Barcode Metadata & Privacy
What is the risk really?
A presentation on scanners that can pull data from barcodes and QR code types
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI Presented 18 Jan 2017 - ISSA Colorado Springs Chapter
Agenda
• Types of Barcodes
• Types of Images
• Boarding Passes
• Scanners (online)
• Analysis
• Other Card & Data Sources
• Mobile Application Scanners
• Findings and Determinations
• References & Questions
Types of Bar Codes
• There are lots of different bar codes.
  – Some bar codes are numeric only (e.g. UPC, EAN, GS1 DataBar, ITF Interleaved 2 of 5).
  – Some bar codes are fixed length (e.g. UPC-A is 12 digits, UPC-E is 6 digits, EAN-13 is 13 digits, EAN-8 is 8 digits, and GS1 DataBar is 14 digits).
  – Some bar codes can have numbers and alphabetic characters (e.g. Code 93, Code 128, and Code 39).
  – One bar code, Code 128, allows you to encode all 128 ASCII characters.
  – 2D bar codes allow you to encode a lot of data into a small space (PDF417, Data Matrix, QR, and MaxiCode).
NOTE: Many readers have to comply with their customer's or industry's bar coding specifications; no choice is possible, just compliance. Look at the following samples of printed bar codes:
http://www.barcodehq.com/primer.html
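The "numeric only" and "fixed length" properties above are exactly what a scanning application should enforce before it trusts a read. The validator below is an added example, not code from the presentation or from the primer it links to; it classifies a decoded string by the lengths the slide gives and, going one step beyond the slide, verifies the GS1 modulo-10 check digit that UPC-A, EAN-13, EAN-8 and 14-digit GS1 DataBar (GTIN-14) all carry. UPC-E is left out because its check digit is computed from the expanded UPC-A form. The sample reads are constructed.

```python
"""Validate the numeric, fixed-length retail barcodes named on the slide.

Added example, not from the presentation. Lengths follow the slide; the
check-digit rule is the standard GS1 modulo-10 weighting (weights 3,1,3,1,...
counted from the rightmost data digit), which every GTIN length shares.
"""

# Symbology name keyed by total length in digits, check digit included.
GTIN_LENGTHS = {8: "EAN-8", 12: "UPC-A", 13: "EAN-13", 14: "GTIN-14 (GS1 DataBar)"}


def gs1_check_digit(payload: str) -> int:
    """Compute the GS1 modulo-10 check digit for the data digits (check digit excluded)."""
    if not payload.isdigit():
        raise ValueError("GS1 check digit is defined only for decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        weight = 3 if i % 2 == 0 else 1  # rightmost data digit gets weight 3
        total += int(ch) * weight
    return (10 - total % 10) % 10


def validate_gtin(code: str) -> dict:
    """Classify a scanned numeric string by length and verify its check digit.

    Returns the symbology guess, a validity flag and a reason on failure, so a
    scanning application can reject bad reads instead of storing them.
    """
    code = code.strip()
    if not code.isdigit():
        return {"symbology": None, "valid": False, "reason": "non-numeric characters present"}
    symbology = GTIN_LENGTHS.get(len(code))
    if symbology is None:
        return {"symbology": None, "valid": False,
                "reason": f"length {len(code)} matches no fixed-length GS1 symbology"}
    expected = gs1_check_digit(code[:-1])
    actual = int(code[-1])
    if expected != actual:
        return {"symbology": symbology, "valid": False,
                "reason": f"check digit {actual} != expected {expected}"}
    return {"symbology": symbology, "valid": True, "reason": ""}


if __name__ == "__main__":
    # Constructed sample reads: three valid codes, one corrupted last digit,
    # and one read that is not numeric at all.
    for sample in ["036000291452", "4006381333931", "96385074", "036000291453", "12AB"]:
        print(sample, validate_gtin(sample))
```

Rejecting a read whose check digit fails is cheap insurance: a single misread digit on a fixed-length numeric code is otherwise indistinguishable from a genuine one.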
Types of Images
PDF417
PDF417 is a stacked linear barcode symbol format used in a variety of applications, primarily transport, identification cards, and inventory management. PDF stands for Portable Data File. The 417 signifies that each pattern in the code consists of 4 bars and spaces, and that each pattern is 17 units long. The PDF417 symbology was invented by Dr. Ynjiun P. Wang at Symbol Technologies in 1991 (Wang 1993). It is defined by ISO standard 15438.
PDF417 is one of the formats (along with Data Matrix) that can be used to print postage accepted by the United States Postal Service. PDF417 is also selected by the airline industry's Bar Coded Boarding Pass standard (BCBP) as the 2D bar code symbology for paper boarding passes. PDF417 is the standard selected by the Department of Homeland Security as the machine readable zone technology for RealID compliant driver licenses and state issued identification cards. It is also used by FedEx on package labels.
https://en.wikipedia.org/wiki/PDF417
PDF417 is a multi-row, variable-length symbology with high data capacity and error-correction capability. PDF417 offers some unique features which make it a widely used 2D symbology. A PDF417 symbol can be read by linear scanners, laser scanners or two-dimensional scanners. PDF417 is capable of encoding more than 1100 bytes, 1800 text characters or 2710 digits. Large data files can be encoded into a series of linked PDF417 symbols using a standard methodology referred to as Macro PDF417.
Hundreds of images of boarding passes for airline flights (Google)
Scanners
“Inlite's Barcode scanner software is the best barcode recognition solution for your product, Web Site or IT department.”
They sell technology that extracts data from driver's licenses and other forms of government issued IDs and can produce much more detailed information from it.
Scanners
“Enable your Windows application or Web Service to read barcodes from any image file, database, mobile phone camera, scanner or fax.”
Scanners
http://zxing.org/w/decode.jspx
Can retrieve date of travel, record locator, seat number, name of traveler, flight number.
Scanned a membership card which revealed my membership number. The scanner also provided the details regarding the barcode type and parameter data.
Mobile device scanners on iTunes & Android
Findings & Determinations
The data printed on a boarding pass is mostly the same as the data stored in its barcode or QR code, which may include:
• Traveler Name – First & Last
• Record Locator & Confirmation information
• Flight Information (flight number, date of travel & seat number)
• Frequent flyer miles and rewards status (silver, gold, platinum)
What data is not stored on boarding passes in the barcodes or QR codes:
• Address
• Credit Card information
• Contact information (email, telephone, etc.)
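The fields listed above, and the ones the online scanner pulled from the boarding pass earlier (date of travel, record locator, seat, name, flight), are laid out as fixed-width fields in the IATA Bar Coded Boarding Pass (BCBP) "M" format that the PDF417 or QR code on the pass carries. The parser below is an added example, not code from the presentation or from any scanner it shows. The field widths are the mandatory BCBP items as I know them (an assumption; verify against the current IATA Resolution 792 text), the barcode carries only a day-of-year so the year is supplied by the caller, both sample strings are constructed and name no real passenger, and the `redact` helper is my own suggestion for what a scanning application should be allowed to write to its logs.

```python
"""Decode an IATA BCBP 'M'-format boarding-pass string and redact it for logging.

Added example, not from the presentation. Field widths are the mandatory
items of the BCBP 'M' format as I know them (assumption: verify against the
current IATA Resolution 792 text). The barcode carries only a day-of-year,
so the caller supplies the year.
"""
from datetime import date, timedelta

# (field name, width in characters) for the items that appear once per pass...
UNIQUE_ITEMS = [("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1)]
# ...and for the items repeated for every flight leg.
LEG_ITEMS = [("pnr", 7), ("from", 3), ("to", 3), ("carrier", 3), ("flight", 5),
             ("day_of_year", 3), ("compartment", 1), ("seat", 4),
             ("checkin_seq", 5), ("status", 1), ("var_size_hex", 2)]


def _read_fields(s, pos, layout):
    """Slice fixed-width fields starting at pos; fail loudly on a truncated read."""
    out = {}
    for name, width in layout:
        if pos + width > len(s):
            raise ValueError(f"barcode data truncated before field {name!r}")
        out[name] = s[pos:pos + width].strip()
        pos += width
    return out, pos


def parse_bcbp(s, year):
    """Return the passenger name, e-ticket flag and a list of per-leg dicts."""
    head, pos = _read_fields(s, 0, UNIQUE_ITEMS)
    if head["format_code"] != "M":
        raise ValueError("not an IATA BCBP 'M' format string")
    legs = []
    for _ in range(int(head["legs"])):
        leg, pos = _read_fields(s, pos, LEG_ITEMS)
        # The variable-size block holds conditional and airline-specific items;
        # its length is a two-digit hex number. It is skipped here.
        pos += int(leg.pop("var_size_hex") or "0", 16)
        leg["date"] = date(year, 1, 1) + timedelta(days=int(leg["day_of_year"]) - 1)
        leg["seat"] = leg["seat"].lstrip("0") or "0"  # "001A" -> "1A"
        legs.append(leg)
    return {"passenger_name": head["passenger_name"],
            "eticket": head["eticket"] == "E", "legs": legs}


def redact(record):
    """Copy of a parsed record that is safe for application logs: operational
    fields stay, direct identifiers (name, PNR, check-in sequence) are masked."""
    surname, _, given = record["passenger_name"].partition("/")
    safe = dict(record, passenger_name=f"{surname[:1]}***/{given[:1]}***")
    safe["legs"] = [dict(leg, pnr="***" + leg["pnr"][-2:], checkin_seq="***")
                    for leg in record["legs"]]
    return safe


# Constructed samples (no real passengers), built field by field so widths are right.
SAMPLE_ONE_LEG = ("M1" + "DESMARAIS/LUC".ljust(20) + "E"
                  + "ABC123".ljust(7) + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5)
                  + "326" + "J" + "001A" + "0025".ljust(5) + "1" + "00")
SAMPLE_TWO_LEGS = ("M2" + "DOE/JANE".ljust(20) + "E"
                   + "XYZ789".ljust(7) + "DEN" + "ORD" + "UA".ljust(3) + "1234".ljust(5)
                   + "018" + "Y" + "012C" + "0042".ljust(5) + "3" + "04" + "ZZZZ"
                   + "XYZ789".ljust(7) + "ORD" + "BOS" + "UA".ljust(3) + "0567".ljust(5)
                   + "018" + "Y" + "022F" + "0007".ljust(5) + "3" + "00")

if __name__ == "__main__":
    for sample in (SAMPLE_ONE_LEG, SAMPLE_TWO_LEGS):
        rec = parse_bcbp(sample, 2017)
        print("decoded :", rec)
        print("loggable:", redact(rec))
```

Two points worth noticing: there is no integrity protection on the mandatory fields, so a reader can only trust them as far as it trusts the paper, and the parser refuses truncated input rather than guessing, because a partial read that still yields a plausible name and PNR is worse than no read.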
Findings & Determinations
Data stored on other card or name tag types can be more concerning. Examples:
• I scanned the QR Code on several conference name tags that I had to register for and found that all of the information I provided when I registered on the site could be retrieved using one of the scanners shown previously. This included:
  – Name (preferred name)
  – Address
  – Phone Number (if provided upon registration)
  – Email contact
  – Company information
• Data retrieved from membership cards did not include any data that was not presented in plain text on the card (i.e. membership number).
Findings & Determinations
Data can be used by an adversary to identify and collect additional information that could be used to target the victim in the future.
• Used social media & open source tools to track down one person in the U.S. & retrieved:
  – Address
  – Phone Numbers
  – Email contact
  – Spouse, children and friends' names & social profiles
  – Employer information
  – Property records & home purchase information
  – Gained knowledge of hobbies, favorite sports teams and political & religious affiliations
QR Codes may be distributed by malicious actors and link to sites that contain malware!
• As with normal phishing methods, don’t open links or attachments from people you don’t know.
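The phishing advice above applies to a scanner app as much as to a mail client: the app should show the user what kind of payload a QR code holds and flag suspicious links instead of opening them automatically. The triage below is an added example, not code from the presentation or from any scanner it names. The payload classes, the indicator checks and the `SHORTENERS` sample list are my own choices, and the sample payloads are constructed (the IP address is from the RFC 5737 documentation range).

```python
"""Triage a decoded QR-code payload before anyone acts on it.

Added example, not from the presentation or any scanner it names. The payload
classes, indicator checks and the SHORTENERS sample list are my own choices;
the sample payloads under __main__ are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Sample list only; a real deployment would use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def classify_payload(text):
    """Coarse payload class: wifi / vcard / url / other-uri / text."""
    low = text.strip().lower()
    if low.startswith("wifi:"):
        return "wifi"
    if low.startswith("begin:vcard"):
        return "vcard"
    if low.startswith(("http://", "https://")):
        return "url"
    if URI_SCHEME.match(low):
        return "other-uri"  # tel:, sms:, data:, intent: and similar
    return "text"


def triage_url(url):
    """Return host, scheme and a list of indicators that merit a human look."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        findings.append("userinfo-in-authority")  # "trusted.example@real-host" lookalike
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if host in SHORTENERS:
        findings.append("url-shortener")  # destination is hidden from the user
    try:
        if parts.port not in (None, 80, 443):
            findings.append("non-standard-port")
    except ValueError:
        findings.append("malformed-port")
    if len(url) > 512:
        findings.append("very-long-url")
    return {"host": host, "scheme": parts.scheme, "findings": findings,
            "verdict": "review" if findings else "ok"}


def triage(payload):
    """Classify a payload and, for web links, attach the URL indicators."""
    kind = classify_payload(payload)
    if kind == "url":
        return {"kind": kind, **triage_url(payload.strip())}
    if kind == "other-uri":
        # Non-web schemes can dial numbers, send SMS or hand off to apps; never auto-open.
        return {"kind": kind, "findings": ["non-web-uri"], "verdict": "review"}
    return {"kind": kind, "findings": [], "verdict": "ok"}


if __name__ == "__main__":
    samples = [
        "https://www.example.com/menu",
        "http://bit.ly/abc123",
        "https://login.example.com@203.0.113.5/account",
        "tel:+15555550100",
        "WIFI:T:WPA;S:cafe;P:secret;;",
        "Welcome to the conference",
    ]
    for s in samples:
        print(s, "->", triage(s))
```

A "review" verdict is a prompt to show the user the real host and scheme before proceeding; it is not a malware detection, and a clean verdict only means none of these coarse indicators fired.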
References
What’s in a Boarding Pass Barcode? A Lot
https://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
PDF417 Fontware & Writer SDK 4.1 User Manual
http://www.morovia.com/manuals/PDF417-Font-ware-Writer-SDK-4/chapter.overview.php
The hidden data on a boarding pass
http://www.economist.com/blogs/gulliver/2015/10/security-check
Why You Should Eat Your Airplane Boarding Pass Once You Take Your Seat
http://www.slate.com/blogs/future_tense/2015/10/08/barcodes_and_qr_codes_on_airplane_boarding_passes_are_easy_to_hack.html
What’s contained in a boarding pass barcode?
https://shaun.net/whats-contained-in-a-boarding-pass-barcode/
Airlines Complete Move to Bar-Coded Boarding Passes
http://www.iata.org/pressroom/pr/Pages/2010-12-15-01.aspx
You don’t need to tear up your boarding pass and eat it after you fly
http://fusion.net/story/214993/boarding-pass-barcode-privacy-scare/
Privacy Impact Assessment for the Boarding Pass Scanning System
https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_bpss.pdf
Staying Three Beeps ahead of TSA PreCheck
https://www.travelcodex.com/2013/01/staying-three-beeps-ahead-of-tsa-precheck/
A Bar Code Primer, ©1997-2015 Worth Data
http://www.barcodehq.com/primer.html
Questions?
