Airline boarding passes contain personal information that could be dangerous in the wrong hands, so never post a photo of these documents online or casually toss them in the trash, security experts advise.
Krebs on Security reported August 17, 2017 that the barcode printed on a boarding pass can be used in combination with the airline’s website to obtain such information as future travel plans (including the ability to change or cancel upcoming flights) and data that can be used to access travellers’ frequent-flyer information.
Hackers also can use data from the boarding pass to get the traveller’s passport information and change passwords for online accounts.
Commonly available barcode and QR code readers can be used to scan information stored on boarding passes. These documents contain far more information than hotel room keys – another item holding temporary stored data about travellers.
Security experts Karsten Nohl and Nemanja Nikodijevic said that airlines essentially treat the six-digit booking code known as a PNR as a temporary password while people travel, attaching it to everything from boarding passes to luggage, along with the passenger’s name. “You would imagine that if they treat it as a password equivalent then they would keep it secret like a password,” Nohl said. “Only, they don’t, but rather print it on everything you get from the airline.”
A keyword search of Instagram found at least 91,000 images of boarding passes posted online. A similar search revealed more than 42,000 images of concert tickets — another document printed with bar codes that can be easily hacked.