{"id":5136,"date":"2015-11-06T08:14:58","date_gmt":"2015-11-06T13:14:58","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5136"},"modified":"2019-11-15T15:24:23","modified_gmt":"2019-11-15T11:24:23","slug":"dont-post-boarding-pass-online","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/dont-post-boarding-pass-online\/5136\/","title":{"rendered":"7 reasons you shouldn&#8217;t post your boarding pass online"},"content":{"rendered":"<p>Checking in to an airport to brag that you are on your way to a Parisian getaway is\u00a0<em>so yesterday<\/em>. For starters Swarm has lost it\u2019s luster and usage since it was chopped off of Foursquare. Secondly, the saying goes\u00a0<em>pictures or it didn\u2019t happen<\/em>\u00a0\u2014 social media requires, social proof.<\/p>\n<p>While many people think that posting a picture of a boarding pass to social networks is a great way to brag, it could also be the first step to a nightmare. Since many people post these pictures under public settings, they think about the bragging rights and not what is lurking within that picture that could be used by someone with wicked intentions.<\/p>\n<p>Aside from your name and destination, your boarding pass includes some sensitive information, which at the first glance seems to be of no value for anyone, except the airport staff.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Before you click 'share' on your mobile device, be aware of the potential risks of 'checking in' via social media <a href=\"http:\/\/t.co\/eyLGf8OKBu\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/eyLGf8OKBu<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/357401828226379776?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 17, 2013<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This information is also included in the screenshots of a ticket, booking confirmations obtained via mobile apps and, moreover, in email confirmations. Even if you don\u2019t brag about your travel plans but are prone to employing weak passwords, anyone who secretly reads your emails can gain access to this data.<\/p>\n<p>So what other data is really on the boarding pass? For starters, it might be the number of your loyalty or frequent flyer card. This number or the cardholder\u2019s name is, in some cases, enough for an outsider to log onto your personal profile on the airline\u2019s website or to check-in online.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Is it possible to hack <a href=\"https:\/\/twitter.com\/hashtag\/planes?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#planes<\/a> in our time?<br>Super important post =&gt;<a href=\"https:\/\/t.co\/n2rzZDE2W2\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/n2rzZDE2W2<\/a><a href=\"https:\/\/twitter.com\/hashtag\/CyberSecurity?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CyberSecurity<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/aircraft?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#aircraft<\/a> <a href=\"http:\/\/t.co\/2XPDrIiVaw\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/2XPDrIiVaw<\/a><\/p>\n<p>\u2014 Kaspersky Lab ME (@KasperskyME) <a href=\"https:\/\/twitter.com\/KasperskyME\/status\/638630007200321536?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 1, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The second piece of important data hiding is a thing in your boarding pass called Passenger Name Record, or PNR for short. PNR is a reservation code, which serves as a unique identifier of the passenger in the computer reservation system. It includes route data on you and on all those travelling along. So, if you travel with your family, you will share the same PNR.<\/p>\n<p>Just so you know, even if this code is not directly referenced on the boarding pass, there are relatively easy ways of pulling this data out of the bar code, and the latter is there for sure.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Woman shares selfie with winning horse race ticket, has the $825 stolen: <a href=\"https:\/\/t.co\/ojHsnJyjrB\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ojHsnJyjrB<\/a> <a href=\"https:\/\/t.co\/GaiDdK59YC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/GaiDdK59YC<\/a><\/p>\n<p>\u2014 PetaPixel (@petapixel) <a href=\"https:\/\/twitter.com\/petapixel\/status\/661997222641299456?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 4, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The PNR does not have to comply with any unified standard, and each booking system has its own set of credentials, yet they all share these: passengers\u2019 names, the contact data of a person who booked the flight, a ticket number and information on at least one flight segment (port of departure, port of destination or date and time). All the passengers on the reservation should have matching segments \u2013 so if you are on different flights, your PNRs will differ as well.<\/p>\n<p>The PNR also includes information on the fare, as well as payment information (like a credit card number). In some cases the following information can live within the PNR: passenger\u2019s phone number, his\/her accommodation details in the destination country, date of birth and passport data. If you think about it, this is some pretty valuable information. What do you suppose a criminal could do with this data?