Why You Should Never Post a Boarding Pass Picture Online

One blogger saw a friend's artful Instagram photo that included his boarding pass on a recent trip. Using basic information, the blogger could wiggle into his friend's flight account with ease.
Shelby Rogers
Boarding passes like this one can be easily hacked, especially on mobile devices. (Image: MTCV via Wikipedia)

Globetrotting friends and social media braggarts beware: posting that 'boarding pass selfie' on Instagram might be one of the easiest ways for someone to steal account information. Blogger Michal Spacek shows readers exactly how easy it can be using a friend's recent holiday trip. 


Spacek noticed that his friend Petr Mara and his wife were headed to Hong Kong to celebrate a birthday, though his friend didn't say exactly how long they'd be out of town. Petr did, however, post an aesthetically pleasing picture on Instagram to celebrate the trip, and it just so happened to include his boarding pass, complete with booking reference and barcode. So, naturally, being the curious friend he was, Spacek did some quick research.

Spacek got on the British Airways website and input the booking reference. Once logged in, Spacek found that Petr had already filled in the proper data for the rest of the trip (as he'd already landed in Hong Kong by the time Spacek investigated). However, Spacek hit a handy link that said "View or change details."

"You know, you see a red button, you have to click it. So I did," Spacek wrote.

The airline needed Petr's birthday in order to change details, which (thanks to Facebook) Spacek could easily find and input. Once British Airways verified the birthday, it gave Spacek full access to the trip details, including the passport number.

Like a good friend, Spacek didn't extend Petr Mara's stay in Hong Kong. However, he did tell him how easily he hacked the account thanks to one picture on social media. 

Hide more data than you think you should

But what about people who are 'smart' and blur out the important information? Well, they normally forget to blur out the barcode. With the ubiquity of smart devices, it's easier than ever to decode barcode information and get exactly what one needs to access a flight account. With a simple barcode scanner from the App Store, Spacek could read barcodes, Aztec codes, and QR codes. 
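To see why an unblurred barcode undoes a blurred name, here is an added example (not from Spacek's post or this article) that splits the text a scanner app returns into its fields. It assumes the pass uses the mandatory 60-character section of the IATA Bar Coded Boarding Pass (BCBP) layout; the sample string, passenger and booking reference are constructed.

```python
# Added example: the field layout is the mandatory section of the IATA
# Bar Coded Boarding Pass (BCBP) format; all sample values are constructed.
from datetime import date, timedelta

# (field name, width in characters), in barcode order; 60 characters total.
BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_reference", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("cabin", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
# The two values the article shows being used to open the booking.
SENSITIVE = ("passenger_name", "booking_reference")


def parse_bcbp(raw: str) -> dict:
    """Split the mandatory section of a decoded barcode into named fields."""
    if len(raw) < 60 or raw[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    return fields


def flight_date(julian: str, year: int) -> date:
    """The barcode stores only the day of the year; the caller supplies the year."""
    return date(year, 1, 1) + timedelta(days=int(julian) - 1)


def exposure_report(raw: str) -> dict:
    """Return the fields that stay readable in a photo unless the barcode is hidden."""
    fields = parse_bcbp(raw)
    return {name: fields[name] for name in SENSITIVE}


# Constructed sample: fictional passenger, booking reference and flight.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ123".ljust(7) + "PRGLHR"
          + "BA".ljust(3) + "0855".ljust(5) + "045" + "Y" + "012A"
          + "0007".ljust(5) + "1" + "00")

if __name__ == "__main__":
    for key, value in parse_bcbp(SAMPLE).items():
        print(f"{key:22}{value}{'  <-- hide this' if key in SENSITIVE else ''}")
```

Everything in the output is stored as plain text in the barcode, so covering the printed name or booking reference while leaving the barcode visible hides nothing.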


His advice? Never create truthful answers when filling out those backup security questions. Hide more data than you think you should if you feel like you need to share that boarding pass picture. But the best option remains not sharing the image at all. 

"Users often publish data that they don't know what they mean," he said. "Because at first sight, it's not possible to see what's the data, or what the data is for. Someone might find the data useful for something. In the worst case, it's possible to steal an account. Just be careful with the data you upload or publish."

And it's not just British Airways with this super-simple access. Researcher Karsten Nohl did the same thing as Spacek during his presentation to the Chaos Computer Club. He used the Lufthansa website and gleaned all personal details and frequent flier number to potentially reschedule flights at will. That's just what the average person can do, so imagine a skilled hacker having access to both the user's side and the booking agent's side of the system. 

The moral of this story: don't be an idiot and overshare

While writing this story, I simply typed in the hashtag #boardingpass into Instagram and found just enough information to do this process myself. A few users thought they were being clever and put a thumb over their name, but all it takes is looking at their actual Instagram account to figure out important information.