What do you do with your used boarding pass after a flight or trip? If you typically just toss it in the trash on your way to baggage claim, that’s a bad idea.
Barcodes and QR codes that are printed on airline boarding passes can contain a lot of information about the traveler, including personal details, future travel plans and frequent flyer account information. And with that information, a scammer get access to a lot more.
What’s in a boarding pass
According to security website KrebsOnSecurity, someone can access the information stored in those codes with just an image of the boarding pass. After one of the site’s readers, referred to as Cory, told KrebsOnSecurity that when he noticed his friend posted a photo of his boarding pass on Facebook, he saved the image and started doing a little digging. With just that one photo, Cory found a website that could decode the data and instantly reveal a lot of sensitive information about his friend.
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” Cory told the site. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
Once Cory got access to his friend’s airline account, he could see his friend’s phone number, the name of the person who booked the flight and information about future flights. He could even cancel or change any future flights.
And a thief would be able to find a lot more information than that. KrebsOnSecurity says that by using the frequent flyer account number — which is stored in the boarding pass code — a scammer could use the ‘Forgot PIN’ option on the airline’s website to gain more access. Answering a security question like ‘What is your mother’s maiden name?’ would only take a quick social media or Google search, and then the scammer is in — gaining access to, and control of, the entire account.
How to protect yourself
The best way to keep someone from getting your old boarding pass — and the information stored in it — is to shred it in a paper shredder.
And don’t share images of your boarding pass on social media or anywhere else on the Internet.
For more on how to protect your personal documents and files, check out Clark’s guide to record, paperwork and file keeping.