Legacy flight booking systems are extremely easy to hack, exposing travellers to social engineering and other forms of cyber attack, security researchers have warned.
Malicious actors could infiltrate these systems to alter passenger information and even cancel bookings, Karsten Nohl and Nemanja Nikodijevic of Berlin-based Security Research Labs (SRL) told the Chaos Communication Congress hacking conference in Hamburg.
All that is required to make such changes is the passenger’s last name and a six-digit alphanumeric booking code or Passenger Name Record (PNR), according to Digital Trends.
The researchers’ findings are detailed in a report published on the SRL website, which explains that travel bookings worldwide are maintained in just a handful of systems.
The three largest Global Distribution Systems (GDS) are Amadeus, Sabre and Travelport, which administer more than 90% of flight reservations as well as numerous hotel, car and other travel bookings.
But these systems were built around mainframe computers and leased lines in the 1970s and 80s, and although they have since been interwoven with web services, they still lack several web security best practices.
Most importantly, the three booking systems lack the means to authenticate travellers properly, relying only on the passenger name and booking code, both of which appear on boarding passes.
The researchers said attackers could brute force the booking codes more easily than a five-digit password because of the way they are generated.
Two of the three main booking systems assign booking codes sequentially, further shrinking the search space, and many of the systems and airline websites allow thousands of login attempts from a single IP address.
Given only passengers’ last names, their booking codes could be found on the internet with little effort, the researchers claimed.
Armed with just a name and a booking code, attackers can access booking details which often include contact information such as phone number, email and postal address, travel dates and preferences, and passport information.
By accessing bookings in this way, the researchers said attackers could also potentially take over bookings, steal flier miles and carry out social engineering attacks to trick travellers into revealing online banking and other credentials.
The researchers have called for better authentication and other security controls to be added to these booking systems.
In the short term, they said security could be improved by introducing measures to prevent brute-force attacks on airlines’ websites and enabling travellers to set their own passwords to access bookings.
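The brute-force exposure described above (a login that needs only a last name and a booking code, with thousands of attempts tolerated from a single IP address) and the short-term countermeasure the researchers suggest can be made concrete with a small detector. The following Python is an added example, not code from the article or from SRL's research: the log format, the `/manage-booking` endpoint, the use of HTTP 403 for a failed lookup, and the threshold and window values are all assumptions, and the log lines are constructed for the demonstration. It also contrasts the nominal key space of a six-character alphanumeric code with a five-digit numeric one, to make the article's point that the weakness lies in how codes are generated and checked rather than in their nominal size.

```python
"""Flag source addresses that hammer a name-plus-booking-code lookup endpoint.

Added example (not from the article or from SRL). Assumed log format:
    <ip> <ISO-8601 timestamp> <request path> <status>
where a 403 on the booking endpoint means "last name / code did not match".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample data. 198.51.100.7 fires 12 failed lookups in 12 seconds,
# walking through consecutive codes; 203.0.113.5 is a traveller who mistypes
# the code once and then succeeds.
ATTACKER_LINES = [
    f"198.51.100.7 2016-12-27T10:00:{i:02d} /manage-booking?lastname=SMITH&pnr=AAAA{i:02d} 403"
    for i in range(12)
]
TRAVELLER_LINES = [
    "203.0.113.5 2016-12-27T10:00:05 /manage-booking?lastname=JONES&pnr=XYZ789 403",
    "203.0.113.5 2016-12-27T10:00:40 /manage-booking?lastname=JONES&pnr=XYZ788 200",
]
SAMPLE_LOG = ATTACKER_LINES + TRAVELLER_LINES

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def keyspace(length, alphabet_size):
    """Nominal number of codes of the given length over the given alphabet.

    A six-character code over [A-Z0-9] has 36**6 (about 2.2 billion) values,
    against 10**5 for a five-digit PIN. The article's point is that sequential
    assignment and unlimited guessing shrink the *effective* search far below
    this nominal figure, which is why rate limiting matters.
    """
    return alphabet_size ** length


def parse_line(line):
    """Parse one log line into (ip, timestamp, path, status) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.fromisoformat(ts), path, int(status)


def find_brute_forcers(lines, threshold=10, window_seconds=60, endpoint="/manage-booking"):
    """Return {ip: peak_failures} for IPs with >= threshold failed lookups in any window.

    Uses a per-IP sliding window of failure timestamps; a traveller who mistypes
    once or twice never approaches the threshold, while an enumeration of
    sequential codes trips it within seconds.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])  # logs may arrive out of order
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, path, status in events:
        if not path.startswith(endpoint) or status != 403:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    print("nominal 6-char alnum codes:", keyspace(6, 36))
    print("nominal 5-digit PINs:      ", keyspace(5, 10))
    for ip, peak in find_brute_forcers(SAMPLE_LOG).items():
        print(f"throttle {ip}: {peak} failed booking lookups inside one window")
```

In production the same sliding-window counter would sit in front of the lookup handler and return a throttled response (or require a CAPTCHA or a traveller-set password, as the researchers propose) once an address crosses the threshold; keying the counter on the last name as well as the source IP also catches guessing that is spread across many addresses.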