The next time you board a flight, be careful about how you dispose of your boarding pass after you land. It turns out, the barcode on the bottom of airplane boarding passes is not just a bunch of black blocks--those characters contain sensitive personal info.
According to cybersecurity expert Brian Krebs, who runs his own site Krebs on Security, hackers can easily use your boarding pass to find out your phone number, future travel plans, and frequent flyer number.
One of Krebs's readers, a man named Cory, saw a friend post his boarding pass to Facebook, so Cory took a screenshot and enlarged the barcode. He then used a website that can decode barcodes and suddenly he had enough information to hack the friend's airline account.
"Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. 'record key' for the Lufthansa flight he was taking that day," Cory told Krebs. "I then proceeded to Lufthansa's website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see any future flights that were booked to his frequent flyer number from the Star Alliance."
Once the hack was pulled off, Cory had full access to his friend's information, itinerary, and future itinerary. "More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights," Krebs writes.
From there, hackers can reset the PIN number for a person's frequent flyer account and suss out answers to common security questions--What's your mother's maiden name? What's your favorite pet's name? A hacker can easily scroll through a victim's social media profiles, photos, and lists of friends to get the correct answers.
The lesson here is that a surprising amount of data and personally identifiable information are stored on tickets, key cards, and other everyday items using standards and protocols that are not that secure. While not all airlines keep this much information in the barcode, you should always treat a boarding pass as a sensitive document.
If you want to keep your info secure, Krebs says you need to know where your data is being stored and handle those items properly.
"The next time you're thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead," Krebs writes. "Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account."