Sharing Your Boarding Pass Is A Bad Idea

Last Friday we covered some of the security issues travelers can face when staying at a hotel.  Today we are going to look at air travel – specifically the bad things that can happen to you if you carelessly discard or foolishly post a picture online of your airline boarding pass.

For some reason, people like to post images of their boarding passes on Facebook, Instagram, and other social networks.  Probably a hipster version of “wish you were here – not!”  Brian Krebs reported that a recent search on Instagram for “boarding pass” returned 91,000 results!  There are also smartphone and smart watch apps for capturing the bar code.  This is supposed to help you board more easily, but it is another great way to lose the information in the bar code.

Your boarding pass, especially the bar coded information, can reveal more information about you than you might expect.  This includes things such as:

  • Name
  • Address
  • Phone Number
  • Passport Number
  • Frequent Flyer Number
  • 6-digit Booking Code

Czech security researcher Michael Spacek recently gave a talk at a cybersecurity conference.  He described how:

“…he was able to get from a picture of a British Airways boarding pass that a friend of his posted on Instagram before a trip to Hong Kong with his wife.

All he had to do was enter the booking reference on the BA website and find out his friend’s birth date (which was on his Facebook profile) to get his passport number, to be allowed to change the details on his account – cancel future flights, edit the passport number, citizenship, expiration date and date of birth…”

Basically, information in the bar code can allow an attacker access to your airline travel account, view your travel plans, make changes to your itinerary, book airline tickets, and steal your frequent flyer points, among other things.  Want to know what is in your boarding pass bar code.  Take a picture of the barcode with your phone, and upload it to Inlite Online Barcode Reader.

So posting pictures of your boarding pass online is a bad plan.  Casually tossing it in the trash in your hotel room is not a good idea, either, since it would be possible for the cleaning staff to save the pass and sell it to cyber-crooks and identity thieves.  The boarding pass becomes one more item that needs to be shredded or destroyed in other ways.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.