Sharing Your Boarding Pass Is A Bad Idea

Last Friday we covered some of the security issues travelers can face when staying at a hotel.  Today we are going to look at air travel – specifically the bad things that can happen to you if you carelessly discard your airline boarding pass or foolishly post a picture of it online.

For some reason, people like to post images of their boarding passes on Facebook, Instagram, and other social networks.  Probably a hipster version of “wish you were here – not!”  Brian Krebs reported that a recent search on Instagram for “boarding pass” returned 91,000 results!  There are also smartphone and smart watch apps for capturing the bar code.  This is supposed to help you board more easily, but it is another great way to lose the information in the bar code.

Your boarding pass, especially the bar coded information, can reveal more information about you than you might expect.  This includes things such as:

  • Name
  • Address
  • Phone Number
  • Passport Number
  • Frequent Flyer Number
  • 6-digit Booking Code

Czech security researcher Michal Špaček recently gave a talk at a cybersecurity conference.  He described how:

“…he was able to get from a picture of a British Airways boarding pass that a friend of his posted on Instagram before a trip to Hong Kong with his wife.

All he had to do was enter the booking reference on the BA website and find out his friend’s birth date (which was on his Facebook profile) to get his passport number, to be allowed to change the details on his account – cancel future flights, edit the passport number, citizenship, expiration date and date of birth…”

Basically, information in the bar code can allow an attacker to access your airline travel account, view your travel plans, make changes to your itinerary, book airline tickets, and steal your frequent flyer points, among other things.  Want to know what is in your boarding pass bar code?  Take a picture of the barcode with your phone, and upload it to Inlite Online Barcode Reader.
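To see which of these values sit in the bar code itself, the decoded text can be split locally. The sketch below is an added example, not part of the original post: it assumes you already have the text string a barcode reader returned, slices the fixed-width mandatory fields of the IATA bar coded boarding pass format ("M"), and uses a constructed sample pass with a made-up carrier code.

```python
# Mandatory fields of an IATA bar coded boarding pass (format "M"), in order.
# Each field has a fixed width, so the decoded text is sliced left to right.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_code", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters
SENSITIVE = ("passenger_name", "booking_code")


def parse_bcbp(text):
    """Return the mandatory fields plus any conditional data as a dict."""
    if len(text) < MANDATORY_LEN or text[0] != "M":
        raise ValueError("not a format-M boarding pass string")
    record, pos = {}, 0
    for name, width in FIELDS:
        record[name] = text[pos:pos + width].strip()
        pos += width
    # The last mandatory field gives the length (hex) of the optional block.
    size = int(record["conditional_size_hex"], 16)
    record["conditional_data"] = text[pos:pos + size]
    return record


def exposure_report(text):
    """List what a photo of this bar code would hand to a stranger."""
    record = parse_bcbp(text)
    findings = [f"{key}: {record[key]}" for key in SENSITIVE if record[key]]
    extra = record["conditional_data"]
    if extra:
        findings.append(f"{len(extra)} chars of conditional data "
                        "(may hold a frequent flyer number)")
    return findings


# Constructed sample pass; "ZZ" is a made-up carrier, "XYZ123" a made-up code.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ123".ljust(7) + "MSP" + "ORD"
          + "ZZ".ljust(3) + "0123".ljust(5) + "045" + "Y" + "012C"
          + "0007".ljust(5) + "1" + "00")

if __name__ == "__main__":
    for line in exposure_report(SAMPLE):
        print(line)
```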

So posting pictures of your boarding pass online is a bad plan.  Casually tossing it in the trash in your hotel room is not a good idea, either, since it would be possible for the cleaning staff to save the pass and sell it to cyber-crooks and identity thieves.  The boarding pass becomes one more item that needs to be shredded or destroyed in other ways.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
