Please note: This is an update to an article previously published by Equifax in January 2016.
The next time you walk off a plane, you may want to think twice before tossing your boarding pass in the trash, and resist the temptation to share a picture of it on social media. The same barcodes that help you speed through the airport may also risk exposing your personal data.
About two years ago, Brian Krebs, creator of the blog Krebs On Security, was contacted by Cory, one of his readers, who had made an unsettling discovery about a boarding pass his friend had posted on social media. He noticed the barcode on the pass and wondered if someone could use the information within that code to gain access to a passenger’s personal details.
It turns out that his hunch was right.
In minutes, Cory was able to use the Inlite Research website to decode the barcode directly from the snapshot, obtaining details not only about the flight, but also about his friend, including his name and his ticket’s record locator number, the tracking code used by the airline to archive purchased flights. Once he had the locator number, Cory went to the airline’s website and was able to access his friend’s account, including details about his upcoming flights — all using only the information found on the boarding pass.
Imagine all of this information falling into the wrong hands.
It’s important to keep in mind, however, that much of this information – your name, flight and seat, for instance – is available on the boarding pass itself. While many airlines obscure frequent flyer account numbers on the boarding pass, the numbers can be obtained from the barcode. But nearly every airline requires more than a number to access a frequent flyer account – a PIN or password, for instance, or the answer to a security question.
But that answer could, in some cases, be easily obtained – your mother’s maiden name might be found in information posted on social media, for example.
And even though no two airlines include precisely the same personal or account information on their boarding passes, it may be concerning to have that much information on a piece of paper that most people toss into the nearest trash.
The information, found in both QR codes and other two-dimensional barcodes, could help data thieves find their way into anyone’s frequent flyer account.
This means posting pictures of boarding passes on social media to share your adventures with your friends could also enable thieves to figure out your passwords or reset your sign-in credentials using clues that appear on the pass or within the barcode, such as your date of birth or mother’s maiden name.
Encryption-based solutions such as the HD barcode do exist and could make it more difficult for an outsider to decipher the information on boarding passes. The problem is that these solutions are expensive for airlines and harder to install.
Protect your boarding pass—and your identity—when traveling
Here are a few things to consider as you’re getting ready to board a plane armed with your boarding pass:
— Handle your boarding pass with the same care you would handle any other sensitive document, like a bank statement or medical bill. Avoid the urge to dispose of your boarding pass in a public trash can. Instead, keep it safely stored somewhere in your luggage. Once you’ve made it home safely, shred it or tear it up and throw it away in your personal trash can.
— Be mindful when using mobile boarding passes. Not only are they vulnerable too, but they also leave an electronic trail on your device that can be difficult to eradicate.
— If you think you might need your boarding pass again for proof of travel, especially on international flights, place it where you store other important documentation.
— When setting up security questions and passwords on frequent flyer accounts, use a combination of words, numbers and symbols rather than personal information, such as your mother’s maiden name.