Given the high security at the airport, it would be logical to assume that airlines are equally rigorous about the security of their own systems. Researchers have recently discovered that this is far from the case: a number of airlines are not using adequate encryption in their booking and check-in systems.
Researchers at Wandera have found that multiple airlines using e-ticketing systems do not encrypt the check-in links they send to passengers. Because the link logs the passenger in automatically, a malicious actor on the same network as the victim could use it to view or change the victim's booking details or boarding pass.
They found eight airlines that do not encrypt check-in links: Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa.
In their report, they stated: “Our threat researchers discovered that these airlines sent unencrypted check-in links to passengers.” They also went on to say: “Upon clicking these unencrypted links, a passenger is directed to a site where they are logging in automatically to the check-in for their flight, and in some cases, they can then make certain changes to their booking and print off the boarding pass.”
An attacker on the same network as the passenger can intercept the check-in request with little effort, because the link, and the automatic login it triggers, travel over plain HTTP where anyone on the path can read them. The risk is compounded by the fact that many airports where passengers check in offer poorly secured public Wi-Fi networks.
Once logged in with the intercepted link, the attacker can view personal data associated with the booking, including the passenger's name and frequent-flyer number, and from there reach the rest of the personally identifiable information (PII) held for the booking: email address, name, travel document number and flight numbers.
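The following is an added example, not Wandera's tooling or any airline's code, showing two things a practitioner would want to check for the flaw described above: an audit of outbound check-in links that flags cleartext links carrying login data, and a reconstruction of what a passive observer on shared Wi-Fi sees when such a link is clicked. The host name `checkin.example-air.test`, the link formats and the parameter names (`pnr`, `surname`, `token`, and so on) are assumptions; the sample links and the captured request are constructed, not real airline traffic.

```python
"""Audit check-in links for the unencrypted-link weakness.

Added example, not Wandera's tooling or any airline's code.  Host names,
link formats and parameter names are hypothetical assumptions about how
an auto-login check-in link might be built.
"""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Query parameters that identify a booking well enough to log in as the
# passenger (assumed names; real airlines vary).
SENSITIVE_PARAMS = {"pnr", "booking", "surname", "lastname", "token"}


def audit_link(url: str) -> List[str]:
    """Return findings for one check-in link (empty list = no issue found)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    names = {k.lower() for k in parse_qs(parts.query)}
    exposed = sorted(names & SENSITIVE_PARAMS)
    findings = []
    if scheme == "http" and exposed:
        # The whole request line travels in cleartext: anyone on the path
        # (shared airport Wi-Fi included) can copy the URL and replay it.
        findings.append("cleartext URL carries login data: " + ", ".join(exposed))
    elif scheme == "http":
        findings.append("cleartext link; an on-path attacker can rewrite it")
    if scheme == "https" and exposed:
        # TLS hides the query string in transit, but a URL that doubles as a
        # credential still lands in browser history, proxy logs and Referer
        # headers, so an opaque one-time token is the better design.
        findings.append("login data in URL survives in logs/history: " + ", ".join(exposed))
    return findings


def wire_view(raw_request: bytes) -> Optional[str]:
    """Rebuild the URL an observer sees from a plaintext HTTP/1.1 request.

    Simulates the passive-interception step: over plain HTTP the request
    line and the Host header are readable by anyone on the network segment.
    Returns None for anything that is not a simple GET with a Host header.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    if method != "GET" or host is None:
        return None
    return f"http://{host}{path}"


# Constructed sample links, not real airline URLs.
SAMPLE_LINKS = {
    "weak": "http://checkin.example-air.test/login?pnr=ABC123&surname=SMITH",
    "better": "https://checkin.example-air.test/login?pnr=ABC123&surname=SMITH",
    "good": "https://checkin.example-air.test/t/3f1c0e9a",  # opaque one-time token over TLS
}

# Constructed packet payload: what an on-path observer captures when the
# "weak" link is clicked from a shared network.
CAPTURED_REQUEST = (
    b"GET /login?pnr=ABC123&surname=SMITH HTTP/1.1\r\n"
    b"Host: checkin.example-air.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, url in SAMPLE_LINKS.items():
        print(label, audit_link(url) or ["ok"])
    seen = wire_view(CAPTURED_REQUEST)
    print("observer reconstructs:", seen)
    print("replayable:", audit_link(seen))
```

Running the script shows the "weak" link flagged, the observer recovering the exact URL from the captured request, and that recovered URL auditing as replayable. The "better" link is still flagged, at lower severity, because moving the same credential-bearing URL to HTTPS only fixes the on-the-wire exposure; the "good" form (HTTPS plus an opaque, short-lived token) is what an airline should be sending.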
Notifying the Airlines
Wandera says it has notified all the affected airlines as well as the relevant government agencies.
A spokesperson for Thomas Cook Airlines stated: “We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.”
Transavia stated that their IT teams are working to further enhance security on the link sent to customers as part of the check-in process.