The travel booking systems used by millions of people every day are woefully insecure and lack modern authentication methods. This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem.
Karsten Nohl and Nemanja Nikodijevic from Berlin-based consultancy Security Research Labs have spent months investigating the security employed by the Global Distribution Systems (GDSs) that are used by travel agencies, airlines, hotels and car rental companies. They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg.
GDSs are databases that date back to the mainframe era and hold all information about travel bookings such as the traveler's name, travel dates, itinerary, ticket details, phone and email contacts, passport information, credit card numbers, seat numbers and baggage information. All of this data make up the so-called Passenger Name Records (PNRs).
The three major GDS operators in the world are Sabre, Travelport and Amadeus and together they store PNRs for hundreds of millions of travelers at any given time. Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code.
There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip. Even if some of them request more information than others to authenticate users -- like the first name in addition to the last name -- the level of protection for a PNR is ultimately that of the weakest link in the chain.
For example, if a booking includes flights with different airlines, the booking can be accessed and modified through the websites of any of the airlines that operate the different legs of the trip.
The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.
Many airline and trip checking websites don't put limits on how many bad codes people can enter before they're blocked, which makes them vulnerable to brute force code-guessing attacks. The researchers showed they can find matching booking codes for popular last names within minutes by using automated methods.
GDSs further lower the number of possibilities for these booking codes by using only uppercase letters. One of them doesn't use 1s and 0s at all to avoid confusion with the letters I and O and two of them increase the codes sequentially which can give attacker an idea of what range of codes to search through for a given period of time.
Sign up for Computerworld eNewsletters.