Joe H. points me to an article at Krebs on Security that looks at all the scary personal information contained in your boarding pass and recommends “[t]he next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead.”
My advice might be different: just use a mobile boarding pass, and then there’s no need for a shredder. But I don’t actually think the barcode is the problem here.
“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.
Of course, for the most part what’s in the barcode is also printed in plain language on the boarding pass itself. There’s very little unique to the barcode that you need to be worried about.
The real lesson here is that given a little bit of information about you, it’s generally possible to get a lot more information about you either through social engineering or a bit of internet searching.
Your boarding pass often has:
- your name
- your frequent flyer account number (along with status with the airline)
- your ticket number
- where you flew and when
- where you sat
Depending on your Facebook privacy settings, it’s possible to find out or at least guess at your mother’s maiden name (often used as a security question). It may be possible to see your birth day or date as well as your employer, where you have lived, and your spouse’s name. It may even reveal your phone number. Property and court records can usually be looked up online as well.
Starting from just a little bit of information and building out, it shouldn’t be difficult to impersonate someone on the phone with customer service representatives from a variety of companies (or at least pose as the individual’s assistant) and get access to accounts.
What protects us most of the time is that:
- Usually there’s not anyone especially interested in impersonating us
- Most identity theft isn’t done on an individual level anymore. People don’t go through others’ trash to find preapproved credit card offers. Identity theft, and theft of credit, is done by the tens and hundreds of thousands in data breaches.
All things equal, you probably shouldn’t leave your boarding pass in the seat back pocket in front of you. But the odds that whoever is seated there next will be knowledgeable enough to hack you are exceedingly small. The odds that someone with that kind of know-how and desire will choose you are smaller still. But we probably undervalue our Facebook privacy settings, and ought to set passwords where possible on our loyalty program accounts.