Qantas to stop printing frequent flyer numbers on boarding passes

Seemingly innocent social media photos of a boarding pass can put your privacy at risk.

By David Flynn, October 10 2019

The boarding pass for your next Qantas flight probably won’t include your Qantas Frequent Flyer number, with the airline dropping those digits in the interests of passenger privacy in the social media age.

A Qantas spokesperson tells Executive Traveller that Qantas Frequent Flyer numbers are being removed from boarding passes “to maintain customer privacy.”

“Numbers are no longer on digital boarding passes and will gradually come off physical boarding passes over the next few weeks.”

Boarding passes will still show the traveller’s frequent flyer status, such as Gold or Platinum, which opens up perks such as access to airport lounges and the priority boarding lane. 

Why your boarding pass is a privacy risk

The modern habit of sharing a boarding pass photos on social media platforms such as Instagram, Twitter and Facebook can turn what seems like harmless ‘travel bragging’ into a hacker-induced headache.

Travel is exciting, but having your booking hacked is not.
Travel is exciting, but having your booking hacked is not.

A frequent flyer membership number, coupled with a passenger’s name, offers a window into their frequent flyer account – although would-be hackers still have to guess their password.

However, beyond the frequent flyer number, boarding passes contains a treasure-trove of details which can open the door to hackers, scammers and even identify theft.

The devil in the details

A six-digit alphanumeric PNR (Passenger Name Record) or a much longer E-Ticket number represent your specific flight booking.

Along with your family name, this is usually all that’s needed for somebody to visit the airline’s website and, through the Manage My Booking link, log in to not only view your booking and entire trip itinerary but many of your personal details.

Think twice before you post that photo of your boarding pass.
Think twice before you post that photo of your boarding pass.

This can result in malicious manoeuvres such as somebody changing your seats or flights, or even cancelling your booking.

However, in some cases the exposed data can include the last four digits of the credit card used to make the booking.

Beware the barcode

The barcode on the ticket also contains all of this travel information in a digital form to be scanned at check-in desks, lounges and departure gates.

But the tech-savvy can use special software capable of reading the barcode, even from a photo of the boarding pass.

The easy solution? Travellers should use smartphone photo-editing software to blur that sensitive information on their boarding pass, or just take a break from social media and enjoy that glass of pre-flight Champagne.

David

David Flynn is the Editor-in-Chief of Executive Traveller and a bit of a travel tragic with a weakness for good coffee, shopping and lychee martinis.

18 Jan 2017

Total posts 23

Recently flying on Delta I noticed they XX out must of the frequent flyer numbers, so it was piece of mind that the Frequent Flyer number was actually within the booking.

24 Aug 2011

Total posts 569

The QR code can simply be read with easily available apps on any smartphone. If you ever post a boarding pass photo on social media, make sure you hide or pixellate the QR code. The idea of XXX out most but not all of the FF number is very worthy particularly if there are subsequent disputes as to whether a FF number was recorded against a flight.

I think it is time for airlines to do second level authentication on booking changes made online. This would mean a code being sent by SMS to the mobile number attached at the time of original booking that needs to be entered to authenticate any change. This is common across many online services already such as banking and payroll applications. This would overcome potential fraudulent access to booking data using PNR and surname only.

06 Jun 2017

Total posts 26

I agree that second level of authentication would be great, I don't know is SMS would be a good idea though. Many of us travel overseas and use different Sim cards in other countries, so I can see many people not being able to receive the texts. Personally I would prefer Google Authenticator tied to my FF account.

Virgin Australia - Velocity Rewards

14 Mar 2017

Total posts 128

It really is astonishing that you can open a booking with a PNR and a surname, as reeves35 says. This has to be plugged at some point...

No, SMS often doesn't work. Right now I'm in a country where no Aust phone will roam, but Qantas has this sorted (unlike Qantas money) as you can choose email authentication.

Qantas - Qantas Frequent Flyer

02 Feb 2018

Total posts 5

Or if the "easy solution" is too complicated there's the easiest solution... Don't be BAF and post photos of your boarding pass on the www.

21 Aug 2019

Total posts 24

Security is all prevelant these digital days. Simple answer is to not post personal details. Problem solved.

17 May 2017

Total posts 2

Nickj338395, I trust your LogIn name is not your QFF number!

21 Aug 2019

Total posts 24

Thank you but no. The house numbers of homes when younger. As one gets older the simpler the password the better! One day face recognition and fingerprints hopefully will get rid of multiple passwords

This doesn't make much sense. As noted in the article, even if someone gets hold of your FF number and name, they still need a PIN to access the account, plus Qantas introduced two factor authentication some time ago to protect QFF accounts. Consequently, there is not much risk associated with someone simply finding out your FF number.

The much bigger problem is PNRs - if someone knows your PNR and surname, not only can they access the booking and retrieve all sorts of personal information, in many cases they can actually make changes to the booking or even cancel it altogether. This is a huge risk, which is completely unaffected by the omission of FF numbers.

By the way - to those saying the solution is simply not to post photos of the BP online - obviously that is good advice, but there are other ways people can get the info from a BP - e.g. if you lose it, leave it on a plane, dispose of it in a bin without shredding it. Someone might even get your PNR and name by simply looking at your BP over your shoulder as you board.

CX

05 Jun 2012

Total posts 121

And all of this is why I retain BPs until I am sure my miles have been credited and then shred them, shred baggage tags at home (which is a bugger because they're sticky, and clog up my shredder, but I persevere) or, if I am away from home, cut them into pieces that don't show the whole barcode and then throw the bits into different bins. All that may sound excessive, but my FF points are valuable, as is my identity (no, I'm not being precious, and I'm certainly not famous, but I really don't want people nicking my identity).

The major data security breaches from Cathay and Marriott recently have made me much more cautious (and extremely cross!). Unfortunately they both have more information about me than I am really comfortable with given those breaches (in the sense that I don't mind those organisations having them - I provided it freely in order to improve my travel experience - but I did so expecting that they wouldn't end up in the public domain), but that is just part of the price we pay for living in the modern world, I suppose. Cathay did, at least, give me a year's free subscription to the Experian monitoring service which seems to show that despite them having let an uncomfortably large proportion of my personal information escape, the breach didn't cause much damage. I do, however, try to minimise those data breaches that are within my own control by personal action.


Hi Guest, join in the discussion on Qantas to stop printing frequent flyer numbers on boarding passes