social network

Why not upload photos of tickets and keys to social networks

For scammers this is an easy way to go to a concert instead of a victim, steal air tickets or hack an apartment.

Photo of hotlinesingh in Instagram
Photo of hotlinesingh in Instagram

Quick search on the hashtag #boardingpass (boarding pass) in Instagram givesabout 92 thousand records. The edition Motherboard noted that this is about 92 thousand more than it should be. When people publish photographs of air tickets, keys from apartments or cars, they expose themselves to the scammers.

Cases when this oversight ended sadly enough. Scammers not only use someone else’s tickets for an airplane or a concert, but also steal large sums of money. prepared a safety briefing and remembered the real situation when it could come in handy.

Do not show the booking code on the ticket

This six-digit code is a temporary password, also known as PNR (passenger name record) – a gold mine for attackers. In 2016, cyber security specialist Carsten Nol demonstrated this convincingly.

He found out that anyone who knows the booking code and the name of the ticket owner can safely get access to his luggage or fly away on his plane. On some airlines sites to enter the account you only need to enter the passenger’s last name and time of departure. And already in the profile contains data, which is enough to use the ticket.

Some airlines allow you to enter personal offices, recovering the password by the date of birth. It, in turn, is available to many people in social networks. After the authorization, the attacker can change the number of the passport to which the ticket is registered. For example, in the name of a terrorist who is represented in the Interpol database .

Photos of veetorious in Instagram
Photos of veetorious in Instagram
Scammers can use the victim’s ticket, even if the photo is closed PNR-code. For this you need to look at Aztec – the matrix barcode on the ticket. It is enough to scan it in an application such as Barcode Scanner . The combination obtained during the scan will give an attacker not only access to the account on the airline’s website, but also, if it is, to the loyalty program . And if the account is tied to a bank card, scammers can buy tickets for other flights.

In order not to get into this situation, you should not publish a photo of the ticket, which shows the passenger’s name, date of birth, PNR code or bar code. It is better to close the compromising information with a black line, and not blur it. It should also be remembered that leaving unused even used tickets is dangerous. They still contain important data. This applies to checks if they are paid by a bank card, as well as tickets to concerts.

Do not take pictures of car keys or apartments

There’s nothing wrong with bragging the keys to a new car on Facebook. But if the picture is seen by scammers, they can easily make a duplicate. To do this, you need a program for automatic design and a 3D printer. Duplicate key can be recreated in it for 30 minutes.

There is an easier way. To create a duplicate key, it is enough to use the services of services like KeyMe . He creates a key impression of the photo.

Having received the key, it is enough for scammers to calculate the location of the victim’s car or apartment according to geotags, which are often indicated in the photographs. The council to combat such a threat is banal: in the photo, you need to cover part of the blade with your finger.

Three stories that not everything needs to be advertised in social networks

Moskvich, who missed the concert of his beloved band

30-year-old Muscovite Maxim Elfimov became a victim of intruders in the summer of 2016.

July 12, his favorite band Black Sabbath gave a farewell concert in the sports complex “Olympic”. Elfimov bought a ticket on the first day of sales through Yandex.Afish. About the purchase, he wrote in Instagram, publishing a photo with tickets to the concerts of Black Sabbath, as well as Deep Purple, David Gilmour, Paul McCartney, Elton John and Red Hot Chili Peppers.

Photo by Yana Shirokova
Photo by Yana Shirokova

On the day of the concert, Elfimov came to the concert with a printed electronic ticket. However, at the entrance to the “Olympic” he was stopped and explained that someone already passed by the ticket. When he tried to explain the situation and offered to confirm his identity, the representative of “Yandex” apologized, but refused to let the Muscovite to the concert.

He was told that it was a photograph of a ticket published in social networks. On it was clearly visible barcode.

The client posted a photo with a clearly visible barcode in his Instagram, thereby assuming responsibility for possible consequences at the entrance (which is controlled by Olympisky IC, not by ticket agencies or aggregators).

Yana Shirokova
the representative of “Yandex.Afishi”

The startup who lost the bitcoins

The story of the founder of the startup PROME Sean Everett is not directly related to the demonstration of keys or air tickets. However, like the previous one, it emphasizes the risks of publishing personal information in social networks.

In March 2017, Everett decided to take a chance and invest in the crypto currency. He sold his shares to Apple and Amazon, then registered on the exchanger Coinbase, bought bitcoins and ether. Two weeks later, this decision made him a rich man, as the rate of crypto-currency sharply jumped .

Everett hoped to help out as much as possible from the jump and then withdraw the money. However, on May 17, his smartphone received a push notification. The message said that the man’s phone number was re-registered to another device.

Sean Everett (second from right). Photo from Facebook
Sean Everett (second from right). Photo from Facebook
About five minutes after the notice, the American was at the computer and watched as he was robbed. In his mailbox there were already read notifications about changing the password and logging in to the Coinbase account. All the crypto currency on Everett’s account went to the attackers.

As it turned out later, the man was in the top ten of other users of Coinbase, who were victims of intruders. They hunted down people who advertised their involvement in crypto-currencies – and Everett wrote a popular book explaining the phenomenon of bitcoin. After examining his publications in social networks, scammers learned the electronic address and phone number of the startup.

They contacted Everett’s mobile operator, dictated the stolen number and asked to recall the PIN. This procedure was repeated until the attackers were not caught by a co-worker who provided the code without further verification. Having received what they wanted, the scammers registered the number of the attacker on the phone controlled by him and changed the operator.

Then, the crackers changed the password from Everett’s mail via SMS. And after that, we used the data recovery function in Coinbase. Having access to the account, they could only transfer money through several exchangers in order to cover up the tracks.

Three weeks after the break-in, the price for the etherium jumped to $ 400, and the bitcoine rate reached $ 3,000. Everett still hopes to recover the stolen funds, but cybersecurity experts believe that the chances are small.


In 2014, Wired journalist Andy Greenberg described how he managed to penetrate the neighbor’s apartment without any hacking skills. It was an experiment, of which he warned his neighbor in advance. At first he caught the moment when his friend was distracted, and then within 30 seconds scanned the key to his apartment with the help of the KeyMe application.

The service made an image of the 3D key model from the scanned image. Then the journalist went to the nearest KeyMe terminal in New York. The machine gave him a finished duplicate. The next day, Greenberg used the key and quietly entered the apartment of a friend.

KeyMe can save images of lost keys in the “cloud”, and their drawings can be sent to the email address. This is convenient in the event that the owner of the apartment for some reason can not pass the key – friends can quickly make a duplicate.

The process of creating a duplicate key in KeyMe

The startup management claimed that the key can be scanned only if removed from the keychain. Greenberg refuted this statement by hitting a friend’s apartment without permission.

When Greenberg met with the company’s CEO Greg Marsh, he explained that every duplication leaves a digital footprint in the system, with which you can calculate the artist. According to Marsham, if someone and will use the key for mercenary purposes, it can be found.

Greenberg parried that the victim may not know how the burglar entered the house. He may not even have an account in KeyMe, now it is not required by attackers. On this argument, the founder of the startup did not find a suitable answer: “Now most of the country does not know about KeyMe, but we are trying to change it.”

Three years have passed since the publication of the Greenberg article. Vulnerability in the start-up has remained, and its popularity has multiplied. But the habit of people to publish pictures of their keys in social networks has not disappeared anywhere .

Back to top button