Wednesday, September 21, 2016

"Why you should never post pictures of your boarding pass online"

That's the title of a cautionary article in the Telegraph.

When you’re jetting off on a hard-earned holiday you might be tempted to post a picture of your boarding pass online – but you could be giving identity thieves a free ticket into your personal details.

You don’t have to scour social media hard to find a bragging #boardingpass post – there are over 75,000 on Instagram – but an experiment by Australian airmiles whizz Steve Hui has revealed just how easily personal information can be gleaned from your flight details. In just a few simple steps, he was able to access a passenger’s full itinerary, frequent flyer logins, and even credit card details.

Hui took a boarding pass photo from Instagram, which was posted by an Australian Virgin Australia passenger on a code-share flight with Delta Airlines.

He used the passenger’s name and flight details – all of which were clearly visible on the boarding pass – to log into the ‘manage my booking’ section of Delta’s website. “I could view the passenger’s entire itinerary, and see when and where they were going to travel,” he told “Details also included their seat numbers, frequent flyer details and ticket numbers.”

Hui was also able to gain access to some of the passenger’s financial details. “It was easy to see a full breakdown of the fare paid, including the date of purchase and the last four digits of the credit card used. People could use that information to potentially cancel or change your flights, change your seat or cause other issues.”

You might think you’re safe from prying eyes if you cover up your name and flight number on boarding pass photos, but you’re wrong – Hui was also able to gain access to the passenger’s details by running the barcode through a simple online barcode reader. “I was able to retrieve all the passenger’s details without seeing the rest of the boarding card. The text provided full name, flight number, route, booking reference, ticket number, frequent flyer number and more.”

This isn’t the first time that flaws with boarding pass technology have been highlighted. In August, a Polish computer hacker used a mobile phone app to fake a QR code boarding pass and gain false entry to a number of airport business lounges.

. . .

It’s not the most controversial news to hit boarding passes either. In August 2015, an investigation revealed that airport duty free shops weren’t asking passengers to show their boarding passes for security reasons – they were using the information to claim back VAT of 20 per cent on goods sold to passengers flying outside the EU.

There's more at the link.

Since I don't use social media apart from this blog, I'd never have thought of posting a picture of my boarding pass, but I suppose in this share-everything-about-yourself world, there are those who do.  Just goes to show:  the more you share, the less privacy you have, and the more at risk you are of being defrauded or robbed.



Old NFO said...

People don't 'think' until it's too late... Too busy showing off. Sigh...

John Cunningham said...

I am constantly stupefied at the amounts and types of personal data that people post phone.

Borepatch said...

Heck, why not post a picture of your Social Security card online?

Tal Hartsfeld said...

So far the only thing I use my ATM card for is withdrawing cash from the ATM machines.
I don't even own a credit card.

And the extend of my online activity is also my blog site and commenting on other people's sites.