People love sharing photos of their holidays, even before arriving at their holiday destination. Just take a look at Instagram – a snap of a plane wing, their luggage on the conveyor belt, their palm with a passport and boarding pass resting on it – it’s littered with jealousy-inducing photos strategically captioned ‘#wanderlust’.
However, what most people don’t realise is how much danger they’re putting themselves in when posting photos of their passport and boarding pass. Even if you hide your passport number, that boarding pass of yours contain so much sensitive information. If someone gets their hand on a photo of your boarding pass, they can easily access your personal information down to your future travel plans.
It’s all hidden in the two-dimensional barcodes and QR codes.
Security news site Krebs on Security revealed how much personal data is stored in those barcodes after a reader, Cory, managed to hack into a friend’s frequent flyer account using only a photo of the boarding pass that was posted on Facebook.
All Cory had to do was take a screenshot of the boarding pass, enlarge the image, and then find a website that could read the data in the barcode. By running the screenshot through the barcode reader, Cory was able to find his friend’s frequent flyer number, record locator (“record key” for the flight he was taking that day), and full name.
That was not all. Cory then went onto the Lufthansa website and used his friend’s last name and record locator to access his friend’s entire frequent flyer account. Not only could he see his friend’s current flight, he could also see all future flights that have been booked, personal phone numbers. He could also have easily cancelled his friend’s flights or changed the account PIN number.
All that from one photo? That’s worrying.
Is it really that easy to hack into someone’s frequent flyer account from a photo posted on social media? I decided to try it out myself.
On Instagram, a search under the hashtag for “boardingpass” racked up over over 70,000 photos! I randomly chose one to run through the same barcode reader that Cory used. After browsing through a multitude of photos with the captions like “Travelling is the best way to live your life”, we settled on this one:
I’m a bit of a technology noob (I still use Internet Explorer), so I thought it would be difficult for me to get any information out of the boarding pass.
I was surprised by how easy it really was! I just uploaded the photo onto the website, ticked a box of what type of barcode was on the boarding pass, and the barcode was decoded.
I wasn’t too sure what all the numbers meant in the barcode’s read results, but it was easy to figure out which one was the 14-digit flight number. With the Instagram post showing me the passenger’s last name and which airport he was departing and arriving to, I could find out that he managed to arrive in San Diego safely.
I tried to log into his Delta Airlines frequent flyer account, but my technological ineptness failed me. But then again, I am just a university student interning at an online travel magazine. Imagine if I were a hacker or worse, an identity thief.
Keep this in mind the next time you want to post a photo of your boarding pass on social media. The likes and views are not worth the security risk. In fact, just tear your boarding pass in half after your flight. You wouldn’t want anyone, not even me, to be cancelling your next flight, do you?
Read Cory’s full story on Kerb On Security here.