Many of us have done it: after guarding our paper boarding pass through airport security and onto the plane, we treat it like a used bag of potato chips and leave it in the seatback pocket without a thought. You may never do that again after reading a recent post about how much personal information those boarding passes contain.
The blog KrebsOnSecurity posted a tip from a reader who was able to decode his friend’s Lufthansa boarding pass using the barcode reader on this site.
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” the reader told KrebsOnSecurity. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
|What the reader was able to decode from the boarding pass.|
KrebsOnSecurity goes on to show that an experienced online thief could go even further and hijack that person’s entire frequent flyer account by changing the PIN number with that information on United’s site. All that would be left to find is the answer to a security question such as a mother’s maiden name, which could be tracked down with a simple Facebook search.
The safer tactic? Take that boarding pass home with you and put it in the shredder. Or use a mobile boarding pass, which is more secure and won’t leave a paper trail.