Global system coordinating travel bookings woefully insecure
According to researchers, the global system used to coordinate travel bookings between airlines, travel agents and price comparison websites is woefully insecure. A lack of modern security features makes it easy for attackers to gather personal information from bookings, steal flights by altering ticketing details, or earn millions of air miles by attaching new frequent-flyer numbers to pre-booked flights said German security firm SR Labs.
Dating from the 1960’s, Global Distribution Systems (GDS) technology is most associated with the six-character Passenger Name Record (PNR) used to enable online check-in and ticket retrieval. However, researchers Karsten Nohl and Nemanja Nikodijevic revealed this system comprised fundamental weaknesses.
A notable flaw was the use of only two pieces of information to authenticate a booking: the six-character PNR, combined with the user’s last name. “If the PNR is supposed to be a secure password, then it should be treated like one,” said Nohl. “But they don’t keep it secret: it is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a barcode.”
Various apps can easily read the barcode, meaning many of the 80,000 travellers posting pictures on the #boardingpass tag on Instagram risk information theft. “This is supposed to be the only way of authenticating users and it’s printed on pieces of paper you just throw away at the end of the journey,” added Nohl.
Websites that allow a PNR and last name to check the flight status offer no defenses against attackers guessing thousands of combinations a minute. Thus, the researchers could access multiple records. Looking for bookings under the name “Smith” and using a thousand randomly generated booking codes, five came back with active bookings.
Attackers could then cancel a flight in exchange for airline credit and book new tickets or add frequent flyer numbers to hundreds of flights to chalk up air miles. There is also enough personal and flight data accessible to compose convincing phishing emails purporting to report problems with the flights or bookings.
Fortunately, the whole system might end up being rewritten. As the “Smith” example shows, the namespace for booking codes is slowly filling up. Running out of characters for new bookings could force a system rewrite long before security concerns do.
If not, an increase in cybercrime could do the same job. “Airlines sometimes notice this, but only when it becomes excessive,” he said. “I just hope it becomes so excessive that it can’t be ignored so that it gets fixed, because then the privacy issues get fixed as well. Privacy is never enough on its own,” said Nohl