The Boarding Pass Nightmare

Le me, swiping Instagram stories in morning. 

Le see a photo of airline boarding pass on a friend’s story. 

As you’re reading this, you might have shared boarding pass photo on social media at some point. 

So what’s the drama about?


Exploit from the Insta Story

In order to see what I could exploit from the boarding pass, I took a screenshot of my friend’s story.  

I knew that I just needed to glean 6 character PNR number  and last name. (Which I was aware of anyway). The PNR number wasn’t clearly legible but after several trial and errors, I was able to get it right. Soon after, 

  1. Le me go to: Manage Booking portal of Go Air airline
  2. Le me enter PNR and last name
  3. Le me be able to access entire trip itinerary. Le me not surprised. 

Here’s PDF version of the itinerary:

So essentially, I had full access to my friend’s trip itinerary. And it’s stupidly easy. Doesn’t take more than 5 minutes. 

The data that I was able to view included but wasn’t limited to:

  • Full names of all passengers on the PNR
  • Their seat number, flight number, arrival, departure 
  • Mobile and email of primary contact person
  • Payment information
  • PAN number of payment agency

What Could Go Wrong

Of course I had no intention to screw up a long awaited Goa trip. But if I was a crook then here’s what I could’ve done:

  • Login to Manage Booking using the PNR/Last Name and cancel ticket. Destroying trips couldn’t get any simpler. (Most airlines allow flight cancellations up until 2 hours of departure time)
  • If it’s not possible to cancel online, call airline and ask them to cancel. When I called Emirates to modify my ticket, I was asked email address, phone number, full name and PNR number to verify my identity. I would have all required authentication info already with me from the boarding pass, thus no problems here. 
  • Access frequent flyer account and monitor/change all past/future trips. Reference.   
  • From the previous point, obtain payment information and make monies.
  • Potential identity theft
  • …and many more attacks.  

Prevalent

Most know about the potential dangers of sharing boarding pass photos online. But also, there are plenty of others who do not. 

A simple Instagram search on hashtag, #boardingpass  gets me over 100k results. 

I also see the photos on my feed time to time. 


What and What not

  • Do not share photos of boarding pass. Avoid the temptation to brag on social media. 🙂
  • Redacting last name and PNR is not enough. The bar code also holds sensitive information. There are plenty of websites that let you read bar codes easily. 
  • Use mobile boarding pass if possible. 
  • Avoid leaving extra copies of boarding passes in trash, at least until your departure. 

Further Reading


Cover photo: https://uxplanet.org/while-i-was-redesigning-a-boarding-pass-paper-got-old-eda92055dd29


Posted

in

,

by

Comments

3 responses to “The Boarding Pass Nightmare”

  1. Rajesh Avatar

    Great Post !

    I think this a wonderful travel places All over India.

    I like very much. Great !!!

  2. Tanmay Avatar
    Tanmay

    Very informative, helpful article! I just noticed how the further reading section has text links and not actual ones, was there a reason behind that or just some error, just curious.. Normally, people keep the title as text for hyperlink too.

    1. Darpan Dodiya Avatar

      Thanks!

      Oh, my bad about the links.

      Combination of laziness + ignorance.

      Fixed it now. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *