Legacy booking systems disclose travelers’ private information

March 16, 2023 - 5 Min Read

Travel bookings worldwide are kept in a handful of systems. The three largest Global Distribution Systems (GDSs), Amadeus, Sabre and Travelport, administer more than 90% of flight reservations as well as a large share of hotel, car and other travel bookings.

Today’s GDSs date back to the 1970s and 1980s, when they were built around mainframe computers and leased lines. Web services have since been layered on top of them, but several web security best practices are still missing.

Weak authentication

Authentication is weak across all three major GDSs, and the weakness lands directly on travelers. While the rest of the web debates which form of multi-factor authentication to adopt, such as biometrics, hardware tokens or time-based one-time passwords, the GDSs still rely on a single, inadequate secret: the booking code, also known as the Passenger Name Record (PNR) locator.

This six-character alphanumeric string, for example “8EI29V”, is the only key needed to read and change a traveler’s record, and it is printed in plain sight on boarding passes and luggage tags. Anyone who obtains it, by looking over a shoulder, photographing it or picking it up from discarded travel documents, can retrieve the record through the GDS or airline website, usually by entering the code together with the traveler’s last name, which appears on the same documents. The record typically holds the traveler’s full name, contact information (e-mail address and phone number), the travel itinerary and, in some cases, payment details.

An authentication scheme this weak exposes travelers to identity theft, fraudulent bookings and the unauthorized disclosure of private information.

Weak web services

Traveler information is also exposed to online attack, because the authenticator can be brute-forced. The way six-character booking codes are chosen leaves them with less than 28.5 bits of entropy, weaker than a five-character password drawn from printable ASCII (about 32.8 bits), which would already be considered insecure for most applications. Two of the three main GDSs assign booking codes sequentially, so codes issued at about the same time are close to each other, and an attacker who holds a booking of their own knows roughly where to search; this shrinks the search space further. Finally, many GDS and airline websites accept many thousands of lookup attempts from a single IP address without a CAPTCHA or lockout. Given only a passenger’s last name, the booking code can therefore be found over the Internet with little effort, which opens the door to the abuses described below.

Abuse potential

Given a passenger’s booking code, an intruder can:

  • Invade travelers’ privacy. The booking overview typically contains contact information (phone number, e-mail and postal address), travel dates and preferences, and often passport information
  • Steal flights. Most airlines allow flight changes, and some allow cancellation for a voucher, so a fraudster can travel for free
  • Divert miles. By changing the frequent flyer number in the booking, a fraudster can collect the miles for a flight without taking it
  • Conduct phishing/vishing. Knowing the details of a booking that has just been made, which sequential booking codes make possible, an intruder can target the traveler with convincing social engineering, asking for payment details or frequent flyer credentials

The way ahead

Global booking systems pioneered many technologies, including cloud computing. It is time for them to add the security practices that other cloud users have long taken for granted. In the short term, every website that gives access to traveler records should have proper brute-force protection in the form of CAPTCHAs and retry limits per IP address, keeping in mind that a per-IP limit alone does not stop an attacker who spreads attempts across many addresses. In the mid term, traveler bookings need proper authentication, at the very least a password the traveler can change.
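The following simulation is an added example, not code from the original page or from any GDS. It ties together the two points above: why sequential booking codes collapse the search space for an attacker who knows a passenger’s last name (the “Weak web services” section), and what a per-IP retry limit does and does not buy compared with a changeable password (“The way ahead”). Everything in it is constructed for illustration: the 32-symbol locator alphabet, the sequential allocator, the `MockGDS` store, the `198.51.100.0/24` client addresses and the booking records are assumptions, not facts about Amadeus, Sabre or Travelport.

```python
import math
import random
import string
from collections import defaultdict

# Assumed locator alphabet for this example (not a statement about any real GDS):
# upper-case letters and digits minus the easily confused I, O, 0 and 1 -> 32 symbols.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "IO01")
CODE_LEN = 6
SPACE = len(ALPHABET) ** CODE_LEN           # 32**6 = 2**30 possible locators


def locator_entropy_bits():
    """Upper bound on locator entropy: a code drawn uniformly from the whole space."""
    return math.log2(SPACE)


def index_to_locator(n):
    """Encode a counter as a six-character code, as a sequential allocator would."""
    out = []
    for _ in range(CODE_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def locator_to_index(loc):
    """Inverse of index_to_locator; lets an attacker turn a known code into a counter."""
    n = 0
    for c in loc:
        n = n * len(ALPHABET) + ALPHABET.index(c)
    return n


class RateLimited(Exception):
    pass


class MockGDS:
    """Toy reservation store keyed on (locator, last name). Constructed for the example."""

    def __init__(self, sequential, ip_limit=None, require_password=False, seed=1):
        self.sequential = sequential
        self.ip_limit = ip_limit              # None = no brute-force protection at all
        self.require_password = require_password
        self.rng = random.Random(seed)
        self.counter = self.rng.randrange(SPACE)   # a sequential allocator starts somewhere
        self.records = {}
        self.failures = defaultdict(int)      # failed lookups per client IP

    def create_booking(self, last_name, password=None):
        if self.sequential:
            self.counter = (self.counter + 1) % SPACE
            loc = index_to_locator(self.counter)
        else:
            loc = "".join(self.rng.choice(ALPHABET) for _ in range(CODE_LEN))
        self.records[loc] = {"last_name": last_name.upper(), "password": password}
        return loc

    def lookup(self, locator, last_name, client_ip, password=None):
        """Return the record on success, None on a wrong guess; raise once an IP is over its limit."""
        if self.ip_limit is not None and self.failures[client_ip] >= self.ip_limit:
            raise RateLimited(client_ip)
        rec = self.records.get(locator)
        ok = rec is not None and rec["last_name"] == last_name.upper()
        if ok and self.require_password:
            ok = password is not None and password == rec["password"]
        if ok:
            return rec
        self.failures[client_ip] += 1
        return None


def find_locator(gds, last_name, known_locator, ip_pool, budget):
    """Attacker's search: walk upward from a locator issued around the same time (e.g. the
    attacker's own booking), rotating through ip_pool. Returns (locator, attempts, status)."""
    idx = locator_to_index(known_locator)
    for attempt in range(1, budget + 1):
        idx = (idx + 1) % SPACE
        try:
            rec = gds.lookup(index_to_locator(idx), last_name, ip_pool[attempt % len(ip_pool)])
        except RateLimited:
            return None, attempt, "locked"
        if rec is not None:
            return index_to_locator(idx), attempt, "found"
    return None, budget, "exhausted"


def demo(budget=5000):
    """Run the same attack against five configurations; returns a dict of outcomes."""
    scenarios = [
        ("sequential_open", MockGDS(sequential=True), 1),
        ("random_open", MockGDS(sequential=False), 1),
        ("sequential_ip_limit", MockGDS(sequential=True, ip_limit=20), 1),
        ("sequential_ip_limit_rotating", MockGDS(sequential=True, ip_limit=20), 10),
        ("password_rotating", MockGDS(sequential=True, ip_limit=20, require_password=True), 10),
    ]
    results = {}
    for name, gds, n_ips in scenarios:
        own = gds.create_booking("Attacker", password="attacker-pw")
        for i in range(40):                   # unrelated bookings made in between
            gds.create_booking(f"Other{i}", password=f"pw{i}")
        target = gds.create_booking("Traveler", password="correct horse battery")
        pool = [f"198.51.100.{i}" for i in range(1, n_ips + 1)]  # assumed attacker addresses
        found, attempts, status = find_locator(gds, "Traveler", own, pool, budget)
        results[name] = {"found": found == target, "attempts": attempts, "status": status}
    return results


if __name__ == "__main__":
    print(f"locator space: 2^{locator_entropy_bits():.1f} codes")
    for name, r in demo().items():
        print(f"{name:30s} {r}")
```

With sequential allocation and no protection the attacker, holding a booking made 40 bookings before the victim’s, finds the target code in 41 attempts; with random allocation the same walk of 5,000 guesses finds nothing, since the expected cost is about half of the 2^30 space. A limit of 20 failed attempts per IP stops the single-address attacker after 21 requests, but the same attacker rotating through ten addresses still gets the record in 41 attempts, which is why the per-IP limit is only a short-term measure. Once the record also requires a password, the correct code plus last name no longer returns anything, and the rotating attacker exhausts all ten addresses without success. Real locator alphabets and allocation rules differ from the assumed ones here, so the 30-bit figure is an upper bound for this model, not the entropy the page reports for any real GDS.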

References

  • Conference presentation. The details were presented at 33C3 on December 27, 2016: Outline and Slides, Video
  • Further reading. Much more information from many years of research is available on Edward Hasbrouck’s blog
  • Picture credit. Movie poster for “Catch Me If You Can”