Wednesday , October 28 2020
Home / Technology / Why you shouldn’t post a picture of a boarding pass on social media

Why you shouldn’t post a picture of a boarding pass on social media

Blogger Alex Hope used the booking reference that was visible on the boarding pass to log in to Qantas' website and was able to view personal details.

Blogger Alex Hope used the booking reference that was visible on the boarding pass to log in to Qantas’ website and was able to view personal details.Credit:Instagram

“As we saw with Tony Abbott, his passport number and phone number were easily discoverable with little effort on the part of the hacker,” Mr Gorrie said.

“Private details, such as an email, home address and phone number linked to an airline account could be exposed and even give a cyber criminal the ability to change your travel plans.”

Mr Hope said he had tried to scan the barcode on Mr Abbott’s pass, but then realised the booking reference was printed on it so he used that to log in to Qantas’ website and found Mr Abbott’s details.

He said he spent six months trying to alert Qantas and Mr Abbott to the fact that these details are so easily accessible.

This is not a new vector for malicious actors to grab valuable information. In 2015, security expert Brian Krebs was warning about software that could dig into the data locked away behind pictures of barcodes and QR codes on tickets and boarding passes.

These often contain airport codes, flight numbers, frequent flyer IDs and names, Mr Krebs said, which is easily enough to log into airline websites and impersonate the ticket holder. While information like phone numbers and future travel plans aren’t in the barcodes or on the ticket, they’re easily accessible through the airline website.

Loading

In Mr Abbott’s case, Mr Hope was able to get to additional information — including airline staff’s notes and comments about the trip — by examining the HTML code of the Qantas website.

Also in 2015, a woman who posted a selfie with her winning Melbourne Cup ticket found someone else had already claimed it by the time she reached the TAB. There have also been instances of tickets for sporting events and concerts being replicated from online photos and sold online as legitimate.

Mr Gorrie said it was important to be aware of the opportunities you’re giving malicious actors by posting pictures of yourself and your personal items to the public internet.

“If you’re posting pictures to Instagram or other social networks, make sure you switch your privacy settings to only share updates with your trusted network,” he said.

Technology Newsletter

The top technology stories and reviews delivered weekly. Sign up to The Age‘s newsletter here and The Sydney Morning Herald‘s here.

Most Viewed in Technology

Loading

About admin

Check Also

Best consumer VR yet comes with a serious warning

The ageing Snapdragon 835 processor has been swapped out for Qualcomm’s shiny new XR2 chip, …