account, in there.

Next, while the potential for information abuse is there, it hasn’t become widespread. Notice that as you watch or read these news items, they report on what could happen, what hackers might do with your boarding pass. The reporting is largely hypothetical. That’s because the hackers are going after lower-hanging fruit. There are easier ways for scammers to target their victims than picking up trash and boot-strapping into one person’s accounts and identity.

You should still treat your boarding pass as a sensitive document. Like a utility bill or library card, you should store your boarding pass safely or shred it when you are done with it. You shouldn’t be careless with any document that reveals information about your identity. Don’t tempt fate. That said, this risk with boarding passes is low, and the news media are largely stirring the pot and cashing in on the attention economy.

Leave a Comment