Anyone who has traveled by aircraft will have had to go through the whole boarding pass process. However, what information does a boarding pass have on it about you and how accessible is it?
A typical boarding pass has the following information printed on it:
- Your Name
- Flight Number and Airline Name
- Date of Departure
- Departure and Destination airports
- Boarding Time and Gate
- Your seat number.
It also has a barcode on it that would be typically read by the departure gate terminal to check you onto the aircraft.
This barcode can have varying amounts of information on it. It can have a single reference which the airline can then look up on their departure systems, or it can have additional information in plain text, for example:
- Full name
- Date of birth
- Flight number
- Departure and destination airport
- Seat number
- A PNR record locator code.
What is the PNR record locator code?
PNR stands for “Passenger Name Record”. It is generated every time you book a flight, stored in the airline’s reservation system and accessed by a record locator code. This record locator code is a 6-character alphanumeric code, e.g. RMT33W. You will have used this code any time you have checked in online or managed your booking through the airline’s website. It can also be called a booking reference number.
For a lot of airlines and travel companies, all you need to provide is your Surname and your booking reference to access your booking. Once you have accessed your booking, especially for international flights, you will have provided information similar to:
- Full name and date of birth
- Passport number and details
- Details of any car hire or hotel bookings made through the airline
- Email address and telephone number
- Last 4 digits of the payment card used and details of who paid for the ticket
- Special Service Requests, which could be special meal requirements and the reason (e.g. religious, medical, allergy) as well as any disabilities or medical issues you declare
- Optional Services Instructions, for example upgrade options, languages, luggage.
This information is provided for all parties on your booking.
This is a treasure trove of information that is only a quick scan away. All I have to do is scan a discarded boarding pass barcode to get this information. This is a major privacy concern.
This information can be used for multiple purposes, with phishing/spear phishing attempts and identity theft being the most obvious.
If you do a search on social media for boarding passes (Instagram is a rich source) you will find hundreds of unsuspecting travelers posting their boarding pass. They might cover their name, but the barcode is often visible and that is all I need. As an attacker I am not bothered about disrupting your flight or holiday, but I may be interested in the info I can harvest about you from your booking records.
While I am here, what do you do with your checked luggage tag that the check-in desk attaches to your luggage? This also has a barcode that can give access to the same information as on your boarding pass. When you get to your destination do you remove the luggage tag? If you do, do you just put it into the Hotel bin? Or do you just leave it on your luggage until you leave for your return flight?
All it takes is for someone who has access to your room (e.g. the maid) to scan your luggage tag and they have all the info they need.
Even if the barcode only produced a cryptic reference, the document still has your surname and airline. It isn’t that difficult to do a brute force attack on the airline booking system page and guess the 6 character booking reference.
What should I do?
TIP 1: First and foremost, treat your boarding pass and luggage tag as highly confidential information and do not just discard it on your seat or in a public bin.
TIP 2: Remove your luggage tag once you retrieve your luggage. Your luggage isn’t directly in your possession during the transfer from the airport, and the coach/taxi driver (or for that matter anyone near the vehicle) could scan the barcode. On a visit to Mexico I was also asked to scan my luggage before exiting the airport which is another opportunity for someone to scan the barcode on your luggage tag.
TIP 3: Do not dispose of your boarding pass and luggage tag in a Hotel bin.
TIP 4: Using a heavy marker pen to scrub out the barcode before you dispose of the boarding pass/luggage tag isn’t enough. The airline’s printer and your marker pen use different inks, which can be electronically separated if you have the original document.
TIP 5: Never post your boarding pass on social media. That is just asking for trouble. Also, probably better not to identify the airline you are flying with as other information on your social media feed can include your name.
TIP 6: Be careful when giving your boarding pass to shops in the airport when you buy duty free goods. This is another opportunity for someone to scan your barcode.
TIP 7: Don’t put your boarding pass down anywhere. Someone passing you could just take a quick photo of your boarding pass.
TIP 8: When you are booking your flight, only give the airline/travel company the information they actually need for the flight or that is required by law. However, for international flights it is now required to provide your passport details ahead of arriving at the check-in desk.
TIP 9: Destroy your boarding pass and luggage tag securely, preferably using a cross-cut shredder. Keep them in your possession until you return home and can dispose of them securely, and certainly don’t leave them in the seat back in front of you on the plane.
What about other travel documents?
When you travel be mindful of the documents you take with you and keep them securely about yourself at all times. This applies to any document including:
- Boarding Pass and luggage tag
- Other tickets (e.g. rail tickets as these also have a barcode on them)
- Booking Confirmation and Hotel information.
Be careful what you put on a label on your luggage. This can also have the airline or travel company identified on it. Best to put the minimum information on this, for example:
- Flight Number
- Final Destination Hotel name.
This applies not just to air travel, but also domestic travel, cruise ships, hire cars and hotel bookings you make since they all have these barcodes on them and may provide the PNR code or a booking reference. Rail tickets also have barcodes on them, especially if you book them through an online booking service. If you book a car online, the claim documents may have a barcode on them or a booking reference printed in plain text.
There have been a few articles highlighting concerns over how all this PNR information is stored and archived. The EU requires that archived PNR records are anonymised; however, researchers have cast doubt on the effectiveness of this.
The aviation and travel sector, like so many other industries, has a lot of work to do when it comes to cyber security but we as passengers have a responsibility for our data too.
The best option is for travel companies to require you to register, provide a username/password and preferably a second factor authentication method rather than just your name and the booking reference.
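On the airline's side, the surname-plus-reference guessing described above shows up in lookup logs as many different failed references tried against one surname. A small detector for that pattern, added here as an illustration and not taken from any airline system; the log format, field order, window and threshold are all assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format:
# timestamp, client IP, surname, record locator tried, lookup result.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 SMITH RMT33W ok
2024-05-01T10:01:00 198.51.100.9 PATEL QX7L2M fail
2024-05-01T10:01:20 198.51.100.9 PATEL QX7L2N ok
2024-05-01T10:02:00 192.0.2.10 JONES AAA001 fail
2024-05-01T10:02:02 192.0.2.11 JONES AAA002 fail
2024-05-01T10:02:04 192.0.2.12 JONES AAA003 fail
2024-05-01T10:02:06 192.0.2.13 JONES AAA004 fail
2024-05-01T10:02:08 192.0.2.14 JONES AAA005 fail
2024-05-01T14:00:00 203.0.113.50 KHAN B1C2D3 fail
2024-05-01T18:00:00 203.0.113.50 KHAN B1C2D4 fail
"""

def flag_enumeration(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {surname: distinct failed locators} for every surname whose
    failed lookups reach `threshold` distinct locators inside `window`."""
    # Group by surname, not by IP: the guesser can change address,
    # but the surname being targeted stays the same.
    failures = defaultdict(list)  # surname -> [(timestamp, locator)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _ip, surname, locator, result = line.split()
        if result == "fail":
            failures[surname.upper()].append(
                (datetime.fromisoformat(ts), locator.upper()))

    flagged = {}
    for surname, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({loc for _, loc in events[start:end + 1]})
            if distinct >= threshold:
                flagged[surname] = max(flagged.get(surname, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

A single mistyped reference (PATEL) and two failures hours apart (KHAN) stay below the threshold; only the burst against JONES, spread across five client addresses, is flagged.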
Let’s not make it too easy for the bad guys when we travel.