When you’re jetting off on a hard-earned holiday you might be tempted to post a picture of your boarding pass online – but you could be giving identity thieves a free ticket into your personal details.
You don’t have to scour social media hard to find a bragging #boardingpass post – there are over 75,000 on Instagram – but an experiment by Australian airmiles whizz Steve Hui has revealed just how easily personal information can be gleaned from your flight details. In just a few simple steps, he was able to access a passenger’s full itinerary, frequent flyer logins, and even credit card details.
Hui took a boarding pass photo from Instagram, which was posted by an Australian Virgin Australia passenger on a code-share flight with Delta Airlines.
He used the passenger’s name and flight details – all of which were clearly visible on the boarding pass – to log into the ‘manage my booking’ section of Delta’s website. “I could view the passenger’s entire itinerary, and see when and where they were going to travel,” he told news.com.au. “Details also included their seat numbers, frequent flyer details and ticket numbers.”
It was easy to see a full breakdown of the fare paid, including the date of purchase and the last four digits of the credit card used
Hui was also able to gain access to some of the passenger’s financial details. “It was easy to see a full breakdown of the fare paid, including the date of purchase and the last four digits of the credit card used. People could use that information to potentially cancel or change your flights, change your seat or cause other issues.”
You might think you’re safe from prying eyes if you cover up your name and flight number on boarding pass photos, but you’re wrong – Hui was also able to gain access to the passenger’s details by running the barcode through a simple online barcode reader. “I was able to retrieve all the passenger’s details without seeing the rest of the boarding card. The text provided full name, flight number, route, booking reference, ticket number, frequent flyer number and more.”
Telegraph Travel has contacted Delta Airlines for a comment.
This isn’t the first time that flaws with boarding pass technology have been highlighted. In August, a Polish computer hacker used a mobile phone app to fake a QR code boarding pass and gain false entry to a number of airport business lounges.
Przemek Jaroszewski, the head of Poland’s Computer Emergency Response Team, made a video showing how easy it was to create the fake codes, saying: “Literally, it takes 10 seconds to create a boarding pass… and it doesn’t even have to look legit because you’re not in contact with any humans.”
It takes 10 seconds to create a boarding pass… and it doesn’t even have to look legit
It’s not the most controversial news to hit boarding passes either. In August 2015, an investigation revealed that airport duty free shops weren’t asking passengers to show their boarding passes for security reasons – they were using the information to claim back VAT of 20 per cent on goods sold to passengers flying outside the EU.
“Handing over your boarding pass at the airport shop, even if you’re buying nothing more than a copy of The Telegraph, has become practically second nature – but I bet very few people realised the reason why retailers can be so insistent,” said Nick Trend, Telegraph Travel’s Consumer Editor.