In early 2016, multiple web sites published breathless warnings about how social media users would “never believe” how dangerous it was to discard boarding passes. One such version reported:
After someone took a screen shot of the bar code on the ticket, you will be amazed of how much personal information that person can get about you: home address, banking info, email address, phone number.
The travel-related warning was reminiscent of the widely-circulated stories about the hidden dangers of hotel key cards and helping fellow airport travelers by holding their water bottles. In this case, the viral “boarding pass” items were mostly sourced from a far less alarmist source, a KrebsOnSecurity article from October 2015.
The author of that piece explained that he had heard from a longtime reader, who said he “began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook,” before going on to document a complex series of steps he used to test his hypothesis:
“I found a website that could decode the data and instantly had lots of info about his trip … Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day … I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights … information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site.
After that, the site asks for the answer to a pre-selected secret question. The question in the case of Corey’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)
The KrebsOnSecurity article described a process that was both time-consuming and laborious, and provided little information that would be truly useful to potential thieves. For example, the risks cited involved not the draining of bank account, but the potential resetting of the PIN used to access frequent flyer miles.
After what appeared to be a moderate to intensive effort, all the information extracted in the provided example was described as “the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.”
Many such operations with online accounts require the user to answer one of more security questions, and the answers to those questions are not something a potential thief would be able to glean from a discarded boarding pass. The article hypothesized that thief might be able a to answer a simple security question such as “What is your mother’s maiden name?” by gathering that information from a flyer’s social media accounts.
We contacted travel expert and consumer advocate Christopher Elliott for additional information on the claims, who noted in reply that the risks expressed were more hypothetical than actual:
I’ve spent almost every day for the last 20 years advocating travel related consumer cases. I have not heard of personal information being compromised in this way. I have had no complaints from passengers about it.
That said, it is possible that this represents a security risk. But if it does, it would be a hypothetical security risk, at best.
Like Elliott, we were unable to uncover any indication thieves were routinely (or even rarely) plumbing discarded boarding passes to steal anyone’s personal information, and much of the “sensitive information” the warning cited was printed in plain text on the front of the boarding passes.
A JetBlue representative provided us with additional information about how boarding pass QR or bar codes worked. The representative affirmed the encoded information approximately matched the text printed on the pass and did not contain other sensitive information (such as bank details). However, he noted that sharing boarding passes to social media while en route presented a marginal risk of hassle to some passengers (largely unrelated to the warning).
A representative from Southwest Airlines also explained to us that no sensitive information was encoded into that carrier’s boarding passes:
The bar codes on Southwest’s boarding passes do not contain any personal information that is not already available via the actual, printed boarding pass. We do not include any other financial or personal information in the bar codes.
Among information generally contained on a boarding pass was a traveler’s confirmation code. Armed with a confirmation code and a passenger’s ticketed name, mischievous individuals potentially possess the ability to cancel a ticket mid-journey. The Southwest rep confirmed that by and large that held true across the industry and advised travelers to be mindful when sharing their itineraries to social media.