Researchers have warned that inadequate security measures in travel booking systems expose passengers' personal information and allow attackers to steal tickets and passenger data.
At the 33rd Chaos Communication Congress in Hamburg, Germany, security researchers Nemanja Nikodijevic and Karsten Nohl of Security Research Labs explained in detail a vulnerability affecting the major travel booking systems and demonstrated how easy it is to exploit these popular services.
Their analysis focused on Global Distribution Systems (GDS), which serve as a central point for service providers (e.g. hotels, airlines, travel agencies) to manage reservations. The records stored by these systems, called passenger name records (PNR), can include the traveller's name, ticket data, contact information, passport number, itinerary, date of birth and even payment information. The world's top GDS providers are Sabre, Amadeus and Travelport.
One of the main problems, according to Nohl and Nikodijevic, is that the authentication scheme airlines, travel agencies and third-party service providers often rely on consists of nothing more than a booking code and the passenger's last name.
This code is typically a 6-character alphanumeric string. It is embedded in the barcode on the boarding pass and may also be printed in clear text on baggage tags. Since some travellers share pictures of their boarding passes on social media, it is not difficult for fraudsters and cybercriminals to obtain these codes.
Another problem that drew considerable attention is that these authenticators can also be obtained by brute force, as some web services have neglected to implement rate-limiting mechanisms. In some cases, GDS providers exclude certain characters (e.g. "0" and "1" might be excluded because they can be confused with "O" and "I") or assign booking codes sequentially, making brute-force attacks even more efficient.
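As an added illustration of why character exclusions and missing rate limits matter (this is not code from the researchers or from any GDS provider), the following Python quantifies the booking-code search space and shows a sliding-window limiter keyed on client and last name that a lookup endpoint could apply; the alphabet, the failure threshold, the window length and the sample client address are assumptions.

```python
"""Defensive example: size the booking-code search space and throttle lookups.
Constructed example; thresholds and alphabet are assumptions, not GDS values."""
import string
from collections import defaultdict, deque

FULL_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
CODE_LENGTH = 6

def keyspace(excluded: str = "") -> int:
    """Possible 6-character codes once confusable symbols (e.g. '0', '1') are dropped."""
    alphabet = [c for c in FULL_ALPHABET if c not in excluded.upper()]
    return len(alphabet) ** CODE_LENGTH

def hours_to_exhaust(excluded: str = "", requests_per_second: float = 100.0) -> float:
    """Hours an unthrottled client needs to try every code at the given request rate."""
    return keyspace(excluded) / requests_per_second / 3600

class LookupRateLimiter:
    """Sliding-window limiter for 'booking code + last name' lookups.
    Keyed on (client, last_name) so repeated wrong codes for one traveller are
    throttled even though the code changes on every request."""
    def __init__(self, max_failures: int = 5, window_seconds: float = 900.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of failed lookups

    def allowed(self, client: str, last_name: str, now: float) -> bool:
        key = (client, last_name.strip().upper())
        q = self._failures[key]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, client: str, last_name: str, now: float) -> None:
        self._failures[(client, last_name.strip().upper())].append(now)

def simulate_guessing(limiter, attempts: int, rate_per_second: float) -> int:
    """Constructed stream of wrong codes for one last name; returns attempts admitted."""
    admitted = 0
    for i in range(attempts):
        t = i / rate_per_second   # constructed timestamps, client address is RFC 5737 test space
        if limiter.allowed("203.0.113.7", "Smith", t):
            admitted += 1
            limiter.record_failure("203.0.113.7", "Smith", t)
    return admitted

if __name__ == "__main__":
    print(f"full keyspace: {keyspace():,}  without 0/1: {keyspace('01'):,}")
    print(f"hours at 100 req/s with no limiter: {hours_to_exhaust('01'):.0f}")
    print(f"guesses admitted out of 1000 fast tries: {simulate_guessing(LookupRateLimiter(), 1000, 50)}")
```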
Once a traveller's booking code is obtained, an attacker can access personal information and abuse it for various purposes, including phishing and social engineering attacks. In the case of airline passengers, malicious actors could also steal flights and divert frequent flyer miles to their own accounts.