Major travel booking systems lack a proper way to authenticate air travelers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned on Tuesday.
Passenger Name Records (PNR) are used to store reservations with links to a traveler’s name, travel dates, itinerary, ticket details, phone and email contacts, travel agent, credit card numbers, seat number and baggage information.
The six-digit codes act as pincodes for locating travel records, albeit with vital differences that make them highly insecure compared with even the simple usernames and passwords that consumers use to access email or websites, the researchers said.
The world’s three major global distribution systems (GDS) – Amadeus, Sabre and Travelport – manage a majority of travel reservations but face growing competition from airlines and corporate travel and online booking sites.
“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” researchers at Berlin-based Security Research Labs said in a statement.
Multi-factor authentication works when users offer separate pieces of evidence of their identity such as something they know, like a password, pincode or security question, and something they possess, like a bankcard or a phone linked to them.
With just a passenger’s last name, the researchers were able to use computer guess work to find associated booking codes within hours and thereby gain access to travel records.
“Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” said SRLabs’ Karsten Nohl, who, with co-author Nemanja Nikodijevic, will detail their research this week at the Chaos Communications Congress, Europe’s biggest annual event on hacking.
Nohl has previously exposed major security threats in phones, cars, payment terminals and data storage devices.
Security Research Labs acts as a security consultant to major global clients, including banks.
Two of the three big booking systems – Amadeus and Travelport – assign booking codes sequentially, making brute-force computer guesswork easier. Of the three, Amadeus, through its web portal CheckMyTrip, is especially vulnerable, Nohl said.
“Amadeus is assessing the findings of SR Labs on travel industry security,” a company spokeswoman told Reuters.
“We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems,” she said, referring to airlines and other travel industry partners.
“As a matter of course Amadeus does protect its systems, including Check My Trip, from the type of automated robotic attacks outlined in this report.”
Sabre told Reuters: “We have numerous layers of security in place. Discussing how we maintain security and the privacy of travelers undermines those safeguards and the security of our systems.”
Travelport did not respond to a request for comment.
Travelers will never know who accessed their information, because PNR data is not logged, the researchers said. Users have no option to secure these codes themselves because the credentials are arbitrarily assigned by airlines using the booking systems.
The researchers call for the airlines to adopt modern safeguards against brute force attacks such as limiting the number of PNR requests per Internet address and offer passengers a changeable password as minimal protections against such attacks.
Nohl said the vulnerabilities he found with travel databases are not new. They have been described, conceptually, by San Francisco-based travel privacy campaigner Edward Hasbrouck, who has waged a sometimes lonely campaign to expose them for years.
Hasbrouck, author of the 2001 traveler’s rights book “The Practical Nomad Guide to the Online Travel Marketplace”, said that since the 9/11 airline attacks on U.S. cities, industry and public attention has focused on government access to travel data to insure flight safety instead of such data’s commercial abuse.
Fifteen years ago, he warned: “Privacy is the Achilles’ heel of Internet travel planning”.
Hasbrouck said the SRL research vindicates his arguments.
“If the data protection laws that have been in effect since the early 1990s in the EU and Canada had been enforced, (travel systems) would have been required to make changes that would have significantly reduced some of the vulnerabilities… and that SRLabs has now demonstrated can be exploited”, he said.