Checking in to an airport to brag that you are on your way to a Parisian getaway is so yesterday. For starters Swarm has lost it’s luster and usage since it was chopped off of Foursquare. Secondly, the saying goes pictures or it didn’t happen — social media requires, social proof.
While many people think that posting a picture of a boarding pass to social networks is a great way to brag, it could also be the first step to a nightmare. Since many people post these pictures under public settings, they think about the bragging rights and not what is lurking within that picture that could be used by someone with wicked intentions.
Aside from your name and destination, your boarding pass includes some sensitive information, which at the first glance seems to be of no value for anyone, except the airport staff.
Before you click 'share' on your mobile device, be aware of the potential risks of 'checking in' via social media http://t.co/eyLGf8OKBu
— Eugene Kaspersky (@e_kaspersky) July 17, 2013
This information is also included in the screenshots of a ticket, booking confirmations obtained via mobile apps and, moreover, in email confirmations. Even if you don’t brag about your travel plans but are prone to employing weak passwords, anyone who secretly reads your emails can gain access to this data.
So what other data is really on the boarding pass? For starters, it might be the number of your loyalty or frequent flyer card. This number or the cardholder’s name is, in some cases, enough for an outsider to log onto your personal profile on the airline’s website or to check-in online.
— Kaspersky Lab ME (@KasperskyME) September 1, 2015
The second piece of important data hiding is a thing in your boarding pass called Passenger Name Record, or PNR for short. PNR is a reservation code, which serves as a unique identifier of the passenger in the computer reservation system. It includes route data on you and on all those travelling along. So, if you travel with your family, you will share the same PNR.
Just so you know, even if this code is not directly referenced on the boarding pass, there are relatively easy ways of pulling this data out of the bar code, and the latter is there for sure.
— PetaPixel (@petapixel) November 4, 2015
The PNR does not have to comply with any unified standard, and each booking system has its own set of credentials, yet they all share these: passengers’ names, the contact data of a person who booked the flight, a ticket number and information on at least one flight segment (port of departure, port of destination or date and time). All the passengers on the reservation should have matching segments – so if you are on different flights, your PNRs will differ as well.
The PNR also includes information on the fare, as well as payment information (like a credit card number). In some cases the following information can live within the PNR: passenger’s phone number, his/her accommodation details in the destination country, date of birth and passport data. If you think about it, this is some pretty valuable information. What do you suppose a criminal could do with this data?
1. Since you are away: The simplest way this data can be used against you is that criminals can find out when you leave and return, based on the booking number. So, if your family leaves for a vacation for two weeks, no one is going to be home. It’s a valuable insight for burglars or car thieves: they can break into your home or take your car away in a tow truck without a fear of you coming home.
2. So you like middle seats? Someone with this information can play a nasty game of musical chairs with your seating arrangements on the flight — you might get the worst seats on the plane — like aisle seats by the lavatory. Usually, you cannot change your seat once you have checked in, and even if you can, it won’t always be possible to switch back if the flight is sold out.
If you travel with your family, you might be assigned seats in different parts of the cabin: say, one of you would be placed by the fore-end lavatory, and the other would remain seated by the rear-end lavatory. In this case you would hardly be able to sleep on the long-haul flight, with people passing by all the time, grabbing your backrest for support, and the backrest, for sure, would be fixed in the upright position.
A reasonable portion of offline paranoia may save money online: https://t.co/ZGkvthc12o
— Eugene Kaspersky (@e_kaspersky) December 18, 2014
3. You wanted to come home? Imagine coming to the airport only to find out you are not on the list. It turns out that someone called the airline on your behalf, confirmed all of your personal data and asked to cancel the ticket.
You even might be able to prove that person wasn’t you. You even might be able to get a new ticked without paying cancellation fees — for tomorrow’s flight, as yours has already taken off, unfortunately. While you are waiting, experience the airport’ wonderful sleeping facilities – a hard bench and someone’s left over newspaper. In case you had a connecting flight – congratulations on not going anywhere!
— Kaspersky Lab ME (@KasperskyME) July 8, 2015
4. What day are you flying? Similar to changing seats, a jokester with your information could change the date of your return flight. If there are no change fees, the person with your information could laugh remotely as you find out your flight took off yesterday — or tomorrow — depending on their mood.
Of course, if the fare presupposes fees for changing the reservation, it’s quite unlikely the culprit is ready to pay them out of pure evilness. However, there is a trick, which would allow him to initiate changes without completing the payment process. Once it’s done, the seats would be cancelled and possibly resold. The victim, in this case, would have no other option rather than paying the fee twice to get their ticket back.
— Kaspersky Lab (@kaspersky) August 10, 2015
By the way, it’s a good scenario for scammers who could ask a victim to transfer a $100 ransom to avoid paying a double fee (say, $200). Moreover, the initial seat could be resold to another passenger, making the victim both pay additional fees and choose other date. With the holiday season approaching, this method is a great way to make enemies’ lives more miserable on Christmas. Also, this scam does not require calling the contact center as it used to be before — many airlines let passengers introduce changes right online.
5. “Business” Trip — Suppose a passenger tells his wife that he is going on a business trip, but in reality, he’s going on an exotic rendezvous with his mistress. If they are traveling together, this can be revealed in the PNR. Should this traveler brag and post their boarding pass online, someone with ill intentions could threaten to tell the person’s wife about the illicit travel plans unless they are paid hush money. If this person is a public figure, the scammer could also look to cash in with tabloid media.
— Kaspersky Lab (@kaspersky) September 3, 2015
6. Bye-Bye Miles — We have already noted that a frequent flyer number can be held within the PNR. Using this number along with and some social engineering tricks, an outsider can get access to your frequent flier profile. A culprit can easily reset the password: the procedure at times requires answering a simple secret question — like “What’s your mother’s maiden name?” In the era of social networks this can be found by finding your mother’s profile and, consequently, her maiden name, in no time.
Once the attacker gets access to your profile, he might drain all of your bonus miles. You’d have hard time proving the fact of the scam to the airline, and should a culprit use your miles in violation of the Terms and Conditions of the program (for instance, reselling them), the airline might go as far as blocking your frequent flier profile for good.
How to turn someone’s #flight into a havoc with nothing but a photo of a #boarding pass. #securityTweet
7. Text and Money Be-Gone: If the PNR includes your mobile phone number, it’s an opportunity for a scammer to duplicate your SIM card and use it to hijack your text messages including those sent by two-factor authentication systems employed by email services, social networks or even banks, giving a culprit an opportunity to purge your account from money or use it to pay online.
While some of these instances are extreme, these options are out there. All in all, flashing your boarding pass gives scammers a pool of opportunities, all of them very unpleasant for a victim. Think about it once you brag about your boarding pass to a tropic paradise in front of the entire world.