How posting boarding passes on social media helps cyber-criminals.

Putting your boarding pass on Instagram and Facebook may be a fun way of sharing travel plans but it could be a is a huge mistake which hands online criminals powerful information. The advice from experts is:  don’t do it. Some Qantas frequent flyers have recently seen points disappearing from their account and the airline believes people with weak pins who post boarding passes on social media are particularly vulnerable. The airline says it is identity theft, rather than its system being hacked, that is the big problem. Information contained on a boarding pass includes your name and your frequent flyer number. But the bar code used to wave you through to the plane has other information embedded in it. Frequent flyer guru Steve Hui, of website iFLYflat, says the passenger name record (PNR) and date of travel could allow someone to log on while the ticket was still active to change a seat, a meal or even a flight. “It’s everything you would do as a ticket holder,’’ Hui told AirlineRatings.  “So while the seat is active that’s actually up for grabs. “Once you’ve flown that closes and you can’t access the site anymore but it still means people have your frequent flyer number.’’ Hui said he was not sure how people with this protection lost points but noted people who advertised their membership number were more likely to be targeted. “I guess the thinking is if someone’s discovered a membership number then it’s worthwhile putting the hacking system,’’ he said. “But if you don’t have a number to start with then there’s random chance, you’re not going to pick them up.’’ Hui said it was “pretty common” for people to post their boarding passes on social media but they would be better served to find other ways to advertise their trip, such as a selfie in the lounge or on the plane. Former Washington Post reporter and tech security blogger Brian Krebs, also advises people to shred their boarding passes rather than throwing them away. Krebs wrote on his blog about a reader who managed to decode a boarding pass by taking a screenshot and enlarging it. The reader was able to use the last name and the record locator — the code you type in to access your booking — to gain access to the traveller’s entire account on the Lufthansa website, including any future flights booked to his frequent flyer number from the Star Alliance. Krebs said the information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure the traveller’s Star Alliance frequent flyer account using a “forgot PIN” website. In this case, the site asked a pre-selected “secret” question about the traveller’s mother’s maiden name — information which could be gleaned from the Internet. Another problem is people using weak pins such as 0000 or 9999. Qantas has a four-digit pin and has also started offering two-step verification. This system requires members to use a unique SMS verification code before logging into their account. There is also an account lock-out process if someone makes multiple attempts to access an account using the wrong information. “While we can’t control identity fraud, there are multiple layers of security controls in place to protect our members’ personal information and points balances when a cyber-related incident occurs,” a Qantas spokeswoman said. “We continually invest in our people, processes and technology to protect the security of our members and their accounts.’’ Qantas also offers frequent flyer members a security tips page to help frequent flyer members remain secure online. These include ways to set up a strong password, use two-step verification and recognise phishing attempts, a process where criminals use disguised emails or websites to try and extract information.