A boarding pass is a document provided by an airline during checkin, giving a passenger permission to enter the restricted area of an airport and to board
the airplane for a particular flight. At a minimum, it identifies the
passenger, the flight number, and the date and scheduled time for
departure. In some cases, flyers can check in online and print the
boarding passes themselves. A boarding pass may be required for a
passenger to enter a secure area of an airport. Most airports and airlines have automatic readers that will verify the validity of the boarding pass at the boarding gate. This also automatically updates the airline's
database that shows the passenger has boarded and the seat is used, and
that the checked baggage for that passenger may stay aboard. This speeds
up the paperwork process at the gate, but requires passengers with
paper tickets to check in, surrender the ticket, and receive the
digitized boarding pass. Source- https://en.wikipedia.org/wiki/Boarding_pass
According to “Krebs on Security” there is personal information encrypted
on your boarding pass. After someone took a screen shot of the bar code
on the ticket, you will be amazed of how much personal information that
person can get about you: home address, banking info, email address,
phone number. Source- https://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
QR Code:
QR code or Quick Response code is a matrix bar code
which can be read by an imaging device for example camera and then processed to read its
data. The QR code is simply an array of bits to be identified by a scanner.
Bits are reserved for the scanner to be able to identify and orient the image,
as well as for version and format information. QR codes are really useful and
help us to complete tasks faster in smartphones. You can quickly open a website
just by scanning a QR code and you do not need to manually type the URL in your
smartphone.
QR code has been successfully implemented in the global
payments industry, as well. Because it is easy to generate a QR code, the
system offers convenience to businesses and consumers, alike. It can be printed
on business cards, points of sale, and product labels which customers can
simply scan to pay for a product or service.
With the increase in usage of QR codes in the general
public, it is necessary to ensure that the data conveyed through the QR code is
not harmful to the user. There are currently two major attack vectors for
potential vulnerabilities: attacks on human interactions and automated attacks.
Attacks on human interactions:
Attacks on human interactions rely on the fact that
humans by themselves are unable to interpret what information is encoded in QR
codes, and thus rely on QR code readers to decode the information. Since the
information in the QR code is completely obfuscated, it is possible to trick
and attack users via phishing, pharming, and other social engineering attacks
by putting up fake QR codes. It is also possible to attack users by
manipulating and exploiting existing QR code readers that users use via command
injection or buffer overflows.
Phishing:
Phishing is the main security issue involved with QR
codes. It is also described as QRishing. QR codes are generally scanned by a
smartphone camera to visit a website. Now, many website advertisements put QR
code along with a URL so users can quickly scan QR code to visit the website.
Hackers or scammers try to change the QR code added in
the poster. They can also print the similar kind of fake posters and put in
public places.
Innocent customers will scan these fake QR codes to visit
the websites but they will be redirected to phishing websites. In mobile
devices, it is hard to check the full address in the browsers. Due to limited
space, browsers do not show the full address in the URL field. And most people
never try to check the full address, which makes users more vulnerable. When
they use this phishing page to login, their passwords are compromised.
In the same way, attackers can use QR codes to point to
malicious websites to distribute malware via drive by download attack. Drive by
download attacks are attacks in which a website forcefully downloads software
in your device when you visit the website.
Automated attacks:
Automated attacks often result from the assumption that
the encoded information in QR codes is sanitized. However, it is known that QR
codes themselves can easily be manipulated in order to change encoded
information, potentially producing attacks on backend software. Without QR code
input sanitation, it is possible to produce attacks such as SQL injection,
command injection, and fraud.
Best practices for Users:
QRishing & Drive by download attacks can be prevented
by following the below mentioned best practices.
Observe before Use:
If you find a QR code in any banner advertisement in a
public place, look at it closely. Most of the times, hackers stick their fake
QR code above the legitimate QR code in a legitimate poster. So try to see if
it is real or not. One can check by touching the poster. If it does not look
like it’s actually printed on the
poster, do not use it. If you are not sure, never scan that QR code.
Never provide personal or login information:
Always be suspicious of the page you land on via QR code.
Never share your personal information on these pages. Only do this if the QR
code is from a very trusted source and you trust the website. For login, always
enter the URL manually on the browser’s
address bar.
Look at URL before Clicking:
Looking at the QR code does not confirm whether it is
malicious or not.
Some QR Code readers let you see the URL and ask to
confirm whether you want to visit the URL before it links you to the
destination. You can use these QR code scanners to know what URL the QR code
will send you. Just remember that many QR Codes use shortened URLs so this
strategy won't always work.
Best practices for Merchants
- Include signage telling the user what
the code does. Otherwise the user has no way of knowing if the code should point to a URL,
phone number, or SMS.
- Print the URL near to the code. This
way if the code is hijacked and pointed to evil website
the user can see they're not visiting the correct site.
- Include https in the URL. Get users
used to checking for https before they interact with you.
- Every time you put out a QR code in a
public area, you should know where it is. If a code is on a billboard, on a
storefront, or anywhere else it can be accessed by the public, it could be at
risk. You will know your code is working correctly when you see
"normal" traffic through it. If the traffic suddenly stops, ensure
that the code is still there and hasn't been tampered with.
- Distinctive, branded QR codes with
special colours or other design features are far more likely to get attention, and it
will help people to know that they are dealing with a legitimate link to your
brand and not a counterfeit code. It will be much more difficult for a hacker
to simulate a highly designed and colourful code than a plain one.
Source-
https://courses.csail.mit.edu/6.857/2014/files/12-peng-sanabria-wu-zhu-qr-codes.pdf