Are you aware of the vulnerability in travel booking systems?

Travel booking systems are among the oldest global IT infrastructures, going back to the 1970s and 1980s. There are three so-called global distribution systems (GDS), Amadeus, Sabre and Galileo, which hold information on travelers and to which all travel companies have access. These companies have grown for decades but changed surprisingly little; they lack modern IT security and therefore fail to protect passenger data.

Passenger data has been in dispute for years. Since 9/11 the US has wanted as much access to data about travelers as possible, while the EU tries to protect travelers’ data.

To show how insecure the infrastructure of these systems is, Karsten Nohl from Security Research Labs recently demonstrated real-world hacking risks, from tracking travelers to stealing flights, in his talk “Where in the World Is Carmen Sandiego?”. (And yes, believe it or not, during his talk he actually finds out where Carmen is and where she’s travelling to.)

Privacy intrusion

To start with, anybody who works at an airline can access your flight information. If there’s a car rental linked to your booking, the car rental company also has access to your flight details and, vice versa, the airline can access your car rental booking. Any trip itinerary that you book with a travel agency (be it flight, hotel or car rental) can be accessed by travel agents, meaning employees have access to your IP address, postal address, contact information and payment details.

What is striking is that passengers authenticate only with their last name and a 6-digit booking code (a PNR locator), which acts as the password and is printed on boarding passes and luggage tags. This means that not only can travel agents access booking details via the GDS; with a few hacks, anybody can.

Any traveler can be authenticated with the bar-code of a boarding pass. If you search for #boardingpass on Instagram you’ll find numerous boarding passes of random travelers. Scanning the bar-code reveals personal details (name and booking reference), with which anyone can then access the flight booking and retrieve even more data (frequent flyer details, contact information, birth date and passport details). You might want to think twice next time before publishing your boarding pass online.

If the security of Amadeus, Sabre, and Galileo wasn’t already a cause for concern, most travel websites only make things worse. The frequent flyers amongst you will know that most airline websites only require the last name and a 6-digit booking code to access a booking. American Airlines also requires the first name, but there are workarounds: services like ViewTrip only require the last name and 6-digit booking code to access a booking. There’s always a way to find the information you’re looking for; the only question is how.

Now, we don’t want to scare you, but we do want to make you aware of the different scenarios that this lack of security brings about.

Flight theft

Taking it one step further, you can imagine that if someone can access your booking so easily, they’ll also be able to make changes to your booking. Depending on the airline, different actions could be taken. All airlines allow date and flight changes, most allow some form of refund (usually in the form of a coupon), and a few even allow name changes. So basically someone could change your name to their own and use the ticket themselves.

Mile diversion

Another way to take advantage of your booking would be for someone to add their own frequent flyer number to it and earn the miles. These miles can then be redeemed for free flights, hotel nights, or gift certificates. Just to give you an example of the value of frequent flyer miles: a round trip from Europe to Australia in first class is 10,000 miles, which is worth about 900 USD.


For those of you who don’t know the term, phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by posing as a trustworthy entity in an electronic communication.

Now, this scenario is a bit more unlikely, as it requires more technological knowledge. With all that information, fraudsters can send very targeted phishing emails. Because PNRs are sequential in nature, fraudsters can find recently created PNRs and passengers’ last names, with which they can find out the person’s email address and ultimately phish for frequent flyer login or credit card details.

You can see how the lack of security standards and measures puts your privacy at risk. To minimize the risk of someone hacking your trip, we recommend not posting your boarding pass online and not leaving your travel documents behind.

However, at this stage, you will never know who accessed your information, since PNR access is intentionally not logged.
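If booking lookups were logged, a client walking through booking codes for one last name would stand out from travelers checking their own trip. The sketch below is an added example, not code from the talk or from any GDS; the log format, the thresholds and the base-36 reading of booking codes are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lookup log (this format is an assumption, not a real GDS log):
# timestamp  client_ip  last_name  booking_code  result
SAMPLE_LOG = """\
2017-01-10T09:00:01 203.0.113.20 SMITH P3ZT9C HIT
2017-01-10T09:05:44 203.0.113.20 SMITH P3ZT9C HIT
2017-01-10T09:10:02 192.0.2.55 JONES R8LM2X MISS
2017-01-10T09:10:30 192.0.2.55 JONES R8LN2X MISS
2017-01-10T09:11:05 192.0.2.55 JONES R8LM2K HIT
2017-01-10T10:00:00 198.51.100.7 MUSTER K7Q2A0 MISS
2017-01-10T10:00:01 198.51.100.7 MUSTER K7Q2A1 MISS
2017-01-10T10:00:02 198.51.100.7 MUSTER K7Q2A2 MISS
2017-01-10T10:00:03 198.51.100.7 MUSTER K7Q2A3 MISS
2017-01-10T10:00:04 198.51.100.7 MUSTER K7Q2A4 MISS
2017-01-10T10:00:05 198.51.100.7 MUSTER K7Q2A5 HIT
"""

def detect_enumeration(log_text, min_codes=5, max_hit_ratio=0.2):
    """Flag clients that try many different booking codes for one last name."""
    attempts = defaultdict(list)  # (client, last name) -> [(code, hit), ...]
    for line in log_text.strip().splitlines():
        _ts, client, name, code, result = line.split()  # timestamp unused here
        attempts[(client, name.upper())].append((code.upper(), result == "HIT"))

    alerts = []
    for (client, name), tries in attempts.items():
        codes = {code for code, _ in tries}
        hits = sum(1 for _, hit in tries if hit)
        # A traveler retyping their own code touches few codes and mostly hits.
        if len(codes) < min_codes or hits / len(tries) > max_hit_ratio:
            continue
        # Assumption: codes are alphanumeric, so base 36 gives them an order.
        values = sorted(int(code, 36) for code in codes)
        steps = [b - a for a, b in zip(values, values[1:])]
        alerts.append({
            "client": client,
            "last_name": name,
            "distinct_codes": len(codes),
            "hits": hits,
            # Share of neighbouring codes exactly one apart: walking a sequence.
            "sequential_share": sum(s == 1 for s in steps) / max(len(steps), 1),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

A production rule would also bound the attempts by time window and correlate across client addresses, which this sketch leaves out.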
