Brian Krebs, an author specialising in cybercrime and computer security, recently wrote about a reader of his KrebsOnSecurity blog who investigated how much information he could extract from a boarding pass his friend uploaded to Facebook.
“I found a website that could decode the data and instantly had lots of info about his trip,” the reader, Cory, said.
“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” he said.
“I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
Krebs wrote that the access granted by Lufthansa’s site included Cory’s friend’s phone number and gave him the ability to view, edit and even cancel all future flights tied to that frequent flyer account.
The information you’ve unknowingly given away in your smug snap could also make it easier for someone to reset your passwords.
“For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site,” Krebs wrote.
“After that, the site asks for the answer to a pre-selected secret question. The question in the case of Cory’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mum’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)”
This article originally appeared on 7travel.com.au.