<\/p>\n<p><strong>1. Since you are away:<\/strong>\u00a0The simplest way this data can be used against you is that criminals can find out when you leave and return, based on the booking number. So, if your family leaves for a vacation for two weeks, no one is going to be home. It\u2019s a valuable insight for burglars or car thieves: they can break into your home or take your car away in a tow truck without a fear of you coming home.<\/p>\n<div id=\"attachment_5138\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-5138\" class=\"size-full wp-image-5138\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/11\/05103608\/boarding-pass-check-in-cartoon.png\" alt=\"Thanks to Mike's check-in, Tom and Jake unlocked a new arena\" width=\"800\" height=\"565\"><p id=\"caption-attachment-5138\" class=\"wp-caption-text\">Thanks to Mike\u2019s check-in, Tom and Jake unlocked a new arena<\/p><\/div>\n<p><strong>2. So you like middle seats?<\/strong>\u00a0Someone with this information can play a nasty game of musical chairs with your seating arrangements on the flight \u2014 you might get the worst seats on the plane \u2014 like aisle seats by the lavatory. Usually, you cannot change your seat once you have checked in, and even if you can, it won\u2019t always be possible to switch back if the flight is sold out.<\/p>\n<p>If you travel with your family, you might be assigned seats in different parts of the cabin: say, one of you would be placed by the fore-end lavatory, and the other would remain seated by the rear-end lavatory. In this case you would hardly be able to sleep on the long-haul flight, with people passing by all the time, grabbing your backrest for support, and the backrest, for sure, would be fixed in the upright position.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">A reasonable portion of offline paranoia may save money online:  <a href=\"https:\/\/t.co\/ZGkvthc12o\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ZGkvthc12o<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/545564445049516033?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 18, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>3. You wanted to come home?\u00a0<\/strong>Imagine coming to the airport only to find out you are not on the list. It turns out that someone called the airline on your behalf, confirmed all of your personal data and asked to cancel the ticket.<\/p>\n<p>You even might be able to prove that person wasn\u2019t you. You even might be able to get a new ticked without paying cancellation fees \u2014 for tomorrow\u2019s flight, as yours has already taken off, unfortunately. While you are waiting, experience the airport\u2019 wonderful sleeping facilities \u2013 a hard bench and someone\u2019s left over newspaper. In case you had a connecting flight \u2013 congratulations on not going anywhere!<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">5 <a href=\"https:\/\/twitter.com\/hashtag\/Tips?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Tips<\/a> to remember when flying:<a href=\"https:\/\/t.co\/ABxdaI4xio\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ABxdaI4xio<\/a><a href=\"https:\/\/twitter.com\/hashtag\/vacation?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#vacation<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"http:\/\/t.co\/SBMY7xNByN\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/SBMY7xNByN<\/a><\/p>\n<p>\u2014 Kaspersky Lab ME (@KasperskyME) <a href=\"https:\/\/twitter.com\/KasperskyME\/status\/618696574625951744?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 8, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>4. What day are you flying?\u00a0<\/strong>Similar to changing seats, a jokester with your information could change the date of your return flight. If there are no change fees, the person with your information could laugh remotely as you find out your flight took off yesterday \u2014 or tomorrow \u2014 depending on their mood.<\/p>\n<p>Of course, if the fare presupposes fees for changing the reservation, it\u2019s quite unlikely the culprit is ready to pay them out of pure evilness. However, there is a trick, which would allow him to initiate changes without completing the payment process. Once it\u2019s done, the seats would be cancelled and possibly resold. The victim, in this case, would have no other option rather than paying the fee twice to get their ticket back.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How to kill a human with a keyboard <a href=\"https:\/\/t.co\/Mg6yBJxHRz\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/Mg6yBJxHRz<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/defcon?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#defcon<\/a> <a href=\"http:\/\/t.co\/F3VRae185m\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/F3VRae185m<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/630717675229065216?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 10, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>By the way, it\u2019s a good scenario for scammers who could ask a victim to transfer a $100 ransom to avoid paying a double fee (say, $200). Moreover, the initial seat could be resold to another passenger, making the victim both pay additional fees and choose other date. With the holiday season approaching, this method is a great way to make enemies\u2019 lives more miserable on Christmas. Also, this scam does not require calling the contact center as it used to be before \u2014 many airlines let passengers introduce changes right online.