The next time you walk off a plane, you may want to think twice before tossing your boarding pass in the trash, and resist the temptation to share a picture of it on social media. The same barcodes that help you speed through the airport could also expose your personal data.
A few months ago, Brian Krebs, creator of the blog Krebs On Security, was contacted by Cory, one of his readers, who had made an unsettling discovery about a boarding pass his friend had posted on social media. Cory noticed the barcode on the pass and wondered if someone could use the information within that code to gain access to a passenger’s personal details.
It turns out that his hunch was right.
In minutes, Cory was able to use the Inlite Research website to decode the barcode directly from the snapshot, obtaining details not only about the flight but also about his friend, including his name and his ticket’s record locator number, the tracking code used by the airline to archive purchased flights. Once he had the locator number, Cory went to the airline’s website and was able to access his friend’s account, including details about his upcoming flights—all using only the information found on the boarding pass.
Imagine all of this information falling into the wrong hands.
“It really is a wake-up call to people in general—how much of our personal information is out there on different types of documents,” says Scott N. Schober, cybersecurity expert and author of the upcoming book “Hacked Again.” “But most people don’t think much about the boarding pass.”
Concerns about boarding pass security are not new
This isn’t the first time passengers and the media have raised alarms. In 2011, a Forbes reporter typed his own boarding pass record locator into a public access computer located in the airline lounge and was able to access his future itineraries and update sensitive personal information without a password.
Even though no two airlines include precisely the same personal or account information on their boarding passes, having that much information on a piece of paper that most people toss into the nearest trash can is concerning.
The information, found in both QR codes and other two-dimensional barcodes, could help data thieves find their way into anyone’s frequent flyer account.
This means that the trend of posting used boarding passes on social media to share your latest adventures with your friends could also enable thieves to figure out your passwords or reset your sign-in credentials using clues that appear on the pass or within the barcode, such as your date of birth or mother’s maiden name. “You really need to stop and think before you post your boarding pass,” says Schober.
Encryption-based solutions such as the HD barcode do exist and could make it more difficult for an outsider to decipher the information on boarding passes. The problem is that these solutions are expensive for airlines and harder to install.
Protect your boarding pass—and your identity—when traveling
Schober shared a few tips that might help you and your family travel more safely this holiday season.
- Handle your boarding pass with the same care you would handle any other sensitive document, like a bank statement or medical bill. Avoid the urge to dispose of your boarding pass in your hotel trash can. Instead, keep it safely stored somewhere in your luggage and once you’ve made it home safely, put it through your personal shredder.
- Be mindful when using mobile boarding passes. Not only are they just as vulnerable, but they also leave an electronic trail on your device that can be difficult to eradicate.
- If you think you might need your boarding pass again for proof of travel, especially on international flights, place it where you store other important documentation.
- Instead of using real information when setting up frequent flyer accounts, substitute a fake birthdate or a combination of words, numbers, and symbols for your mother’s maiden name.
The information contained in this blog post is designed to generally educate and inform visitors to the Equifax Finance Blog. The blog posts do not give, and should not be assumed to provide, personalized tax, investment, real estate, legal, retirement, credit, personal financial, or other professional advice. Before making any financial decision, you should always consult with the appropriate professionals who can explain your options, rights, and legal responsibilities, and advise you on any tax, legal, credit, or business implications that may result from those decisions. The views and opinions expressed by the authors of blog posts are their own views and may not be the views or opinions of Equifax, Inc. and/or its affiliates.