KUCHING: If you ever thought of posting a picture of your boarding pass online, especially in social media sites such as Facebook or Instagram, you better think twice.
Technology security expert Brian Krebs, who writes for a renowned cybersecurity news site Krebs on Security, took to his blog last month to warn travellers against posting a picture of their boarding pass online in a bid to deter travellers from sharing private information.
Krebs said information contained in the boarding pass such as full name, origin, destination, frequent flyer number and barcode could be exploited by cyber thieves with access to private details. An attacker can also use such details to change travel itineraries.
“Two-dimensional barcodes and QR codes hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans and your frequent flyer account,” Krebs wrote on his blog posted Oct 6.
He warned against simply throwing away a boarding pass, suggesting that travellers shred them after use.
Beside the name and other personally identifiable information, an attacker could use the frequent flyer number to see any flights booked to the account. Information contained on the boarding pass would make it easier for an attacker to reset the PIN number.
Krebs said there were sites online that could read the data stored inside a boarding pass barcode. Decoding a barcode is as easy as uploading an image of it to a free online barcode reader.
“The next time you’re thinking of throwing away a used boarding pass with a barcode on it, better toss it into a document shredder instead,” he said.
Krebs relayed a story from a reader who was able to use a picture of his friend’s boarding pass to get information and access to the friend’s itinerary account on an airline website.
“Not only I could see this one flight, but I could also see other future flights that are booked to his frequent-flier number,” he wrote the reader as saying.
The Borneo Post ran a quick check – using a boarding pass of a local airline – on an online barcode reader site. Using only image of the barcode instead of the whole boarding pass, the programme managed to note the passenger’s full name, travel itineraries including frequent flyer number, flight and seating arrangement. Decoding the barcode only required uploading an image of the boarding pass.
Paul Sim, a system and network security analyst for an international firm at Cyberjaya, echoed Krebs’s advice against posting image of boarding pass online. He said data contained in airplane tickets could be exploited to get other information such as home address, phone number and others. He added that a cyber attacker could find ways to unlock one’s PIN number using the security question.
“If your online security question is about your mother’s maiden name, where you were born or where you live, a quick check through your friends and relatives in Facebook could do the trick,” he said.
Sim reminded users to be cautious when sharing information and images online as content in the internet could be shared countless times even by trusted network.