Etay Maor, chief security officer at global threat intelligence firm IntSights, travels often. In fact, he took more than 100 flights over the past year. During his trips, he noticed a troubling trend: Passengers leaving their boarding passes behind on the plane.
“The problem is, people don’t realize that all your personal information is encoded right there,” Maor said. Some airlines keep more information than others, he noted, but even the most basic information can be used to gather more details about you.
If that has you worried (and honestly, it should), here’s a look at what kind of information can be unlocked with a boarding pass and what you can do to protect yourself.
How Hackers Can Exploit Your Boarding Pass
All anyone needs to see this hidden information is a barcode scanner ― the same kind that scans items at the grocery store. Barcode scanners can be easily found on various websites and in app stores, often for free. Any basic scanner will work, though Etay said he particularly likes BP Scanner because it decodes and categorizes the data so it’s easy to read.
Here’s how easy it was for me to find and download:
Just like that, I now have the ability to scan the barcode on any boarding pass and gain access to all that passenger’s associated information, such as their name and flight details. But the barcode will also reveal one key piece of information: The passenger’s full airline account number. Sometimes, additional details belonging to the account, such as email address, phone number and more, will also be available.
With access to the full frequent flier account number, a scammer can then get “secret question” information like mothers’ maiden names or high school mascots from social media to log into the account. From there, the criminal can wreak havoc by changing or canceling future reservations, stealing frequent flier points and more.
And if the hacker isn’t successful at logging in using that information alone, all they need to do is a bit of social engineering, according Maor. For example, they can call up the passenger and say, “Hello, Mr. Smith, this is Delta calling. Your full account number is [insert number here]. We just suffered a breach and need your last known password to re-credential you.”
“Or the other way around ― call Delta,” Maor said. Using personal details such as name, phone number, birthday, etc., there’s a good chance that the hacker can have the password reset.
“People should treat their boarding passes the same way they treat their passports. You’d never leave your passport behind.”
You Don’t Need A Frequent Flier Account To Get Hacked
Of course, there are a ton of different airlines, each with their own frequent flier or loyalty programs. If you’re like me, you may have signed up with several, but tend to stick with one or two brands you particularly like for most flights.
For example, I like to fly with Southwest whenever possible because of the open seating policy and free checked bags. But when I needed to book my recent trip from Los Angeles to Boston for Thanksgiving, tickets were unsurprisingly expensive and direct flights were hard to come by. So I ended up booking through American Airlines, an airline I don’t use very often, and didn’t bother hunting down my AAdvantage account information to link to the reservation.
But even if you don’t have your frequent flier account connected to your ticket, one other key piece of information will make that easy to find: The unique confirmation code you receive when you book your flight. Usually, this is a string of six characters the airline emails you that allows you to quickly look up your reservation.
By scanning my American Airlines boarding pass, I was able to see that reference code associated with my ticket (it was also printed on my actual boarding pass). I then went to aa.com and input it, along with my first and last name, into the “Your Trips / Check In” section of the site. Not only was I shown all my flight details, including connecting flights and times, but also the names of everyone else booked under the same reservation and our full AAdvantage account numbers.
How To Protect Your Boarding Pass Data
“People should treat their boarding passes the same way they treat their passports,” Maor said. “You’d never leave your passport behind.”
And if you’re wondering why airlines would keep all this data about passengers on their boarding passes, Maor said it comes down to security versus usability.
“When something bad happens and you want really quick help from a representative, they scan this and they see your email, travel information and everything else, and they can quickly help you,” he said. But often, consumers don’t realize how much information companies have on them and where that information is stored.
With data so easily accessible these days, you have to be skeptical and always err on the side of caution when it comes to your personal information.
Obviously, there’s no getting around using a boarding pass while traveling, but there are a few precautions you can take.
Use a mobile boarding pass. Your safest bet for protecting your sensitive travel information is to avoid paper completely. Opt to receive your boarding pass digitally instead of printing it so no one can see or access the barcode (as long as they don’t have your phone, anyway).
Shred your paper boarding pass. If you must print your boarding pass, keep it secured at all times and don’t leave it out where someone could quickly scan it or snap a quick pic. And definitely don’t forget it in the seatback pocket of the plane. Once you’ve made it home, go ahead and shred it.
Never post photos of your boarding pass. A quick search of #boardingpass on Instagram will show you thousands of recent posts by users displaying their boarding passes ― many with unobstructed barcodes.
In fact, I was able to scan a British Airways boarding pass posted on Nov. 30 and use the reservation code to look up the person’s full name, phone number, email address, membership number, and the name/account number of another person under her reservation. I was also granted access to change the details of her reservation and create an account to collect her unclaimed points earned for that trip (don’t worry, Erica, I didn’t!).