<\/p>\n<p><strong>5. \u201cBusiness\u201d Trip<\/strong>\u00a0\u2014 Suppose a passenger tells his wife that he is going on a business trip, but in reality, he\u2019s going on an exotic rendezvous with his mistress. If they are traveling together, this can be revealed in the PNR. Should this traveler brag and post their boarding pass online, someone with ill intentions could threaten to tell the person\u2019s wife about the illicit travel plans unless they are paid hush money. If this person is a public figure, the scammer could also look to cash in with tabloid media.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Securing intimate activities: Don\u2019t let your spicy stories leak online \u2013 <a href=\"https:\/\/t.co\/He4AOM43ur\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/He4AOM43ur<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/privacy?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#privacy<\/a> <a href=\"http:\/\/t.co\/s9xz7k1fdS\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/s9xz7k1fdS<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/639434049052913664?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 3, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>6. Bye-Bye Miles\u00a0<\/strong>\u2014 We have already noted that a frequent flyer number can be held within the PNR. Using this number along with and some social engineering tricks, an outsider can get access to your frequent flier profile. A culprit can easily reset the password: the procedure at times requires answering a simple secret question \u2014 like \u201cWhat\u2019s your mother\u2019s maiden name?\u201d In the era of social networks this can be found by finding your mother\u2019s profile and, consequently, her maiden name, in no time.<\/p>\n<p>Once the attacker gets access to your profile, he might drain all of your bonus miles. You\u2019d have hard time proving the fact of the scam to the airline, and should a culprit use your miles in violation of the Terms and Conditions of the program (for instance, reselling them), the airline might go as far as blocking your frequent flier profile for good.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>How to turn someone\u2019s #flight into a havoc with nothing but a photo of a #boarding pass. #security<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2F3gjN&amp;text=How+to+turn+someone%26%238217%3Bs+%23flight+into+a+havoc+with+nothing+but+a+photo+of+a+%23boarding+pass.+%23security\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p><strong>7. Text and Money Be-Gone:\u00a0<\/strong>If the PNR includes your mobile phone number, it\u2019s an opportunity for a scammer to duplicate your SIM card and use it to hijack your text messages including those sent by two-factor authentication systems employed by email services, social networks or even banks, giving a culprit an opportunity to purge your account from money or use it to pay online.<\/p>\n<p>While some of these instances are extreme, these options are out there. All in all, flashing your boarding pass gives scammers a pool of opportunities, all of them very unpleasant for a victim. Think about it once you brag about your boarding pass to a tropic paradise in front of the entire world.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Checking in to an airport to brag that you are on your way to a Parisian getaway is\u00a0so yesterday. For starters Swarm has lost it\u2019s luster and usage since it<\/p>\n","protected":false},"author":540,"featured_media":5137,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[924,927,93,1082,97,211,521,633],"class_list":{"0":"post-5136","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-aircrafts","9":"tag-aviation","10":"tag-cybercriminals","11":"tag-planes","12":"tag-security-2","13":"tag-social-media","14":"tag-threats","15":"tag-travel"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dont-post-boarding-pass-online\/5136\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/dont-post-boarding-pass-online\/3592\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dont-post-boarding-pass-online\/6437\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dont-post-boarding-pass-online\/6362\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dont-post-boarding-pass-online\/7220\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dont-post-boarding-pass-online\/6878\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dont-post-boarding-pass-online\/9617\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dont-post-boarding-pass-online\/10495\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dont-post-boarding-pass-online\/5775\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/dont-post-boarding-pass-online\/9490\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dont-post-boarding-pass-online\/9617\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dont-post-boarding-pass-online\/10495\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dont-post-boarding-pass-online\/10495\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/aircrafts\/","name":"aircrafts"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/540"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5136"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5136\/revisions"}],"predecessor-version":[{"id":14915,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5136\/revisions\/14915"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5137"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}