Khaleej Times

Privacy takes a flight on airline booking system

- Eric Auchard

Hamburg — Major travel booking systems lack a proper way to authenticate air travellers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned.

Passenger Name Records (PNR) are used to store reservations with links to a traveller’s name, travel dates, itinerary, ticket details, phone and email contacts, travel agent, credit card numbers, seat number and baggage information.

The six-digit codes act as pincodes for locating travel records, albeit with vital differences that make them highly insecure compared with even the simple usernames and passwords that consumers use to access email or websites, the researchers said.

The world’s three major global distribution systems (GDS) — Amadeus, Sabre and Travelport — manage a majority of travel reservations but face growing competition from airlines and corporate travel and online booking sites.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” researchers at Berlin-based Security Research Labs said in a statement.

Multi-factor authentication works when users offer separate pieces of evidence of their identity such as something they know, like a password, pincode or security question, and something they possess, like a bankcard or a phone linked to them.

With just a passenger’s last name, the researchers were able to use computer guesswork to find associated booking codes within hours and thereby gain access to travel records.

“Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” said SRLabs’ Karsten Nohl, who, with co-author Nemanja Nikodijevic, will detail their research this week at the Chaos Communications Congress, Europe’s biggest annual event on hacking.

Nohl has previously exposed major security threats in phones, cars, payment terminals and data storage devices.

Security Research Labs acts as a security consultant to major global clients, including banks.

Two of the three big booking systems — Amadeus and Travelport — assign booking codes sequentially, making brute-force computer guesswork easier. Of the three, Amadeus, through its web portal CheckMyTrip, is especially vulnerable, Nohl said.

“Amadeus is assessing the findings of SR Labs on travel industry security,” a company spokeswoman told Reuters. “We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems,” she said, referring to airlines and other travel industry partners.

“As a matter of course Amadeus does protect its systems, including Check My Trip, from the type of automated robotic attacks outlined in this report.”

Sabre told Reuters: “We have numerous layers of security in place. Discussing how we maintain security and the privacy of travellers undermines those safeguards and the security of our systems.”

Travelport did not respond to a request for comment. — Reuters

Major travel booking systems lack a proper way to authenticate air travellers, researchers warn. — AFP
