In Plane Sight

Don’t post pictures of your airline boarding card to social media or you could become a cybercrime victim.

In the days when speeds of connectivity made the pace of a glacier seem sprightly, and nobody was connected outside of their home or office cyber-crime was an unknown entity.

Back then in the ‘dial up’ years another crime wave was creating column inches in the newspapers and magazines – identity theft. This was an analogue crime, what millennials may consider almost ‘retro’ in its paper based simplicity. Thieves and rogues would go through the dustbins of individuals looking for documents that contained personal information. Anything would do, a discarded utility bill, a receipt with a credit card number on it – yes, they used to be printed in full on the receipts until somebody pointed out how silly that was – or a bank statement which would be considered gold dust in the identity theft world.

With this paper in their hand the villains would use it as a form of identification to establish lines of credit that would be drained almost instantly, leaving the unsuspecting victim with a rapidly approaching shock.

The mitigation strategy that was advised at the time was to purchase a domestic paper shredder and ensure that documents that contained the merest hint of who you are and what your personal circumstances are was reduced down into pieces about the size of confetti.

I conformed, as I so often do to well considered advice, and developed a comprehensive personal shedding policy thanks to the mechanical and affordable genius of a company called Fellowes. Their range of shredders adorned the shelves of office supplies outlets, stationers and all manner of places.

But time and crime both move on. As we connected at ever greater speeds, electronic billing came into being and the criminals moved on from the urban skill of bin diving, to the infinitely more scalable and profitable area of cyber-crime.

However, it seems that we haven’t learned our lesson and are still gleefully allowing personal information to appear in plain sight – or in the story I’m about to recall that should be ‘Plane Sight’

The National Cyber Security Centre (NCSC), a part of GCHQ, each week post a Weekly Threat Report on their website. This is a top level, but useful bellwether for current attack vectors and scams that are gaining momentum. One such threat that they posted in their September 1st report was titled “Airline boarding passes and baggage bar code stickers”.

They restate that since at least 2011 security experts have warned that an airline boarding pass can provide would-be attackers access with a host of sensitive passenger information and refer to a recent security blog about this subject.

We all know that the modern-day boarding cards and baggage code stickers are a collection of bar codes, QR codes and modern day digital hieroglyphics. The only thing that is readable is your name and destination, therefore when individuals are off to the far-flung corners of the globe they are having an increasing tendency to post a picture of their boarding pass on social media. I have to assume that this is in order to let all their friends and followers know what a jolly exciting life they lead.

The NCSC state that a simple search on Instagram for ‘boarding pass’ will return 91,000 images of such items. For those of you with either a technical or criminal mind will know that software can be used to read those images, decode the bar and QR codes and provide enough information to gain access to the booking systems on most airline websites. This in turn, if used maliciously could be used to obtain additional data and alter or even cancel upcoming flights.

And this particular form of cybercrime is not restricted to just airline documentation. Essentially anything with an individually generated bar code, or QR code can reveal information.

Anybody out there been to a concert recently? Yep, your concert tickets are the same. Full of lots of personal information all encoded into little strips, or blocks of black and white. The temptation to show the world that you have front row seats at the O2 for the ‘must see’ pop sensation of the moment is far too great not to post to social media. If you do, then you run the risk of having your identity stolen. Especially if you add the hashtag appropriate to your event!

We may have thought that the days of paper shredding were over and that these documents could be photographed and shared, or in many cases simply thrown away into waste bins after their perceived life expectancy has expired. It hasn’t. The advice is, as it has always been, any documents that contain personally sensitive, or identifiable information should not be shared and should be discarded in a way that the information contained on them cannot be reconstituted.

Which means either burn them or shred them and whatever you do don’t post them in plain, or plane sight!

Share: Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInPin on PinterestEmail this to someone