The Southern African Fraud Prevention Service recently warned social media users about the dangers of posting personal information online, including photos of their driver’s licence, ID book, and plane tickets.
The organisation stated that posting information of this nature on social networks like Facebook could lead to identity theft, which could result in fraudulent transactions in the victim’s name.
While the service’s warning has been repeated by multiple security organisations over time, this has not stopped Facebook users who are keen to share their travel plans from posting pictures of their flight details.
Security website Krebs on Security detailed why posting a photo of your plane ticket online is a bad idea, as detailed below.
Don’t post that ticket to Facebook
Krebs said airline boarding passes which contain barcodes and QR codes carry “a great deal of information” in them, and the codes on the ticket may allow someone to discover your future travel plans and frequent flyer account details.
The report stated that certain websites allow attackers to interpret the data in a photo of plane ticket, which results in the traveller’s trip information being exposed.
The attacker takes the photo of the plane ticket, puts the barcode into an online barcode reader, and extracts the available information.
Websites on how to decipher plane ticket information are also available to amateur attackers.
According to the report, the standards for boarding pass barcodes are widely available and have been implemented worldwide for years.
The traveller’s name, frequent flyer number, personal information, and “record key” can be extracted, which allows the attacker to see future flights that the person books on an airline or the airline’s alliance partners.
The information gained can also include the person’s phone number, and in some cases – in conjunction with information taken from a Facebook account – give an attacker the ability to edit a person’s flight schedule or take over their online frequent flyer account.
This can be done through the “I forgot my password” option on an airline’s website, which requires a security question to be answered – such as “What is your mother’s maiden name?”.
The plane ticket and barcode reader websites have been omitted from the article, but are linked in the Krebs report.