- Publish Date
- Tuesday, 26 November 2019, 3:54PM
When it comes to travelling, you've probably never given your paper boarding pass a second thought when it comes to cybersecurity.
After all, it is just a harmless piece of paper that has no connection to the internet.
Well, according to cybersecurity experts, we should be more careful when printing out boarding passes and should instead stick to the digital ones sent to mobile phones.
Because apparently a hard copy of your ticket is just as valuable to cybercriminals as anything else.
As revealed in a new report by Forbes, travellers who don't carefully dispose of their paper boarding pass – or who post it online – are making it easy for hackers to crack into their frequent flyer accounts and steal points that are hugely lucrative on the black market.
Caleb Barlow, president and CEO of cybersecurity consulting firm CynergisTek, told Forbes that to break into a frequent flyer account, "all you need is your name, your booking reference number and your frequent flyer number. All three of those things are on the boarding pass."
"There could be a couple of basic password reset questions – but I might be able to get the answers to those just by looking on the web. And now that I've got your frequent flyer account."
Even the barcode gives valuable information to hackers – not just your name.
Charles Henderson, from IBM Security, said the travel industry was the second most targeted industry by cybercriminals behind financial services.
Part of that was because of the enormous value of loyalty points.
In some cases, hackers transfer points into their own account or use them to buy flights and upgrades for themselves.
In other cases, stolen points are sold on the dark web.
Mr Henderson said people should use the mobile boarding pass on the airline's app instead of printing them.
"Paper boarding passes are just inherently insecure," he said. "There's a reason that we took credit card numbers off receipts."
"Would you carelessly throw away a piece of paper with your credit card number and your name on it?" he said. "Of course not."