Le me, swiping Instagram stories in morning.
Le see a photo of airline boarding pass on a friend’s story.
As you’re reading this, you might have shared a boarding pass photo on social media at some point.
So what’s the drama about?
Exploit from the Insta Story
In order to see what I could exploit from the boarding pass, I took a screenshot of my friend’s story.
I knew that I just needed to glean the 6-character PNR number and the last name (which I was aware of anyway). The PNR number wasn’t clearly legible, but after several rounds of trial and error, I was able to get it right. Soon after,
- Le me go to: Manage Booking portal of Go Air airline
- Le me enter PNR and last name
- Le me be able to access entire trip itinerary. Le me not surprised.
Here’s the PDF version of the itinerary:
So essentially, I had full access to my friend’s trip itinerary. And it’s stupidly easy. Doesn’t take more than 5 minutes.
The data that I was able to view included but wasn’t limited to:
- Full names of all passengers on the PNR
- Their seat number, flight number, arrival, departure
- Mobile and email of primary contact person
- Payment information
- PAN number of payment agency
What Could Go Wrong
Of course I had no intention to screw up a long awaited Goa trip. But if I was a crook then here’s what I could’ve done:
- Log in to Manage Booking using the PNR/Last Name and cancel the ticket. Destroying trips couldn’t get any simpler. (Most airlines allow flight cancellations up until 2 hours before departure time.)
- If it’s not possible to cancel online, call the airline and ask them to cancel. When I called Emirates to modify my ticket, I was asked for email address, phone number, full name and PNR number to verify my identity. I would have all the required authentication info already with me from the boarding pass, thus no problems here.
- Access frequent flyer account and monitor/change all past/future trips.
- From the previous point, obtain payment information and make monies.
- Potential identity theft
- …and many more attacks.
Most people know about the potential dangers of sharing boarding pass photos online. But there are plenty of others who do not.
A simple Instagram search on the hashtag #boardingpass gets me over 100k results.
I also see the photos on my feed from time to time.
What and What not
- Do not share photos of boarding pass. Avoid the temptation to brag on social media. 🙂
- Redacting last name and PNR is not enough. The bar code also holds sensitive information. There are plenty of websites that let you read bar codes easily.
- Use mobile boarding pass if possible.
- Avoid leaving extra copies of boarding passes in trash, at least until your departure.
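To show why redacting the printed name and PNR is not enough, here is an added example (not code from the original post) that splits already-decoded barcode text into the mandatory fixed-width fields of the IATA Bar Coded Boarding Pass "M" format. The sample string is constructed and the function names are hypothetical.

```python
# Mandatory fixed-width fields of an IATA BCBP "M" boarding pass string
# (header plus first flight leg): (field name, width in characters).
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
HEADER_LEN = sum(width for _, width in FIELDS)  # 60 characters


def parse_bcbp(text):
    """Split decoded barcode text into the mandatory BCBP fields."""
    if len(text) < HEADER_LEN or text[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = text[pos:pos + width].strip()
        pos += width
    return fields


def exposed_by_barcode(text):
    """What the barcode still reveals when the printed text is redacted."""
    f = parse_bcbp(text)
    surname, _, given = f["passenger_name"].partition("/")
    return {
        "last_name": surname, "given_name": given, "pnr": f["pnr"],
        "route": f["from_airport"] + "-" + f["to_airport"],
        "flight": f["carrier"] + f["flight_number"].lstrip("0"),
        "seat": f["seat"].lstrip("0"),
    }


# Constructed sample (not a real booking), padded field by field.
SAMPLE = "".join(value.ljust(width) for value, (_, width) in zip(
    ["M", "1", "DOE/JANE", "E", "XYZ123", "BOM", "GOI", "XX", "0123",
     "045", "Y", "012A", "0007", "1", "00"], FIELDS))

if __name__ == "__main__":
    for key, value in exposed_by_barcode(SAMPLE).items():
        print(f"{key}: {value}")
```

The last name and PNR, the two values the Manage Booking portal asked for, sit in the first 30 characters of the barcode text, so a photo with a readable barcode exposes them regardless of what is blurred elsewhere.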
Cover photo: https://uxplanet.org/while-i-was-redesigning-a-boarding-pass-paper-got-old-eda92055dd29