Aztec Barcodes and Aviation Security

A week ago I wrote TSA’s 25,000 Security Lapses & How They Can Be Reduced and referenced the use of Aztec barcodes as a security feature stating “TSA has not worked with airlines to implement these impossible to forge barcodes.”


I received a few comments and emails stating Aztec barcodes could be forged.  Some readers sent me Aztec bar codes containing links to Flying With Fish, or messages stating that Aztec bar codes can be forged … such as this QR barcode:

While an Aztec barcode can be created to link to any website, graphic or nearly anything else online, what those commenting on Aztec barcodes are missing is the security procedures that need to be universally established, and implemented by an organization such as IATA, to make it virtually foolproof.

The Transportation Security Administration (TSA) and airlines have long struggled with boarding pass verification. The TSA seeks to implement boarding pass verification for passenger identification and security, while airlines seek options for passengers’ identification for the purposes of revenue protection. Presently nearly all paper boarding passes have a standard 2D Bar Coded Boarding Pass (BCBP) that has been implemented as part of IATA’s Simplifying The Business Program, and all mobile boarding passes utilize Aztec Code, also as part of IATA’s BCBP standardization program. With these standards in place, what is not in place is this …


… the Aztec or BCBP barcodes linking to a ‘live site.’ Some of these features are in place with mobile boarding passes: a TSA Travel Document Checker scans the mobile boarding pass and the passenger’s name and flight information come up from the airline, which is secure unless the system is hacked … but this security feature is presently limited to mobile boarding passes only. This security limitation, and a frequently relaxed attitude that results in incorrect identification matching, leads to security lapses that should not occur.


Can someone create an Aztec barcode that links to a fake website? Yes, but if the scanner is only allowed to accept Aztec barcodes leading to a secure site, any forged barcode leading elsewhere simply won’t scan.
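As an added illustration (not code from this post or from any TSA or airline system), the check described above could look like this: the scanner accepts only payloads that resolve to an allowlisted host, then returns the airline's live record so the name can be compared with the ID. The host name, token format and records are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hypothetical verification host the scanner is allowed to contact.
TRUSTED_HOSTS = {"verify.airline.example"}

# Constructed stand-in for the airline's live records, keyed by barcode token.
LIVE_RECORDS = {
    "tok-7f3a": {"name": "JANE ROE", "flight": "XX123", "date": "2011-06-01"},
}

def parse_barcode_url(payload):
    """Return the lookup token if the payload targets a trusted host, else None."""
    try:
        parts = urlsplit(payload.strip())
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None
    if parts.scheme != "https" or host is None:
        return None
    if parts.username or parts.password:       # trusted.example@other.example
        return None
    if port not in (None, 443):
        return None
    if host.rstrip(".") not in TRUSTED_HOSTS:  # exact match, no suffix tricks
        return None
    return parts.path.rsplit("/", 1)[-1] or None

def normalize(name):
    """Case- and whitespace-insensitive form for comparing names."""
    return " ".join(name.upper().split())

def check_pass(payload, id_name, today):
    """Decide on a scanned pass using the live record, not the printed text."""
    token = parse_barcode_url(payload)
    if token is None:
        return "REJECT: untrusted barcode target"
    record = LIVE_RECORDS.get(token)
    if record is None or record["date"] != today:
        return "REJECT: no live booking for today"
    if normalize(record["name"]) != normalize(id_name):
        return "REJECT: booking belongs to a different passenger"
    return "ACCEPT: " + record["flight"]
```

The decision depends on the name in the airline's record matching the ID, so a pass is not accepted merely because the barcode resolves to some valid booking.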


Is any network hack proof? No, not yet, but breaking into a network and inserting fake flight information is considerably more difficult than simply generating a fake Aztec barcode.


Happy Flying!


  1. Yes, but if I want to get through security, I’d generate the Aztec code that looks up someone else’s boarding pass.

    For example, my name is Jack. I’m not flying today, but I want to go through security with a fake boarding pass. I’ll put an Aztec code on it that looks up another passenger’s information, but has my own name on the pass itself. Those scanners at the airport (at least the ones that I have seen) just flash a green light if all is well.

    So, when I go through with the name “Jack” on my pass, and they check that against my ID, which works out, then scan my pass, it’ll turn green. Why? Because the Aztec code pointed to some other passenger’s legit info.

    They are fighting a losing battle when it comes to checking identification, and it is costing the taxpayers countless amounts of money. The worst part about it, though, is that it isn’t a security matter, it’s a revenue protection matter for the airline and they are asking the taxpayers to fund the people to run it.

  2. Jack,

    Your theory doesn’t work. You’d need to hack into a secure network, find the name of another Jack Doyle, gain access to their Aztec barcode, then board the same flight they are boarding.

    Say you get into the network, you manage to somehow duplicate the Aztec barcode for someone with the same name as you … what do you do when you both check in for the flight and it shows who the ‘real’ Jack Doyle is? Oh … you go to jail.

    Happy Flying!


  3. Fish,

    The scanner at the airports (at least the ones I’ve been to) where the TDC checks the barcode, only shows a green light if it is validated. It doesn’t tell them who the passenger is.

    Therefore, the other person doesn’t need to have the same name as me. Only a flight on the same day that I do.

    In its current configuration, the TDC doesn’t see which passenger the barcode refers to, only that it is valid for *a* passenger. I guess this could be different in different airports.

    Last time I had an Aztec (on the Delta app) the TDC put it up to the reader, saw the green light, and let me through. They don’t know that the Aztec was mine, only that something confirmed that the person whom it did belong to must have had a flight that day.

  4. Or done away with altogether. I just flew the other day and scratched my head (again) wondering how it makes me a single bit safer? Do they have some savant with a memorized list of the suspected terrorists in his head?

    While we’re at it… if they really think that my 20 oz bottle of Pepsi Max could potentially blow up an airplane, then why do they *throw* it into a trash can? Wouldn’t that be a reckless thing to do with a potentially deadly device?

    Also, I flew on two different flights this past Saturday. One flight carried about sixty people, the other I think could carry about 200. Why are they so concerned about airplane security when someone with a bomb could kill more people at the security checkpoint than he could on a plane?

    It’s all theater, and it’s all it ever will be.

  5. Jack,

    Clearly you have never heard of Philippine Airlines 434 or Project Bojinka, one of which effectively used small amounts of liquids carried aboard in shampoo and saline containers to detonate a deadly bomb, and the other of which was a plan to do that over a dozen more times. You are so clueless…

    Blowing up a plane is far more sensationalistic than a bomb in security. There are thousands of places where a bomb could kill more people than the biggest plane, but it doesn’t happen.

  6. Kris,

    I’m not saying liquids can’t be dangerous. I’m saying that TSA just throws them. If they are dangerous, why throw them?
