Back in 2015, we wrote an article on the dangers of posting photos of your airline boarding pass online and just how much info the simple barcode and QR code carried.
Since then, I have become somewhat of a security and privacy warrior (and perhaps source of annoyance) to my friends by constantly reminding before they embark on trips to stop Instagramming shots of their boarding passes.
Although two years has passed since we first released that article, I found that many of my friends are still unaware of the depth of information available from those little black and white lines of barcodes.
While this may not be news to you, feel free to share this advice with THAT travelling friend you know who indulges in those humblebrag photos with their #blessed captions of their boarding passes.
One of the early extensive mentions of any privacy research pertaining to boarding pass barcodes was probably by KrebsonSecurity. Cory, a KrebsonSecurity blog reader, shared his investigation on this matter.
Cory only took a screenshot of a friend’s Lufthansa boarding pass that was posted to Facebook and uploaded it to a barcode reader online before he was able to gather a lot of personal information from the screenshot alone.
There are readily accessible free barcode scanners online. However BolehVPN chooses not to name the sites as they could potentially be used for **evil purposes**. However, all it takes on these barcode scanner sites is an image of the barcode to read all the data stored on it.
Information contained on an airline boarding pass (Source: KrebsOnSecurity)
What kind of information can be pulled from these photos of your boarding pass? A whole lot! This includes:
So you might be thinking, what’s the most a hacker could do even if they got hold of this basic information? After all, it is just simple info that could not be all that damaging, right?
Wrong. There are a variety of ways that the information stored on these barcodes could be more disruptive for you.
For instance, Steve Boggan a writer at The Guardian, detailed how from the information he gathered from a thrown out boarding pass, he did a quick Internet search which led him to even find the home address of the boarding pass holder.
Additionally, hacking into someone’s frequent flyer account would enable a hacker to redeem things like flights and gift vouchers. Travelling with a friend? A hacker would also be able to see all the passengers on that reservation.
Security researcher, Michal Špaček gave a talk at a conference in the Czech Republic how he was able to change the password for another friend’s United Airlines frequent flyer account, or with a six-digit booking code, was able to cancel future flights.
Travel blogger Ben Schlappig found himself in this unfortunate situation whereby a hacker looking to disrupt Schlappig’s travel expeditions, logged onto his accounts to cancel and alter his reservations two times just a few hours before he was set to check-in for long haul flights.
But did you REALLY go on your trip if you do not post that standard boarding pass and passport shot?
Well of course you did!
So how can you travel smarter the next time you are getting on a plane?