What that barcode on your boarding pass reveals about you

What that barcode on your boarding pass reveals about you

About to snap a photo of your airline boarding pass and share it on Facebook, Twitter or Instagram?

Don't be so hasty, at least not if you value your privacy. That slip of paper – or more correctly, the innocuous barcode on it – can reveal a wealth of information about you.

Freely-available software lets anybody 'decode' the barcode from a photo and extract this data, as Australian Business Traveller contributor Shaun Ewing reveals.

What's hidden in your boarding pass barcode?

Here's what a 'barcode decoder' app found from the barcode on a web check-in document from one of my Qantas flights.

M1EWING/SHAUN MR       1A11A1 BNESYDQF 551  107Y26J 37    00

That information translates to:

  • M1: Format code ‘M’ and 1 leg on the boarding pass.
  • EWING/SHAUN MR: My name.
  • 1A11A1: My booking reference.
  • BNESYDQF: Flying from BNE (Brisbane) to SYD (Sydney) on QF (Qantas).
  • 551: Flight number 551.
  • 107: The 'Julian' date, In this case 107 is April 17.
  • Y: Class of service: economy in this case. Others include F (first) and J (business).
  • 26J: My seat.
  • 37: My sequence number. In this case I was the 37th person to check-in.
  • 00: The field size of an airline-specific data message ('00' as there isn’t any message).

That's the minimum amount of data.

The next step was to try a real boarding pass issued at the airport, this time from Australian Business Traveller journalist Chris Chamberlin.

M1CHAMBERLIN/CHRISTOPHE7LFYZH BKKBNETG 0473

202C019A0153     37F>532      0      B          2A        0 UA

ABC12345         2319

There’s more information in this boarding pass barcode, which is as follows:

  • M1: Format code ‘M’ and 1 leg on the boarding pass.
  • CHAMBERLIN/CHRISTOPHE: The passenger’s (truncated) name.
  • 7LFYZH: Electronic ticket indicator and the booking reference.
  • BKKBNETG: Flying from BKK (Bangkok) to BNE (Brisbane) on TG (Thai Airways).
  • 0473: Flight number 473.
  • 202: The Julian date. In this case 202 is July 21.
  • C: Cabin of service – business class in this case as Thai Airways uses 'C' instead of the usual 'J' for business class. Others include F (first) and Y (economy).
  • 019A: The seat number.
  • 0153: The sequence number. In this case the passenger was the 153rd person to check-in.
  • 3: The “passenger status”.
  • 7F: There is a various size field. This is the size
  • >: Beginning of the version number
  • 5: The version number.
  • 32: Field size of another variable field.
  • 0: The check-in source.
  • B: Airline designator of boarding pass issuer.
  • 2: Another variable size field.
  • A: Airline code.
  • 0: International document verification. ’0′ as I presume it's not applicable.
  • UA: The airline the frequent flyer account is with.
  • ABC12345: The frequent flyer number. (The barcode shown above has been modified to remove the number).
  • 2319: Airline-specific data, which in this case matches the boarding time.

What could you do with that information?

Most of the information contained within the boarding pass is fairly mundane, although the booking reference could be used by someone to manipulate your booking (if you have more flights to go), access your contact information or even to see your passport details if they’ve been entered into the APIS system.

The main point to this exercise is this: if you’re going to post a photo of your boarding pass online and use Photoshop to remove your name, you should also remove the barcode.

I would also recommend not leaving your boarding pass on the aircraft when you disembark.

Who is Eddy Chiu?

Qantas have an example boarding pass on their website for “FYSH/WILLIAM MR” – a name frequently seen on the sample Qantas cards and other literature:

William Hudson Fysh was one of the founders of Qantas, but intriguingly the barcode on this boarding pass doesn’t match up with the details, and instead shows:

M1CHIU/EDDY MR         3XQ2QK SYDCBRQF 807  155Y22A 15    00

While Mr Chiu is on the same flight as on the boarding pass, he is not sitting in the same seat as Mr Fysh yet shares the same sequence number.

I suspect this is an 'Easter egg' or calling card from a developer!

Follow Australian Business Traveller on Twitter: we're @AusBT

Shaun Ewing

Shaun Ewing (swewing)

A 'cloud computing' engineer by day and an aficionado of good food and wine on a 24x7 basis, Shaun's travel habits earned him the nickname "Mr Business Class" from his colleagues. Of course, they're all just jealous.
 

10 Comments

  • eminere

    eminere

    16 Jan, 2015 10:02 am

    Fascinating reading and great advice.

    No member give thanks

  • Stephen Gillies

    Stephen Gillies

    16 Jan, 2015 10:03 am

    Actually even worse than that, some airlines print your passport number on the boarding pass. This seems totally crazy to me, and perhaps without the expiry date is not a primary identifier, but it's still a really poor security choice. Air New Zealand is such an airline, and I've often found boarding passes in the seat pocket of the previous traveller. 

    No member give thanks

  • eight10man

    eight10man

    16 Jan, 2015 12:34 pm

    Cool!

    So could the reverse also be true: could someone come up with their own new barcode and use it to gain entry to flights they aren't booked on, or something worse? Or won't that work as it'll be cross checked with the database..??

    No member give thanks

  • watson374

    watson374

    16 Jan, 2015 06:11 pm

    In theory you might be able to do it, but in practice I'm not sure about the cross-checking with the database. There is a precedent for ticket manipulation in Australia, though.

    Way back in 1997 it was discovered that government ferry employees at Manly Wharf were manipulating the system to produce valid tickets for sale that could be used by passengers but which were not recorded as sales.

    The fact that parallel tickets could be created and sold without being recorded meant that employees could print and sell valid tickets to passengers but keep the ticket revenue entirely for themselves (or alternatively create tickets for free for friends and family). It was discovered that the five employees responsible had effectively misappropriated up to $200,000 of government ferry funds.

    It was only discovered and reported to ICAC after there was an unusual spike in refund claims, leading to investigation of the computerised records. It was noted that nobody actually understood how the system worked, hence how the practice went unnoticed for so long.

    Obviously, this was considered dishonest conduct and the employees were found to be corrupt.

    No member give thanks

  • gippsflyer

    gippsflyer

    16 Jan, 2015 10:01 pm

    Cracker, and a revealing anecdote about reoccurring tropes in governmental administration.

    No member give thanks

  • TheRealBabushka

    TheRealBabushka

    16 Jan, 2015 02:26 pm

    Thank you Shaun! Very very interesting!

    No member give thanks

  • Serg

    Serg

    16 Jan, 2015 09:10 pm

    There are far easier ways to steal info about you than searching abandoned boarding passes in pockets of front seats.

    No member give thanks

  • gippsflyer

    gippsflyer

    16 Jan, 2015 10:03 pm

    Enlightening and entertaining Shaun :-)

    No member give thanks

  • Rishi Kataria

    Rishi Kataria

    17 Jan, 2015 01:43 pm

    Please help, I can't find a Boarding Pass decoder. I tried mostly everything on the App Store, please help me, many thanks!

    - Rishi

    Member who gave thanks

    Ads1969

  • Andrew Barkery

    Andrew Barkery

    21 Jan, 2015 12:10 pm

    Rishi, maybe not on the Appstore, but I am sure of our "African friends" who regularly offer to send us fake/doctored cheques/checks/money orders etc, can get one for you.

    They (the Africans) seem to/can even print QR codes.

    No member give thanks

Guest

6 Dec, 2016 01:31 am

×
×

Forgot Password

If you’ve forgotten your password, simply enter your email address below, then click 'Submit'. We’ll send you an email to re-activate your account and enter a new password.

×