One of the comforts the internet has brought us is the fact that we can book flights anywhere and anytime and even choose where we want to sit on that flight. But like every online process, even your flight bookings could be subject to hacking.
Researchers Karsten Nohl and Nemanja Nikodijevic from German security firm Security Research Labs published a report on just how easy it is to break into travel booking systems. The report noted that the three largest Global Distribution Systems (GDSs) handling such reservations are vulnerable. “Today’s GDSs go back to the 70s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.” According to the report, Amadeus, Sabre, and Travelport handle over 90 percent of global flight reservations, and their setup dates back to the 70s.
So here’s the challenge. Each time you book a flight you are given a unique six-digit code, also known as a PNR (Passenger Name Record), which is printed on your boarding pass. It’s so public that just about anyone can get a snapshot of it, and a hacker who does can access all of your personal information, including your home address, bank card number, frequent flyer number and the IP address used in booking the ticket, among others.
With respect to authentication, the researchers said the GDSs and airline websites don’t even limit the number of times you can check codes, which means hackers don’t even need to employ brute force to run through the database in order to dig out valid codes. “While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”
Perhaps the worst part of this is that these unique codes are serially assigned, making it much easier for hackers to locate just about anyone’s information they wish.
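The missing limit on code checks described above is something a booking lookup page can enforce on its own side. The sketch below is an added example, not code from the report or from any GDS or airline: the class name, the window, the threshold and the sample events are all assumptions. It refuses lookups from a client that tries too many different booking codes in a short time, while letting a traveler re-check their own code.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600     # assumed look-back window
MAX_DISTINCT_CODES = 5   # assumed limit on different codes per client per window


class LookupThrottle:
    """Refuses lookups from a client that tries too many different booking codes."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_CODES):
        self.window = window
        self.limit = limit
        self.history = defaultdict(deque)  # client -> (timestamp, code) attempts

    def allow(self, client, code, now):
        attempts = self.history[client]
        # Forget attempts that have aged out of the window.
        while attempts and now - attempts[0][0] > self.window:
            attempts.popleft()
        seen = {c for _, c in attempts}
        # Re-checking a code already tried is fine; a new code beyond the limit is not.
        if code not in seen and len(seen) >= self.limit:
            return False
        attempts.append((now, code))
        return True


def replay(events, throttle=None):
    """Run (timestamp, client, code) events through the throttle; count refusals per client."""
    throttle = throttle or LookupThrottle()
    refused = defaultdict(int)
    for ts, client, code in events:
        if not throttle.allow(client, code, ts):
            refused[client] += 1
    return dict(refused)


# Constructed sample events: one traveler re-checking the code quoted in the
# article, and one client cycling through eight made-up codes in a few seconds.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", "8EI29V") for t in (0, 60, 3600)]
    + [(10 + i, "203.0.113.9", f"TEST{i:02d}") for i in range(8)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

A throttle like this only slows guessing down; it does not supply the first authentication factor the researchers say is missing.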
To protect yourself, the best shot you’ve got is to not reveal the PNR on your tickets to anyone. The other thing GDSs can do is upgrade their entire system to meet modern-day threats and probably do away with the six-digit codes they currently give. If you think this is not a big deal, then maybe imagine a scenario where you get to the airport only to find out that your flight booking has just been canceled.