Don't even think about posting a photo of your boarding pass on social media.
For millions of travelers, printing out a boarding pass is just part of the pre-flying routine, falling somewhere between checking in to a flight and heading to the airport. That boarding pass is your ticket through airport security and the departure gate so, naturally, you keep it safe until you’re on the plane. But what do you do with that slip of paper after takeoff?
Do you use it to bookmark the airline’s in-flight magazine? Tuck it into the seatback pocket? Hold on to it and chuck it in the waste basket in your hotel room? Or, worse, do you take a photo of your boarding pass and share it on social media?
Any of those moves could be a gift to hackers, say cybersecurity experts. In an era where concerns over digital privacy loom large, travelers may think that good old paper is a safe bet. But paper boarding passes that aren’t safeguarded make it easier for hackers to target the stockpile of frequent flyer miles you’ve spent years building.
“If you look at a boarding pass through the eyes of a scam artist, it's really the laundry list of things you need to take over a frequent flyer account,” says Charles Henderson, Global Managing Partner and Head of X-Force Red at IBM Security.
Cracking into a frequent flyer account usually doesn't take a whole lot of skill, says Caleb Barlow, president and CEO of CynergisTek, a cybersecurity consulting firm. “All you need is your name, your booking reference number and your frequent flyer number. All three of those things are on the boarding pass,” he says. “There could be a couple of basic password reset questions – but I might be able to get the answers to those just by looking on the web. And now that I've got your frequent flyer account.”
A new form of currency
“When you look at cybercrime, the travel industry is now the second most-attacked industry, right behind financial services,” says Barlow. “And a lot of that is because bad guys are realizing the value of loyalty points.”
For hackers, frequent flyer miles are just another currency. In a report published last year, the tech site Comparitech detailed how the site’s editors pored through the dark web looking for sites that sold illicit miles and points. One example, a site called Dream Market, was setting an average price of $884 for 100,000 airline miles for many major carriers.
That’s a buyer’s bargain. The personal finance site NerdWallet estimates that United MileagePlus points are worth roughly a penny apiece in terms of buying power – meaning that 100,000 points are worth $1,000. And points for other legacy carriers are valued substantially higher. Delta SkyMiles and American AAdvantage miles are valued at an average of 1.7 and 2.6 cents apiece – that means 100,000 points have buying power equal to $1,700 and $2,600, respectively.
Once a hacker has taken over a frequent flyer account, he has two options, explains the Comparitech report: “Sell the hacked account or transfer the miles into another account. Buying a hacked account is fairly straightforward, more common, and from what we could tell, cheaper. A typical listing on the dark net offers the necessary login information. The buyer is then responsible for transferring the miles to his or her own account, or redeeming the rewards directly.”
The scheme works because criminals can rely on a few things, says Barlow. “One, it's relatively easy to figure out how to get into your frequent flyer account. Two, you're probably not watching your miles or points like you would be your bank account. And three, it's relatively easy to use your miles or points in ways that may be very difficult to trace,” he says. “It's easy to turn points into gift cards or into travel and lots of other things that can be used immediately or sold.”
The bottom line: “You should think of your frequent flyer number like a credit card or a bank balance,” says Barlow. “Would you carelessly throw away a piece of paper with your credit card number and your name on it? Of course not.”
Don’t show and tell
What’s even riskier than a printed boarding pass? Taking a photo of your boarding pass and posting it on social media.
On Instagram, the #boardingpass hashtag currently includes more than 116,000 photos, many of which display an entire boarding pass with precisely the information a hacker would need.
It’s a really dumb practice, says Henderson. “If you print out a boarding pass and somebody picks it up, only one person is going to get your details. But when you put it on social media, you're talking about thousands of people who now have your details.”
“And if you put a hashtag on it that says boarding pass, you make it even easier for scam artists,” says Henderson. “But the message here is not ‘don't hashtag your boarding pass photos.’ It's ‘don't take the photos in the first place.’”
Two easy ways to protect miles and points
As it happens, there are some simple ways for travelers to protect their miles and points. “Enable two-factor authentication on your frequent flyer account,” says Barlow. 2FA strengthens login security by requiring a second piece of information – typically a temporary security code delivered to your cell phone – in order to access your account or change a password.
“And I would absolutely recommend using the mobile boarding pass on the airline’s app,” says Henderson. “Paper boarding passes are just inherently insecure. There's a reason that we took credit card numbers off receipts.”
READ MORE
