Wednesday 16 June 2021

Why You Should NEVER Throw Your Boarding Pass Away. The Reason?


QTRAVEL – Multiple social media posts claimed boarding passes are encoded with sensitive personal information, but the risks involved seemed vastly overstated.

Claim: Thieves can obtain your home address, banking details, e-mail address, phone number, and other personal details from discarded boarding passes.

mostlyfalseMostly False
- Advertisement -

WHAT’S TRUE: Theoretically, a determined person can take several steps to obtain personal information (of dubious value) from a discarded boarding pass.

WHAT’S FALSE: Boarding passes were found to contain banking information or home addresses; there’s evidence criminals are mining boarding passes for personal information; this is a criminal initiative with a high return on investment.

WHAT’S Undetermined: Precisely how much information is available by scanning a boarding pass.

Origin:In early 2016, multiple web sites published breathless warnings about how social media users would “never believe” how dangerous it was to discard boarding passes. One such version reported:

After someone took a screen shot of the bar code on the ticket, you will be amazed of how much personal information that person can get about you: home address, banking info, email address, phone number.

- Advertisement -

The travel-related warning was reminiscent of the exaggerated and widely-circulated stories about the hidden dangers of hotel key cards and helping fellow airport travelers by holding their water bottles. In this case, the viral “boarding pass” items were mostly sourced from a far less alarmist KrebsOnSecurity article from October 2015.

The author of that piece explained that he had heard from a longtime reader, who said he “began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook,” before going on to explain a complex series of steps he used to test his hypothesis:

“I found a website that could decode the data and instantly had lots of info about his trip … Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day … I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights … information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site.

After that, the site asks for the answer to a pre-selected secret question. The question in the case of Corey’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)

All later versions of the boarding pass rumor were sourced from KrebsOnSecurity‘s original post. However, it described a process that was both time-consuming and laborious, and provided little information that would be truly useful to potential identity thieves. For example, the risks cited involved not thieves draining your bank account, but potential resetting of a PIN number for frequent flyer miles.

After what appeared to be moderate to intensive effort, all the information that could be extracted was apparently “the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.”

Answers to security question are a common feature of such warnings, but the “mother’s maiden name” element wasn’t encoded in the boarding pass. Rather, the article concluded that someone who had the ability to find your mother via Facebook could use that information to gain further access to your frequent flyer account.

We contacted travel expert and consumer advocate Christopher Elliott for further information on the claims. We asked Elliott whether there was any truth to the rumor; he replied:

I’ve spent almost every day for the last 20 years advocating travel related consumer cases. I have not heard of personal information being compromised in this way. I have had no complaints from passengers about it.

That said, it is possible that this represents a security risk. But if it does, it would be a hypothetical security risk, at best.

- Advertisement -

Like Elliott, we were unable to uncover any indication thieves were routinely (or even rarely) plumbing discarded boarding passes to steal anyone’s personal information, and much of the “sensitive information” the warning cited was printed in plain text on the front of the boarding passes. The original warning had to do with interference with frequent flyer accounts, not banking details, and we were unable to substantiate claims that boarding passes contained any truly sensitive data. In short, most of the information that’s available via your boarding pass is information you can read with your eyes, with no scanning of bar codes required.

On 2 March 2016, a JetBlue representative returned our call and provided further information about how boarding pass QR or bar codes worked. The representative affirmed the encoded information approximately matched the text printed on the pass, and did not contain other sensitive information (such as bank details). However, he noted that sharing boarding passes to social media while en route presented a marginal risk of hassle to some passengers (largely unrelated to the warning).

On 10 March 2016, a representative from Southwest Airlines explained no sensitive information was encoded into that carrier’s boarding passes:

The bar codes on Southwest’s boarding passes do not contain any personal information that is not already available via the actual, printed boarding pass. We do not include any other financial or personal information in the bar codes.

Among information generally contained on a boarding pass was a traveler’s confirmation code. Armed with a confirmation code and a passenger’s ticketed name, mischievous individuals possessed the ability to possibly cancel a ticket mid-journey; that information was of particular relevance to folks on multi-leg trips. Conceivably, someone could cancel the second leg of your flight (and cause some hassle or headache) using that information. He confirmed that by and large that held true across the industry, and advised travelers to be mindful when sharing their itineraries to social media. But again, that caution was unrelated to information hidden in your boarding pass QR or bar code.


Watch the video that has gone viral on the social media and decided for youself!


- Advertisement -

We strive for accuracy in its reports. But if you see something that doesn’t look right, send us an email. The Q reviews and updates its content regularly to ensure it’s accuracy.

"Rico" is the crazy mind behind the Q media websites, a series of online magazines where everything is Q! In these times of new normal, stay at home. Stay safe. Stay healthy.

Related Articles

The US improves travel alerts for Central America; Not Costa Rica and Nicaragua

QCOSTARICA - The United States has eased travel advisories for most...

Are you fully vaccinated? You can now enter Spain

Q TRAVEL - Travelers from the European Union or third countries,...


Direct flight will connect Guanacaste with Austin starting in November

QCOSTARICA - American Airlines announced that starting November 2, 2021, it will offer a direct flight between Austin, Texas and the Daniel Oduber International...

COVID vaccines in the workplace: Can I ask who got their shots?

(DW) Jon works for the local government in the US state of Virginia. The 40-year-old received both his COVID shots in April. Most of...

Tourism sector feels in crisis despite increase in international arrivals

QCOSTARICA - Despite the improvement in tourist arrivals reported in May, with more than 72,000 visitors, both the Cámara Nacional de Turismo (Canatur) and...

Cynthia Ann Telles named new U.S. Ambassador to Costa Rica

QCOSTARICA - Today, U.S. President Joe Biden announced his nomination of Dr. Cynthia Ann Telles as United States ambassador to Costa Rica. According to the...

Carlos Alvarado describes calls reprehensible the persecution of Ortega against opponents in Nicaragua

QCOSTARICA - The President of Costa Rica, Carlos Alvarado, described the persecution of Nicaragua President Daniel Ortega against opponents as reprehensible after the government...

Costa Rica passes law to attract foreign pensioners and rentiers with $150K capital

QCOSTARICA - Costa Rica's legislature approved, in the first debate, a bill that reduces the minimum amount that a foreign pensioner or rentier must...

Today’s Vehicle Restriction: June 9, “EVENS”

Today, Wednesday, June 9, only EVENS can circulate. The measure is countrywide and applied between 5:00 am and 9:00 pm, save for those under the...

Today’s Vehicle Restriction: June 11, “EVENS”

Today, Friday, June 11, only EVENS can circulate. The measure is countrywide and applied between 5:00 am and 9:00 pm, save for those under the...

Should the vaccination against covid-19 be opened?

QCOSTARICA - Six months after the start of vaccination against covid-19, will it be time to open the campaign to those who want to...


Get our daily newsletter with the latest posts directly in your mailbox. Click on the subscribe and fill out the form. It's that simple!

Log In

Forgot password?

Forgot password?

Enter your account data and we will send you a link to reset your password.

Your password reset link appears to be invalid or expired.

Log in

Privacy Policy

Add to Collection

No Collections

Here you'll find all collections you've created before.