QTRAVEL – Multiple social media posts claimed boarding passes are encoded with sensitive personal information, but the risks involved seemed vastly overstated.
Claim: Thieves can obtain your home address, banking details, e-mail address, phone number, and other personal details from discarded boarding passes.
WHAT’S TRUE: Theoretically, a determined person can take several steps to obtain personal information (of dubious value) from a discarded boarding pass.
WHAT’S FALSE: Boarding passes were found to contain banking information or home addresses; there’s evidence criminals are mining boarding passes for personal information; this is a criminal initiative with a high return on investment.
WHAT’S Undetermined: Precisely how much information is available by scanning a boarding pass.
Origin:In early 2016, multiple web sites published breathless warnings about how social media users would “never believe” how dangerous it was to discard boarding passes. One such version reported:
After someone took a screen shot of the bar code on the ticket, you will be amazed of how much personal information that person can get about you: home address, banking info, email address, phone number.
The travel-related warning was reminiscent of the exaggerated and widely-circulated stories about the hidden dangers of hotel key cards and helping fellow airport travelers by holding their water bottles. In this case, the viral “boarding pass” items were mostly sourced from a far less alarmist KrebsOnSecurity article from October 2015.
The author of that piece explained that he had heard from a longtime reader, who said he “began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook,” before going on to explain a complex series of steps he used to test his hypothesis:
“I found a website that could decode the data and instantly had lots of info about his trip … Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day … I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights … information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site.
After that, the site asks for the answer to a pre-selected secret question. The question in the case of Corey’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)
All later versions of the boarding pass rumor were sourced from KrebsOnSecurity‘s original post. However, it described a process that was both time-consuming and laborious, and provided little information that would be truly useful to potential identity thieves. For example, the risks cited involved not thieves draining your bank account, but potential resetting of a PIN number for frequent flyer miles.
After what appeared to be moderate to intensive effort, all the information that could be extracted was apparently “the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.”
Answers to security question are a common feature of such warnings, but the “mother’s maiden name” element wasn’t encoded in the boarding pass. Rather, the article concluded that someone who had the ability to find your mother via Facebook could use that information to gain further access to your frequent flyer account.
We contacted travel expert and consumer advocate Christopher Elliott for further information on the claims. We asked Elliott whether there was any truth to the rumor; he replied:
I’ve spent almost every day for the last 20 years advocating travel related consumer cases. I have not heard of personal information being compromised in this way. I have had no complaints from passengers about it.
That said, it is possible that this represents a security risk. But if it does, it would be a hypothetical security risk, at best.
Like Elliott, we were unable to uncover any indication thieves were routinely (or even rarely) plumbing discarded boarding passes to steal anyone’s personal information, and much of the “sensitive information” the warning cited was printed in plain text on the front of the boarding passes. The original warning had to do with interference with frequent flyer accounts, not banking details, and we were unable to substantiate claims that boarding passes contained any truly sensitive data. In short, most of the information that’s available via your boarding pass is information you can read with your eyes, with no scanning of bar codes required.
On 2 March 2016, a JetBlue representative returned our call and provided further information about how boarding pass QR or bar codes worked. The representative affirmed the encoded information approximately matched the text printed on the pass, and did not contain other sensitive information (such as bank details). However, he noted that sharing boarding passes to social media while en route presented a marginal risk of hassle to some passengers (largely unrelated to the warning).
On 10 March 2016, a representative from Southwest Airlines explained no sensitive information was encoded into that carrier’s boarding passes:
The bar codes on Southwest’s boarding passes do not contain any personal information that is not already available via the actual, printed boarding pass. We do not include any other financial or personal information in the bar codes.
Among information generally contained on a boarding pass was a traveler’s confirmation code. Armed with a confirmation code and a passenger’s ticketed name, mischievous individuals possessed the ability to possibly cancel a ticket mid-journey; that information was of particular relevance to folks on multi-leg trips. Conceivably, someone could cancel the second leg of your flight (and cause some hassle or headache) using that information. He confirmed that by and large that held true across the industry, and advised travelers to be mindful when sharing their itineraries to social media. But again, that caution was unrelated to information hidden in your boarding pass QR or bar code.
Watch the video that has gone viral on the social media and decided for youself!