This article originally appeared on Motherboard Germany.
A quick search for the hashtag #boardingpass comes up with around 92,000 results on Instagram. According to our calculations, that’s exactly 92,000 too many. That’s because it’s not only your followers who delight in a lighthearted announcement of your upcoming trip or vacation—criminals who are either interested in stealing your identity, using your name to fly somewhere, or taking over your account can cause a lot of damage with a photo of your boarding pass.
In the first half of 2017 alone, there have already been so many cases of identity theft that the BBC referred to it as an “epidemic.” The most affected age group, however, wasn’t unsuspecting grandmas who click on shady links, but rather people around the age of 30, or so-called “digital natives.”
But how are cyber criminals accessing the online identities of their victims, when awareness about the importance of having a secure password is on the rise? The answer lies in our feeds. Many people aren’t aware that by carelessly posting Instagram photos of tickets or even car keys, they’re sending a friendly invitation to strangers to get a little creative.
Your booking code is a temporary password—and not a very good one
Hacker Karsten Nohl proved last year at the Chaos Communication Congress in Hamburg, Germany, that the six-digit booking code, known by airlines as the PNR (Passenger Name Record), is a goldmine for identity theft.
Nohl discovered that the PNR is nothing more than a really bad temporary password given out by airlines that openly floats around on every luggage tag. Anyone who knows your booking code and last name can use the online check-in portal to get free flights or wreak other sorts of havoc.
On some airlines’ websites, the passenger’s last name and departure time are enough to log in as a registered passenger and receive a copy of their boarding pass. And because we live in a time of codesharing agreements between different airlines, it’s possible to use a single PNR to log into five or more airline websites—at which point criminals usually carry out an attack with relative ease and gain access to additional personal information or fraudulently obtain flights for free. It’s simply a question of finding the worst-configured site.
The story behind this sort of flight theft had already made huge waves by the beginning of 2017. But as developer and cybersecurity expert Michal Spacek explains, airlines and passengers in particular seemed to have learned very little just eight months later. In a post on his website, he illustrates everything you could possibly do through a quick photo search on social media.
With or without a booking code: Three arguments against boarding passes on social media
In the first of three Instagram case studies, Spacek describes how he not only determined the location of a friend on vacation in Hong Kong, but also could have framed him as an internationally wanted criminal. He was able to do all of this because Spacek’s friend had artfully arranged a photo of his boarding pass next to his smartphone and speakers.
With the photo of the clearly legible booking code, Spacek could log into the British Airways check-in site, where he could see his friend had typed in all his important personal information—date of birth and passport number included—before his departure.
To play a practical joke on him, all Spacek would have to do is convince the website that his friend was the one trying to change the details. Because he doesn’t yet have the passport number of his victim, the website kindly gives him the option of entering his date of birth. Bingo. In the case of this victim, that information wasn’t only available in the airline’s register but also on Facebook. Spacek could then modify the data as he liked—and change the passport number, for example, to that of a terrorist registered in an Interpol database.
Second case: Someone—let’s call her Anna—tries to protect herself on Instagram by photoshopping out her last name on her boarding pass photo before posting it online. But that won’t do her any good as long as the Aztec Code is still visible. In this case, Spacek would need nothing more than an app like “Barcode Scanner” to retrieve the passenger’s full name. This killer combination gives him—depending on the airline’s level of security—the same hazardous opportunities as in the first case.
Third case: A guy—in this case, the founder of a rather famous startup—posts a photo of his smartwatch displaying an Aztec Code instead of his boarding pass. Spacek was able to scan it as in the previous case, and this time it unlocked something even more valuable: the founder’s frequent-flyer number, which the airline usually protects at all costs.
With the help of this number and publicly available information, Spacek would just need to answer two laughably simple questions at United Airlines to immediately create a new password for the victim’s account—that’s the jackpot, because from there, he could score other relevant information, such as payment information, reservations, and addresses, as well as one or two free flights. Since Spacek demonstrated his hack, United has built in an additional layer of security for changing passwords. But until recently, he could have hijacked the founder’s identity and blocked him out of his account.
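The second and third cases hinge on one point: the barcode carries the passenger’s data in plain text, so hiding the printed name changes nothing. The following added example (not from the article, and not Spacek’s or any airline’s code) decodes the mandatory, fixed-width part of an IATA “M” format boarding-pass payload, the kind a barcode-scanner app returns, and flags the fields that the cases above show to be enough for a stranger to act as the passenger. The payload string is constructed for the demonstration; the trailing conditional section, which in the IATA layout is where the frequent-flyer number from case three is carried, is returned raw rather than decoded. The field widths are the standard mandatory items of that format.

```python
from datetime import date, timedelta

# Mandatory items of a single-leg IATA BCBP "M" payload, in order, with their widths.
MANDATORY_FIELDS = [
    ("format_code", 1),
    ("number_of_legs", 1),
    ("passenger_name", 20),      # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),
    ("pnr", 7),                  # the booking code the article calls a bad password
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("date_julian", 3),          # day of year, 001-366
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2), # length of the conditional section that follows
]

# Fields which, combined, open the check-in portals described in the cases above.
SENSITIVE = {"passenger_name", "pnr", "date_julian"}

# Constructed sample payload (not a real booking): Jane Doe, BA0031 LHR->HKG, seat 12A.
SAMPLE_PAYLOAD = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "LHR" + "HKG" + "BA".ljust(3) + "0031".ljust(5) + "245"
    + "Y" + "012A" + "0025".ljust(5) + "1" + "00"
)


def parse_bcbp(payload: str) -> dict:
    """Split the fixed-width mandatory section into named fields."""
    if not payload.startswith("M"):
        raise ValueError("not an IATA 'M' format boarding pass payload")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        chunk = payload[pos:pos + width]
        if len(chunk) < width:
            raise ValueError(f"payload truncated inside field {name!r}")
        fields[name] = chunk.strip()
        pos += width
    # Everything after the mandatory block is the conditional section (left undecoded here).
    fields["conditional_section"] = payload[pos:]
    return fields


def flight_date(day_of_year: int, year: int) -> date:
    """Resolve the three-digit Julian day; the barcode carries no year, so it is supplied."""
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


def exposed_fields(fields: dict) -> dict:
    """Return the subset of decoded fields that should never appear in a public photo."""
    return {k: v for k, v in fields.items() if k in SENSITIVE and v}


def shareable_summary(fields: dict) -> str:
    """What a traveller can post without handing over the booking: carrier and route only."""
    return f"{fields['carrier']} {fields['from_airport']}->{fields['to_airport']}"


if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_PAYLOAD)
    print("exposed by the barcode:", exposed_fields(decoded))
    print("flight date (assuming 2017):", flight_date(int(decoded["date_julian"]), 2017))
    print("safe to share:", shareable_summary(decoded))
```

Run against a real scan, the exposed-fields dictionary is the concrete answer to “but I cropped my name out”: the name, the booking code and the travel date are all still there in the barcode.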
But I want to show everyone where I’m flying anyway!
You do you, so long as you don’t show names, booking codes, dates, and the barcode. Blacking out sensitive information is a lot smarter than blurring it out, because the pixels, under the right circumstances and with the right programs, can often be reverted to their previous form, disclosing exactly the thing you’re trying to conceal.
Even if it isn’t likely, when it comes to written text and numbers, you’ll be on the safer side if you simply put a black bar across the information, instead of giving attackers the chance to piece together the leftover streaks or outlines of the original. No information is safer than scraps of information.
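The difference between a blur and a black bar is the difference between a lossy transform and a constant. The toy below is an added example (not from the article) that models a line of text as a single row of pixel intensities (constructed: one grey level per character) and redacts it both ways. A checker then asks which candidate labels, redacted the same way, reproduce the published pixels: with the box blur only the true label survives, with the black bar every candidate does, which is exactly the “no information” property you want. Candidate names and the blur radius are assumptions chosen for the demonstration.

```python
def render(text: str) -> list:
    # Constructed stand-in for a rendered text line: one grey level per character.
    return [float(ord(ch)) for ch in text]


def blur(row: list, radius: int = 2) -> list:
    # Box blur: each pixel becomes the mean of its neighbourhood. It is linear and
    # lossy, but most of the input still shapes the output.
    out = []
    for i in range(len(row)):
        lo, hi = max(0, i - radius), min(len(row), i + radius + 1)
        out.append(sum(row[lo:hi]) / (hi - lo))
    return out


def black_out(row: list, radius: int = 2) -> list:
    # Replace the whole region with a constant: nothing of the input survives.
    return [0.0] * len(row)


def candidates_consistent_with(redacted: list, candidates: list, redactor) -> list:
    # Which candidate labels, put through the same redaction, reproduce the published
    # pixels? A sound redaction should not single out the true label. The toy assumes
    # candidates of the same width as the redacted region.
    matches = []
    for text in candidates:
        if len(text) != len(redacted):
            continue
        if all(abs(a - b) < 1e-9 for a, b in zip(redactor(render(text)), redacted)):
            matches.append(text)
    return matches


# Constructed candidate names; DOE/JANE is the one actually printed on the pass.
CANDIDATE_NAMES = ["DOE/JANE", "DOE/JOHN", "ROE/JANE", "POE/JUNE"]
TRUE_NAME = "DOE/JANE"


def compare_redactions() -> dict:
    # Publish the name once blurred, once blacked out, and see what each still reveals.
    blurred = blur(render(TRUE_NAME))
    blacked = black_out(render(TRUE_NAME))
    return {
        "blur": candidates_consistent_with(blurred, CANDIDATE_NAMES, blur),
        "black": candidates_consistent_with(blacked, CANDIDATE_NAMES, black_out),
    }


if __name__ == "__main__":
    for method, survivors in compare_redactions().items():
        print(f"{method}: candidates still consistent with the photo -> {survivors}")
```

The checker is the useful part for a defender: before posting, a redaction that leaves exactly one candidate consistent with the image has not redacted anything, whatever it looks like to the eye.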
Many people like to forget that this doesn’t just apply to photos, but also paper tickets and boarding passes. Rather than just letting them lie around in the airplane, it’s much better to dispose of them after use—the best case scenario is to tear them up. For that next level of paranoia, get a paper shredder for your home or throw your torn up boarding pass into different garbage cans when you arrive at your destination. But in most cases, there’s one tip that’ll do the trick: Just don’t post your boarding passes online. Besides, pictures from your airplane window look better anyway.
Safer bragging with car keys
Sure, you’re proud of your car. Maybe it’s new and probably expensive, and you’d like to share with the world that your key to freedom is lying on the table right next to your avocado toast. But your keys don’t belong on Facebook, Twitter, or Instagram.
That’s because it’s not all that difficult to recreate a precise computer model from the contours and shadows using a 3D program. CAD software, for example, can retrace the forms present in photos, which are then converted to Flash files, while the attacker warms up a 3D printer and picks out different color schemes for his synthetic-resin key copy. From there, an attacker can figure out the location of your car or home through geotags or other bits of information easily gleaned from social media. Thirty minutes later, the copy is completely cast—and in most cases, it is exact enough to pull off the heist.
But if you’re really eager to post your keys on social media, then you don’t even need to be skilled with Photoshop. Just hold them by the key bit, or at least hide the lower third of the key tip, so that no one can make a copy. And here’s another great tip: Show off your car instead of the info required to steal it.