I love to travel. Travelling comes in all forms, but as of late, I have been flying back and forth from my country of Singapore to New Zealand where I am currently studying. Checking in at airport counters have become a routine for me and long queues are the norm.
However, more airlines have been implementing self check-in counters to speed up the process. One such seamless experience that I have encountered was when I purchased a ticket from Grabaseat to fly back to Auckland from Queenstown. In the Air New Zealand app, one will be issued an online boarding pass upon inserting their booking reference and family name. This online boarding pass includes a generated QR Code that can be scanned at any self service check-in kiosk in the airport; which in turn issues you a physical copy of your boarding passes as well as your bag tags.
The whole affair is fast and easy, but it occured to me that this convenience comes at a security cost: The QR Code itself
The QR Code (Quick Response Code) was first conceived by two Japanese engineers who were dealing with the limitations of barcodes which are only capable of holding 20 alphanumeric characters. The current version of the QR Code is capable of holding up to 4,296 alphanumeric characters. The operational basis of the QR code is the same as the barcode but with the added benefits of additional information storage space and the ease of scanning regardless of the scanner’s orientation.
First implemented for industrial uses, the QR Code has since proliferated to the consumer market due to the ease of acquiring a scanner (any mobile devices with a camera and the appropriate app). The most common commercial uses of QR Code are:
- URL redirection services (e.g. Mercedes, Ralph Lauren)
- Payment information exchange (e.g. Paypal, Bitcoin)
- Electronic boarding passes
The security issues of using the QR Code for the boarding pass comes in several forms.
First off, the myriad of information stored on the QR Code of the boarding pass can be easily decoded. This can be done easily with a visual copy of the QR Code and a compatible scanner. This means that the personal information on a person’s boarding pass can be acquired and abused by unscrupulous individuals or groups.
“Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account,” Brian Krebs
The next issue with QR codes is the lack of encryption. QR Codes that are utilised in commercial purposes are made to be easily accessible to the end user. Encrypted QR Codes (EQR) are available for use but it has not seen widespread use as the basic QR Code suffice in most commercial scenarios due to the simplistic nature of its application.
In addition, humans are unable to visually identify the QR Code. QR Codes are indiscernible to the human eye due to their complex design. Any identity thief can assume the characteristics of their target, check-in and board a plane without the staff detecting if anything is amiss.
Given the mentioned risks, a worst case scenario might look like this:
Person A is going to an overseas holiday that was planned months ago. In his/her excitement, A decided to take a photo of their boarding pass and put it on Instagram to share the news. Person B happened to come across the photo and decided to scan the QR codes shown and steal the identity of B. Person B. With the personal information of A acquired, B abuses it for monetary gains at the expense of A and gets away with it. The happy holiday turns out to be a total nightmare for A by becoming a victim of identity theft.
There are two measures to prevent the boarding pass QR Code from being abused. The most important method is to not take any photos of your own boarding pass that displays the QR Code and put it online. Without a visual reference, no personal information can be gleaned by any means possible. The other method requires the airline industry to start implementing security features like EQRs and additional two-factor verification to ensure the security of the passenger’s personal details while maintaining the convenience of using the QR code.
Through the constant vigilance on the part of both the airline industry and individuals, checking in and flying can be made into a more efficient and safe experience.
