When you’re picking vacation photos to post on social media, there are some you should leave out: any shots of your boarding pass. Here's what Globe Aware travelers should know about the risks of sharing those documents and how they can protect themselves.
Don't do it for the likes: Why travelers shouldn't post their boarding pass online
By Nathan Diller
JULY 24, 2023
When you’re picking vacation photos to post on social media, there are some you should leave out: any shots of your boarding pass.
Outside their primary function at the airport, the documents might seem like nothing more than travel scrapbook fodder, but they can reveal a lot more than flyers may think. “People often think, like, ‘Just this information isn't enough to compromise (me),’ but that's not how the attackers view that information,” said Amir Tarighat, CEO of cybersecurity firm Agency.
Here’s what travelers should know about the risks of sharing those documents and how they can protect themselves.
Why shouldn’t I post my boarding pass on social media?
Online attackers can take advantage of travelers in a number of ways if they get an image of their boarding pass.
Even if the information on the documents seems limited, Tarighat said bad actors “can very easily bring up the rest of the things they need to know about you from public records, like your date of birth, your address or phone number (or) your email address.” They can even cross-reference those with other details available from past data breaches.
“Frequent flyer miles are actually really easy to steal, and they kind of don't have the same protection that banks have,” Tarighat said, adding that travel accounts are commonly sold on the Dark Web.
Hackers may be able to use the information on a boarding pass – such as your rewards account and confirmation numbers – to access your account. Third parties can also extract information via the barcodes on a boarding pass, Tarighat said.
The information on that travel document can also be used to create social engineering attacks, which is “basically tricking people,” he said.
“So you might be an employee of a corporation, and somebody sees that, ‘Oh, this person is traveling,’” he said. “They can use that information in social engineering, phishing and spam emails to other employees who work at the company and say, like, ‘Amir's in Paris this week,’ or whatever, and use that information to get you to do something.” That could include giving them access to a certain account or wiring money.
The information can also create digital breadcrumbs for attackers to follow the traveler’s online connections, which can provide further fodder for attacks.
How can I protect myself?
If your airline rewards account is compromised, Tarighat said, “You’re at the mercy of the airline. You kind of have to ask them to help you.”
Consumers can also report fraud and scams to the Federal Trade Commission.
But Tarighat stressed the importance of having preventative measures in place, such as two-factor authentication on all accounts and strong passwords. Travelers can also use services that scan for personal data online and remove their information from public records sites. While information on the Dark Web can’t be removed, he added, travelers can take steps such as discontinuing the use of a compromised email address or changing their passwords.
“It’s really about just vigilance,” Tarighat said.