Shred your boarding pass to keep your sensitive information safe.
Watch this two minute video and you’ll know everything you need to know about what to do with your Boarding Pass after your trips.
Barcodes or QR codes printed on airline boarding passes can contain a lot of sensitive information. This may include personal details, future travel plans, and frequent flyer information. A scammer can potentially use this to access more. Don’t casually toss them into garbage cans on the way to the baggage claim, leave in the pocket behind the seat of the plane, or in the book you trade back to the used book store like my friend.
The safest thing is to burn or shred your boarding pass.
Don’t Share The Image Of Your Boarding Pass
According to security website KrebsOnSecurity, someone can access the information stored in those codes with just an image of the boarding pass. After one of the site’s readers, referred to as Cory, told KrebsOnSecurity that when he noticed his friend posted a photo of his boarding pass on Facebook, he saved the image and started doing a little digging. With just that one photo, Cory found a website that could decode the data and instantly reveal a lot of sensitive information about his friend. (This is the website.)
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” Cory told the site. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
KrebsOnSecurity continues, “The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights. The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site. After that, the site asks for the answer to a pre-selected secret question. The question in the case of Corey’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)”
Also from Krebs: “United Airlines seems to treat its customers’ frequent flyer numbers as secret access codes. For example, if you’re looking for your United Mileage Plus number, and you don’t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company. When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.”
So, one more time:
The best way to keep someone from getting your old boarding pass — and the information stored in it — is to burn or shred your boarding pass.
And don’t share images of your boarding pass on social media or anywhere else on the Internet.