January 28, 2019

Holiday hacks: Cyberattackers could steal your holiday and your data

By Priya Kantaria

You’ve booked your holiday flights and hotel, you’ve even checked in online and printed off your boarding pass.

The next obvious thing to do is to post on social media – a quick snap with your boarding pass for Instagram?

No, holidaymaker, not so fast.

SureCloud is warning travellers that barcodes on boarding passes can be read by hackers, letting them steal personally identifiable information and even gain access to customers’ accounts with airlines and make changes to bookings.

Hackers can use barcode-scanning mobile apps, easily downloaded from app stores, to get personal data like names, document verification numbers and airline frequent flyer account numbers from a social media image.

Researchers from SureCloud even obtained a volunteer victim’s driving licence number, home address, middle name and date of birth from an image.

And right now there are more than 108,500 posts on Instagram with #boardingpass, signposting the hackers to possible victims.

There were over 200 new #boardingpass posts made in the last week alone, creating nearly 900,000 impressions and gaining over 13,000 likes.

#boardingpass at your own risk

SureCloud’s Cybersecurity practice director, Luke Potter, said: “Posting photographs of boarding passes on social media is a popular trend.

“Although some users obscure printed details such as their full name, users commonly leave the barcode on display, thinking it can only be scanned at the airport, but anyone can easily scan the code themselves to extract data, even from an image posted on social media.

“Depending on the airline, if the barcode is scanned before a flight it can also be used to make changes to bookings. Passengers should be aware that the barcode on the pass can be scanned from an image and can still be used many months after the holiday is over so it should never be shared or discarded without care.”

Hyatt hack

You’ve arrived safely on the other side, and been careful to dispose of your used boarding pass appropriately because the hard copy can be just as easily used in a hack.

But there are more cybersecurity risks at your luxury lodgings.

Big name hotels like Sheraton, Radisson and Hyatt that use an Assa Abloy locking system were hacked, again only by researchers, reported The Telegraph in April 2018.

Cybersecurity company F-Secure managed to create a master key that gave them entry to every room at the inn.

The team spent many years and hours of work finding exploitable loopholes in the locking system, which led to the hack.

They used one key card and a cheap piece of hardware, combined with custom-built software, to read the card and find the master key code.