A few weeks ago, a friend of mine posted a picture on Instagram and Facebook. We’ve probably all seen it before, a picture of someone’s boarding pass with commentary about how excited they are to be off to their next destination.
I love pictures like this, because I love seeing people traveling the world with those they love and seeing pictures of their experiences.
As much as I hear things like “Andy, we live vicariously through your blog!” and “Hey Andy, how about that $20 you owe me!” I enjoy seeing other people’s trips almost as I enjoy going on my own. More travel is very seldom a bad thing in my eyes. There was a problem with his post though, and I’ve seen it countless times: he didn’t hide any of his personally identifiable information. This information is displayed all over boarding passes. Why is this a bad thing? I mean, if someone is Facebook friends with you, then surely they know you, right? Same for Twitter and Instagram? Really?! Of course not. You simply don’t know who can see pictures you post to social media. So why is it bad to post boarding passes to social media?
For as often as the airline industry and federal government harp on airport and airplane safety (with good result, airlines are safer than ever), there’s a gaping hole in their systems: the ease of accessing reservations of others. If I’m a social deviant (or worse, a criminal looking to steal data), accessing your reservation means I now have access to (usually) your email address, your physical address, and even the last four digits of the card you used to purchase the ticket.
The airlines have to tread a fine line in designing their websites, especially in the age of OTAs (online travel agencies) where a person who never interacts with the airline directly all of a sudden has a ticket on said airline. Coupling that with people’s general hatred regarding registering for yet another website, airlines need to have a universal code that someone can use to access their reservation. An airline can issue what’s called an e-ticket, which is a series of numbers. This is confusing as heck to remember and/or type in correctly, so airlines also issue something called a PNR (Passenger Name Record). This is a six-character code that links to your reservation. Let’s take a look at an American Airlines boarding pass (this is an older boarding pass).
Now, I’ve gone in and used iPhoto to digitally obscure the personally identifiable information on the boarding pass, but let’s just take a look at the information displayed therein:
Ok, instant security survey: if I asked you to, instead of posting a picture of your boarding pass, post all of the above information instead, how many of you would do it? Very few, probably none, and for good reason. Using just about any of those data points, anyone can access your reservation details on the airline’s website. Not to be a creep or anything, but using the data I saw on this friend’s boarding pass, I immediately was able to gain access to his reservation and see all of the data therein. Of course I didn’t do anything, but come on everyone, this is the internet. There are a lot of bored people that love causing chaos who have no feelings and would gladly ruin someone’s carefully crafted travel plans simply for the perverse pleasure of doing so.
Ben over at One Mile At A Time even had someone go in and cancel his flights a few years ago! He goes on to mention in his post that you can password protect an itinerary by calling the airline, and I suggest you do so for an important trip that you don’t want anyone social engineering and ruining.
A much easier solution, however, would be not to post your boarding pass picture in the first place! Find a different picture, anything! It’s getting to the point I try to speak only generally about my trips on social media before I take them, because, with a comically limited amount of information, someone could really mess up my trip. Not to mention that would be one of the creepiest feelings in the world, knowing that someone went in and had that much access to my information. Don’t be a victim, be careful what you post out there!
UPDATE: Unfortunately, we now have an example of yet another person who fell victim to this. WFAA (my local Dallas station) reports a sad story of a Houston Texans football fan whose boyfriend decided to surprise her with a trip to the away game in Jacksonville, Florida. She was excited and they posted pictures of their boarding passes to a Texans Facebook group.
An online prankster found the boarding passes, logged in, and canceled their flights! As I show you in the video above, it’s not that hard to do. Fortunately the story has a happy ending! The airline eventually reissued the tickets and their story went viral during their flight. They ended up being invited to tailgates hosted by Jacksonville fans and even received sideline passes for the game!
It’s a great ending to an otherwise annoying story. Sure there are things the airlines could do to make things more secure, but don’t wait for them: simply stop posting boarding passes (and concert/event tickets as well) to social media!
110 Reykjavik, Iceland