Legacy booking systems disclose travelers’ private information
Travel bookings worldwide are maintained in a handful of systems. The three largest Global Distributed Systems (GDS), Amadeus, Sabre, and Travelport, administer more than 90% of flight reservations as well as numerous hotel, car, and other travel bookings.
Today’s GDSs go back to the 1970s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.
The most important security feature lacking from all three GDSs is a proper way to authenticate travelers. While the rest of the Internet is debating which second and third factors to use, GDSs do not offer even a first authentication factor. Instead, the booking code (also known as the PNR Locator, a 6-character alphanumeric string such as 8EI29V) is used to access and change travelers’ information.
This authenticator is printed on boarding passes and luggage tags. Anyone able to find or photograph the pass or tag can access the traveler’s information – including e-mail address and phone number – through the GDS’s or airline’s web site.
Weak web services
Traveler information is also at risk from online attack because the authenticators are brute-forceable. The way 6-character booking codes are chosen makes them weaker than a 5-character password (<28.5 bits), which would be considered insecure for most applications. Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow many thousands of booking codes to be tried from a single IP address. Given only a passenger’s last name, their booking code can be found over the Internet with little effort.
Given a passenger’s booking code, an intruder can:
- Invade travelers’ privacy. The booking overview typically contains contact information (phone number, e-mail, and postal address), travel dates and preferences, and often passport information
- Steal flights. Most airlines allow flight changes, and some even cancellations for a voucher, allowing a fraudster to travel for free
- Divert miles. By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights
- Conduct phishing/vishing. Knowing the details of a booking that has just been made – which is possible in GDSs that use sequential booking codes – an intruder can target travelers for social engineering, asking for their payment information or frequent traveler credentials
The way ahead
Global booking systems have pioneered many technologies including Cloud computing. Now is the time to add security best practices that other Cloud users have long taken for granted.
In the short term, all web sites that allow access to traveler records should add proper brute-force protection in the form of CAPTCHAs and retry limits per IP address.
In the medium term, traveler bookings need to be secured with proper authentication, at the very least a changeable password.
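The per-IP retry limit recommended above, as an added example that is not code from SRLabs or any GDS: a sliding-window failure counter for a booking-lookup endpoint, replayed over constructed log lines, together with the keyspace arithmetic behind the entropy comparison. The limit values, log format and IP addresses are assumptions.

```python
import math
from collections import defaultdict, deque

# Assumed policy values (not from the page): refuse lookups from a source IP
# once it has produced MAX_FAILURES failed attempts within WINDOW_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 600

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a code of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

class LookupGuard:
    """Sliding-window counter of failed booking lookups per source IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of failed lookups

    def allow(self, ip: str, now: float) -> bool:
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:  # expire old failures
            recent.popleft()
        return len(recent) < self.max_failures

    def record_failure(self, ip: str, now: float) -> None:
        self.failures[ip].append(now)

def replay(log_lines):
    """Replay constructed '<unix_ts> <ip> <OK|FAIL>' lines; return {ip: ts first refused}."""
    guard, blocked = LookupGuard(), {}
    for line in log_lines:
        ts_text, ip, result = line.split()
        ts = float(ts_text)
        if not guard.allow(ip, ts):
            blocked.setdefault(ip, ts)
            continue
        if result == "FAIL":  # wrong name/code pair; successful lookups do not count
            guard.record_failure(ip, ts)
    return blocked

# Constructed sample log: 203.0.113.7 fails repeatedly (its first failure is old
# enough to have expired), while 198.51.100.20 is a user who mistypes once.
SAMPLE_LOG = [
    "100 203.0.113.7 FAIL", "1000 203.0.113.7 FAIL", "1001 203.0.113.7 FAIL",
    "1002 203.0.113.7 FAIL", "1003 198.51.100.20 FAIL", "1003 203.0.113.7 FAIL",
    "1004 198.51.100.20 OK", "1004 203.0.113.7 FAIL", "1005 203.0.113.7 FAIL",
]
```

With these settings the repeat offender is refused at its sixth in-window attempt while the ordinary user is never touched; the 5-character letter-only password the page compares against comes out at about 28.5 bits, versus about 31 bits for a uniformly chosen 6-character alphanumeric code.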
- Conference presentation. Details were presented at 33C3 on Dec 27 2016: Outline and Slides, Video
- Further reading. Much more information from many years of research is available on Edward Hasbrouck’s blog
- Picture credit. Movie poster “Catch me if you can”