New York, US (BBN)-Posting a picture of a boarding pass to Facebook can seem smug, especially when no one else is going on holiday – but it could come back to bite you in a completely different way.
Brian Krebs, an author and blogger specialising in investigative stories on cybercrime and computer security, explained just how much information an airplane boarding pass contains in its barcode, reports The Independent.
He wrote about a reader of his blog, KrebsOnSecurity, who became curious about the information he could glean from a friend’s boarding pass uploaded to Facebook.
After taking a screenshot of the Lufthansa flight boarding pass, he quickly found a website “that could decode the data and instantly had lots of info about his trip”.
The information included the passenger’s name, frequent flyer number and other “personally identifiable information”.
The reader, known as Cory, was able to obtain the “record key” for the Lufthansa flight the passenger was taking that day.
The reader continues to the airline’s website and used the passenger’s last name, which was encoded in the barcode, and the record key enabled him “to access his entire account”.
“Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance,” said Cory.
Krebs said the access granted by Lufthansa also allowed Cory to view “all future flights tied to that frequent flyer account”, change seats for the ticketed passenger, and even cancel any future flights.
Travel news blog The Winglet suggests blurring out sensitive information if you must upload a photo of your boarding pass to social media.
This includes the airline ticket number, record locator and barcode, as well as “any other identifiable information”.
Once your flight is over and you no longer have a need for the boarding pass, Krebs suggests putting it in the shredder rather than simply throwing it away as the data stored in it can still be accessed.