Changing Other People's Flight Bookings Is Just Too Easy

Uploaded on 2017-01-16 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Transport & Travel

The travel booking systems used by millions of people every day are woefully insecure and lack modern authentication methods. 

This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem.

Karsten Nohl and Nemanja Nikodijevic from Berlin-based consultancy Security Research Labs have spent months investigating the security employed by the Global Distribution Systems (GDSs) that are used by travel agencies, airlines, hotels and car rental companies. They presented their findings recently at the 33rd Chaos Communications Congress in Hamburg.

GDSs are databases that date back to the mainframe era and hold all information about travel bookings such as the traveler's name, travel dates, itinerary, ticket details, phone and email contacts, passport information, credit card numbers, seat numbers and baggage information. All of this data make up the so-called Passenger Name Records (PNRs).

The three major GDS operators in the world are Sabre, Travelport and Amadeus and together they store PNRs for hundreds of millions of travelers at any given time. Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code.

There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip. Even if some of them request more information than others to authenticate users, like the first name in addition to the last name, the level of protection for a PNR is ultimately that of the weakest link in the chain.

For example, if a booking includes flights with different airlines, the booking can be accessed and modified through the websites of any of the airlines that operate the different legs of the trip. 

The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight, even if their entire trip has not concluded yet, and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

Many airline and trip checking websites don't put limits on how many bad codes people can enter before they're blocked, which makes them vulnerable to brute force code-guessing attacks. The researchers showed they can find matching booking codes for popular last names within minutes by using automated methods.

GDSs further lower the number of possibilities for these booking codes by using only uppercase letters. One of them doesn't use 1s and 0s at all to avoid confusion with the letters I and O and two of them increase the codes sequentially which can give attacker an idea of what range of codes to search through for a given period of time.

The travel agencies have their own master logins into the GDSs and these accounts have very weak passwords. In one case the password was WS, which stands for web service, followed by the date when the login was created in DDMMYY format. This can easily be brute-force and unfortunately it was one of the most complex travel agency passwords the researchers observed.

In addition to the obvious privacy violation that results from accessing someone else's booking data, attackers can abuse such access for their own gain. For example, they could add their frequent flier number to other people's long-haul flights in order gain the reward miles for themselves. The researchers said that they know for a fact that this technique is already being used.

Attackers could also cancel a flight and if the ticket is flexible, they could use the credit given by the airline to book a different ticket for themselves, the researchers said.

Knowledge of a person's exact traveling plans can also facilitate powerful phishing attacks. Imagine receiving an email from the airline you recently booked your flight with saying that the payment failed and you need to rebook by entering your credit card details again. Most people would probably comply with that request without checking if the email is authentic.

To top it all, there is no logging being done in the GDS databases. And since there's no logging, there's no way to tell who accessed a given record and how much abuse exists in these systems, the researchers said.

The ideal case would be for these systems to start requiring proper passwords for accessing individual PNRs, but that's a very long term goal because all the players in the ecosystem, travel agencies, airlines, hotels, car rental companies, etc., would need to get on board with this change and move at the same pace, Nohl said.

"In the short term, at the very least we should expect websites that give access to travelers' personal information to have the bare minimum of web security, and this includes at the very least some rate limiting," the researcher said. 

"And until passwords and other security measures become common, I think we have a right to know who accesses our records and there must be some accountability, especially knowing how insecure these systems are today."

Computerworld:    Four Threats To Aviation Security & Four Responses:  

Airlines on Defence Amid Cyber Warfare: IATA:

 


 

« America’s Cyber Security Dilemma
Anti-Surveillance Clothing Thwarts Facial Recognition »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Allen & Overy

Allen & Overy

Allen & Overy is an international law firm. Practice areas include Cybersecurity and Data Protection.

QMS International

QMS International

QMS is one of the leading ISO certification bodies in the UK and serves clients worldwide.

Pradeo

Pradeo

Pradeo Security offers a complete, automatic and seamless protection to mobile devices and applications, aligned with your organization security policy while preserving business agility.

Advanced Systems International SAC

Advanced Systems International SAC

Advanced Systems international is a global company dedicated to data security software design, development, support, and licensing.

DTS Solution

DTS Solution

DTS Solution delivers advanced cyber security solutions through is technology partnerships with industry leading security vendors and advanced consulting services.

CARICERT

CARICERT

CARICERT is the National Cyber Emergency Response Team of Curacao in the Caribbean.

C2A Security

C2A Security

C2A Security offers a comprehensive suite of cyber security solutions for the automotive industry, providing in-vehicle end-to-end protection.

Malleum

Malleum

MALLEUM are specialists in penetration testing and security assessments. We think like hackers – and act like them – to disclose discreet dangers to your organization.

NINJIO

NINJIO

NINJIO is a leader in cybersecurity awareness training. View IT Security Awareness through a different lens - entertain and educate your users through storytelling.

ADL Consulting

ADL Consulting

ADL Consulting provide information security-related consultancy and training support to businesses across the UK. Our services include ISO27001, GDPR, Cyber Essentials and training.

Stratia Cyber

Stratia Cyber

Stratia Cyber is an independent, technology agnostic company providing high quality, pragmatic cyber security consultancy and expertise.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Communicate Technology

Communicate Technology

Communicate Technology are IT, telecoms and cyber-security specialists, keeping over 500 businesses and 50,000 users connected and secure across the UK.

Nicoll Curtin

Nicoll Curtin

Nicoll Curtin is a global company with over 20 years of experience in connecting outstanding talent with industry leading companies within Technology, Change and Cyber Security.

Ever Nimble

Ever Nimble

Ever Nimble are award-winning experts in IT support, cybersecurity, and cloud technology. Our proactive approach will enhance your security and protect you from cyber security threats.

Amyna Systems

Amyna Systems

Amyna has developed an IoT cybersecurity platform that prevents malignant attacks, helping users to protect themselves from cyberattacks.