25 January 2019 – SureCloud, a provider of Cybersecurity services and Governance, Risk and Compliance solutions has warned consumers that barcodes on boarding passes can be easily read by criminals, enabling them to steal personally identifiable information and, in some cases, gain access to the customer’s account with the airline and make changes to flight bookings.
Luke Potter, SureCloud’s Cybersecurity Practice Director, and his team will appear on BBC One’s Rip-Off Britain programme on the 25th January to demonstrate how passengers who post images of the pass on social media, or discard the pass after flying, could leave themselves vulnerable to data theft, identity fraud and account takeover.
Using barcode scanning mobile apps that are easily obtainable from app stores, SureCloud’s researchers were able to obtain personal data such as the individual’s full name, document verification number and airline frequent flyer account number from an image of a volunteer’s recently used boarding pass that they had posted to social media.
Combined with wider open-source intelligence (OSINT) techniques, researchers were also able to obtain the volunteer’s driving licence number, home address, middle name and date of birth. Using the information gathered, it would be relatively simple for a malicious party to carry out identity fraud or potentially take over a victim’s existing accounts.
SureCloud’s Cybersecurity Practice Director, Luke Potter comments: “Posting photographs of boarding passes on social media is a popular trend. There are currently more than 108,500 posts on Instagram under the hashtag #boardingpass. Although some users obscure printed details such as their full name, users commonly leave the barcode on display, thinking it can only be scanned at the airport, but anyone can easily scan the code themselves to extract data, even from an image posted on social media.
“Depending on the airline, if the barcode is scanned before a flight it can also be used to make changes to bookings. Passengers should be aware that the barcode on the pass can be scanned from an image and can still be used many months after the holiday is over so it should never be shared or discarded without care.”
A demonstration of the attack method can be seen on BBC One’s Rip-Off Britain on the 25th January at 9:15am, or on BBC iPlayer here: https://www.bbc.co.uk/programmes/b0c0vz95
SureCloud is a provider of Cybersecurity services and cloud-based, integrated Risk Management products, which reinvent the way you manage risk. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture. SureCloud not only offers a wide range of Cybersecurity testing and assurance services, but crucially, we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation.