Don’t expose yourself with your boarding pass

Perhaps you’re one of those people who would never, ever send an “intimate” picture to anyone – even your partner – online.

Good. But if you can’t resist bragging about your vacation or the concert tickets you just got by posting the boarding pass or the tickets – anything with a barcode – on social media or any other public platform, you’re exposing yourself in a different, but still very risky, way.

No, you won’t be publicly embarrassed – it’s not like an open raincoat. But it could still cost you – big time, because it’s a bit like an open wallet – or passport. That barcode has lots of information about you in it, and it’s info that is not terribly difficult to decode. If you post it, it’s like handing it out to just about anybody, including people who would love to spoof your identity or do other bad things with it. When they know your travel plans, they know when you won’t be home.

You can’t say you haven’t been warned. A few security experts – Brian Krebs among them – have written in the past that a boarding pass can provide a window into not just your current travel and frequent flyer account number, but future travel plans and personally identifiable information (PII) – phone number, address, passport number and more – as well.

Not everybody listened, apparently. People are still doing it. Krebs reported this past week that a search on Instagram for “boarding pass” yielded 91,000 results, and “concert tickets” brought up 42,000 results.

And security researcher Michael Špaček, who gave a talk (in Czech) at a recent conference organized by CZ domain in the Czech Republic, wrote a summary of it, which included telling what he was able to get from a picture of a British Airways boarding pass that a friend of his posted on Instagram before a trip to Hong Kong with his wife.

All he had to do was enter the booking reference on the BA website and find out his friend’s birth date (which was on his Facebook profile) to get his passport number, to be allowed to change the details on his account – cancel future flights, edit the passport number, citizenship, expiration date and date of birth – which he didn’t do. Fortunately the “victim” was a friend.

Špaček also noted that barcodes for boarding passes are increasingly on mobile devices like smartphones or smart watches. The so-called “Aztec code” has all that information as well, including frequent flyer numbers. In another case, he got an Aztec code image for a United Airlines boarding pass. While United guards that number with anything in print – providing only the last three digits and masking the rest – the full number is within the Aztec code.

In that case, he found he could hijack the account simply by selecting “Forgot Password” on the United website and answering a couple of easy security questions. In an update, Špaček said United has since added a third security measure that requires the customer to click a link that then generates an email to enable changing the password.

But he wasn’t impressed. “Nowadays, I’d be able to just trigger such an email,” he wrote.

OK, but Špaček is a security researcher. How many other bad people would have the savvy to do this stuff? Turns out you don’t need much savvy. As Krebs reported almost two years ago, there are websites to help you out. “Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site,” he wrote.

Some of the exposure risks are not a traveler’s fault. Krebs cited a talk from last year’s CCC (Chaos Communication Congress) in Berlin by security researchers Karsten Nohl and Nemanja Nikodijevic, who pointed out that the six-digit booking code, also known as the PNR (passenger name record) amounts to a temporary password, but it is printed on every piece of checked luggage.

But their advice is relatively simple. For starters, don’t be an exhibitionist – keep those images off the internet. But also, don’t leave boarding passes tucked into the seatback on the plane – don’t even throw them in the trash. Shred them. If you can’t resist posting them on social media, black out the bar code and the PNR, at a minimum.

Your friends will be impressed when you send them pictures – after you return home.