At a time when it seems like nothing online is safe – especially when it comes to travelling – an old-school, paper boarding pass might seem like the safest option.
But cybersecurity experts say that’s a fallacy – a hard copy boarding pass is just as valuable to cybercriminals as anything else.
And they’re warning travellers to reconsider having boarding passes printed out and to stick to the digital ones sent to phones instead.
According to a new Forbes report, travellers who don’t carefully dispose of their paper boarding pass – or who share it online – are making it easy for hackers to crack into their frequent flyer accounts and steal points that are hugely lucrative on the black market.
To break into a frequent flyer account, “all you need is your name, your booking reference number and your frequent flyer number. All three of those things are on the boarding pass,” Caleb Barlow, president and CEO of cybersecurity consulting firm CynergisTek, told Forbes.
“There could be a couple of basic password reset questions – but I might be able to get the answers to those just by looking on the web. And now that I’ve got your frequent flyer account.”
Charles Henderson, from IBM Security, said the travel industry was the second most targeted industry by cybercriminals behind financial services.
Part of that was because of the enormous value of loyalty points. In some cases, hackers transfer points into their own account or use them to buy flights and upgrades for themselves.
Finder.com.au editor-in-chief Angus Kidman recently told news.com.au how 47,000 Virgin Velocity points were stolen from his account and used by a hacker to buy an overseas flight.
In other cases, stolen points are sold on the dark web.
Tech sites that have investigated the sale of points on the dark web have reported that the points have the buying power of at least one US cent each. Personal finance site NerdWallet estimated American Airlines’ AAdvantage points were valued at about 2.6 US cents each, which means 100,000 of those points have buying power equal to $US2600 or $A3808.
Mr Barlow told Forbes dealing with stolen points wasn’t very difficult.
“One, it’s relatively easy to figure out how to get into your frequent flyer account,” he said.
“Two, you’re probably not watching your miles or points like you would be your bank account.
“And three, it’s relatively easy to use your miles or points in ways that may be very difficult to trace. It’s easy to turn points into gift cards or into travel and lots of other things that can be used immediately or sold.”
Another easy way for points to be stolen is when people succumb to the dangerous trend of posting photos of boarding passes online – another way of exposing to cybercriminals the information they need to carry out a hack.
Even the barcode gives valuable information to hackers – not just your name.
Mr Henderson said people should use the mobile boarding pass on the airline’s app instead of printing one at home or at the airport.
“Paper boarding passes are just inherently insecure,” he said. “There’s a reason that we took credit card numbers off receipts.”
Digital boarding passes may soon be the only option for travellers anyway, with Qantas and Jetstar announcing this year they would ditch paper passes and switch to a digital system to cut down on paper waste.
Mr Barlow said to protect frequent flyer points, travellers should enable two-factor authentication on the account, if possible, to bolster login security.
Whatever they do, though, he said people needed to start thinking of their frequent flyer account like they would their credit card number and savings balance.
“Would you carelessly throw away a piece of paper with your credit card number and your name on it?” he said. “Of course not.”