Why you shouldn’t post a picture of a boarding pass on social media

Security experts are repeating warnings to keep pictures of documents with personal information and barcodes — such as boarding passes and tickets — off social media, after the latest instance of such information being misused.

Earlier this week self-described "hacker" Alex Hope detailed in a long blog post how he used an Instagram post from former Australian prime minister Tony Abbott, showing a boarding pass, to discern his passport number and other personal details.

Former Prime Minister Tony Abbott posted a picture of his boarding pass to Instagram. Credit: Getty Images

Hope warned Qantas and Mr Abbott about the breach, but the episode shows how easily images like this can be used for identity fraud or other crimes.

Mark Gorrie, the Australia-Pacific senior director of cybersecurity company NortonLifeLock, said boarding passes featured information that can make it very easy for anyone to uncover more personal details than are printed on the paper.

Blogger Alex Hope used the booking reference that was visible on the boarding pass to log in to Qantas’ website and was able to view personal details. Credit: Instagram

"As we saw with Tony Abbott, his passport number and phone number were easily discoverable with little effort on the part of the hacker," Mr Gorrie said.

"Private details, such as an email, home address and phone number linked to an airline account could be exposed and even give a cyber criminal the ability to change your travel plans."

Hope said he had tried to scan the barcode on Mr Abbott's pass, but then realised the booking reference was printed on it so he used that to log in to Qantas' website and found Mr Abbott's details.

He said he spent six months trying to alert Qantas and Mr Abbott to the fact that these details are so easily accessible.

This is not a new vector for malicious actors to grab valuable information. In 2015 security expert Brian Krebs was warning about software that could dig into the data locked away behind pictures of barcodes and QR codes on tickets and boarding passes.

These often contain airport codes, flight numbers, frequent flyer IDs and names, Krebs said, which is easily enough to log in to airline websites and impersonate the ticket holder. While information like phone numbers and future travel plans isn't in the barcodes or on the ticket, it is easily accessible through the airline website.
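What the barcode in such a photo gives away, as an added example that is not part of the original article: boarding pass barcodes commonly follow the IATA Bar Coded Boarding Pass (BCBP) layout, whose mandatory section is 60 characters of fixed-width plain text. The traveller, booking reference, carrier code XX and all function names below are constructed for illustration.

```python
# Mandatory section of an IATA Bar Coded Boarding Pass (BCBP) string, single leg.
# It is fixed-width plain text: (field name, width in characters).
# Frequent flyer numbers sit in the optional section that follows; not parsed here.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_reference", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("day_of_year", 3), ("compartment", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters

# Fields that identify the traveller or the booking.
SENSITIVE = ("passenger_name", "booking_reference", "from_airport",
             "to_airport", "carrier", "flight_number", "day_of_year")


def parse_bcbp(text):
    """Split the mandatory section of a decoded barcode into named fields."""
    if len(text) < MANDATORY_LEN or text[0] != "M":
        raise ValueError("not a BCBP 'M' string")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = text[pos:pos + width].strip()
        pos += width
    return fields


def exposed_by_photo(text):
    """Return the identifying values readable from a photo of the barcode."""
    fields = parse_bcbp(text)
    return {name: fields[name] for name in SENSITIVE if fields[name]}


def constructed_sample():
    """Build a made-up boarding pass string (fictional traveller, carrier XX)."""
    values = ["M", "1", "DOE/JANE MS", "E", "ABC123", "SYD", "MEL", "XX",
              "0401", "226", "Y", "012A", "0001", "1", "00"]
    return "".join(v.ljust(w) for v, (_, w) in zip(values, FIELDS))


if __name__ == "__main__":
    for name, value in exposed_by_photo(constructed_sample()).items():
        print(f"{name:18} {value}")
```

Nothing in this section is encrypted, which is why cropping or blurring the printed text alone does not protect a pass whose barcode is still visible.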

In Mr Abbott's case, Hope was able to get to additional information — including airline staff's notes and comments about the trip — by examining the HTML code of the Qantas website.

Also in 2015, a woman who posted a selfie with her winning Melbourne Cup ticket found someone else had already claimed it by the time she reached the TAB. There have also been instances of tickets for sporting events and concerts being replicated from online photos and sold online as legitimate.

Mr Gorrie said it was important to be aware of the opportunities you're giving malicious actors by posting pictures of yourself and your personal items to the public internet.

"If you’re posting pictures to Instagram or other social networks, make sure you switch your privacy settings to only share updates with your trusted network," he said.
