
Don’t let hackers unlock personal data with your boarding pass

27 April 2023

This story has been around for a while, and it’s relevant as we’re all learning to be more careful with our private data and concerned about identity theft. It’s also a story because it’s been somewhat hyped up through relatively vague media stories like this one (the publish date for which is unclear). 

One story in March 2020 was about former Australian Prime Minister Tony Abbott, who posted a photo of his boarding pass on social media. Using only the image, one person was able to gain access to private details and then altruistically spent months trying to warn the Prime Minister’s staff. 

Stories like this have been passed around for years, so let’s get to the bottom of it and answer the question: Can your private data be hacked from your boarding pass?

What data is in a boarding pass?

What’s stored with that little barcode depends on the airline, but a rule of thumb is to assume that the scannable code has information about you, your stuff, and where you’re going. 

In addition to the info printed on the boarding pass, some personal information is accessible using the barcode:

  • Your full name (the one that matches your identity, possibly including your middle name)
  • Where you’re headed and the dates you’re traveling
  • Your airline customer number, which is linked to your miles
  • Your record locator

And possibly (depending on the airline):

  • Your phone number
  • Your email address
  • The fare you paid
  • The last four digits of the credit card you used to pay

With an account number and name, plus some sleuthing in your social media accounts, a hacker may be able to find other details that you could have used to secure your account, like:

  • Pets’ names
  • Your parents’ names
  • Your birthdate

Using the information they’ve gleaned/stolen, a hacker may be able to reset your password, steal your miles, change your seats, cancel flights, etc. Because your flight purchase may also be linked with family travelers, the hacker could also have that information!

How is the data accessed?

It’s easy for anyone to download a scanner app that decodes barcode data. I typed ‘barcode scanner’ into the app store and found dozens.

It’s similar to how simple it’s become to scan a QR code and get a full restaurant menu on your phone.
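What a scanner app returns is a plain text string. The following is an added example, not part of the original article: it assumes the pass uses the IATA Bar Coded Boarding Pass (BCBP) layout, which the article does not name, and splits the fixed-width mandatory block of a constructed sample into fields to show why a photographed barcode exposes the name and record locator.

```python
from datetime import date, timedelta

# Mandatory BCBP items for the first flight leg: (field name, width in characters).
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("record_locator", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("cabin", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60 characters

# Fields that identify the traveller or the booking; redact these before sharing.
SENSITIVE = ("passenger_name", "record_locator")

def parse_bcbp(raw, year):
    """Split the mandatory block of a BCBP string into named fields."""
    if len(raw) < MANDATORY_LEN or raw[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    # The barcode stores only the day of the year, so the caller supplies the year.
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = date(year, 1, 1) + timedelta(days=day_of_year - 1)
    # Size of the airline-dependent conditional block that follows (not parsed here).
    fields["conditional_chars"] = int(fields["conditional_size_hex"], 16)
    return fields

def exposed(fields):
    """Return only the values that identify the traveller or the booking."""
    return {name: fields[name] for name in SENSITIVE}

# Constructed sample: invented passenger, locator, airports and carrier.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ123".ljust(7)
          + "AAA" + "BBB" + "ZZ".ljust(3) + "0123".ljust(5)
          + "100" + "Y" + "012A" + "0001".ljust(5) + "1" + "00")

if __name__ == "__main__":
    parsed = parse_bcbp(SAMPLE, 2023)
    for key, value in parsed.items():
        print(f"{key:22} {value}")
    print("redact before sharing:", exposed(parsed))
```

Anything the airline adds after these 60 characters is reported only as a length here; the optional items listed above would sit in that block.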

What about electronic passes?

Mobile boarding passes may seem like the easy answer to protecting your personal data, but it’s not as simple as showing the electronic ticket. According to privacy researcher Bill Fitzgerald, those apps are filled with a range of first-party and third-party tracking up to and including your real-time location when you’re using the app.

You can’t always avoid a printed boarding pass, either. Sometimes the requirement is out of a traveler’s control, like in the situation of a last-minute seat change, for example.

Bottom line: If you want to use your phone rather than a paper ticket, the recommendation is to take a screenshot of the QR code on the boarding pass, save it to your photos, and show that instead. It eliminates the need for an additional app to access it, but TSA agents may not accept it.

Biometrics to the rescue? Maybe

Shortly after 9/11, Congress mandated an entry and exit system with biometrics to secure US borders. Biometric scanning is not required for entry into the US for US citizens, and US citizens are allowed to opt out of participation in favor of a manual review of travel documents.

Biometric scanning has been proliferating ever since. For biometrics to work, a known trusted source of data, like personally identifying documents (driver’s licenses, passports, etc.), has to be matched to a record on file. These days, more systems, from opening your phone to accessing your banking app, are using facial recognition as the record on file. This is the basis of biometrics.

Ultimately, biometrics should allow travelers to use facial recognition to check a bag, clear security, and board a flight. No paper or app involved, and no identification required either.

The goals of biometrics are speed and efficiency as well as safety. Of course, how much and what data will be shared with what agencies remains to be seen. Luckily for those who are concerned, biometric scanning is optional.

Final word

It’s best to treat any iteration of your airline ticket like you would any sensitive personal document. It’s not likely that someone will get this data, or even catastrophic if they do, because it will take additional work on their part to put it to use. If someone is coming after your information, however, you don’t want to make it easier for them.

Use these simple steps to keep your personal info to yourself:

  1. Don’t post a boarding pass pic on social media (a quick search of #boardingpass on Instagram shows you how common this is, but it looks like the traveler on the right did it smart)
  2. Don’t leave it behind in the airplane
  3. Don’t toss it in the trash – shred it instead

When you’re not showing it to agents, fold it in half and keep it in your pocket.

Damian Tysdal
Author

Damian Tysdal is the founder of CoverTrip, and is a licensed agent for travel insurance (MA 1883287). He believes travel insurance should be easier to understand, and started the first travel insurance blog in 2006.