The system used by millions of travelers each day to share data between travel agencies, airlines, passengers and websites is incredibly insecure. Security researchers have presented details that highlight just how easy it is to hack flight bookings.
German security firm SR Labs says that using nothing more than a traveler’s surname and a six-digit Passenger Name Record (PNR), it is possible to not only gather personal information about people, but also make changes to bookings.
SR Labs researchers Karsten Nohl and Nemanja Nikodijevic provided details of their findings at the 33rd Chaos Communications Congress in Hamburg. They show that antiquated Global Distribution Systems (GDS) are worryingly insecure, placing vast amounts of personal information within easy reach of hackers. Details such as names, addresses, credit card information and travel plans are all easily accessible with two readily available pieces of information.
The system dates back to the 1960s, and it has not been updated largely thanks to the ease with which it allows travelers to check in online, and for price comparison websites to do their thing. But the reliance on surname and PNR is a very weak link, as Nohl explains:
If the PNR is supposed to be a secure password, then it should be treated like one. But they don’t keep it secret: it is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a barcode.
Even the barcoded version of the data is easily read, and travelers often make things easy for would-be hackers by simply throwing their boarding passes in the trash, or even posting photos of them online as part of their travel excitement.
The potential for harm from the information reachable with a surname and PNR alone is great enough, but that access can also expose further personal information, which could then be used to launch a series of sophisticated and highly targeted phishing attacks. So what’s the solution? Nohl says:
In the short term, at the very least we should expect websites that give access to travelers’ personal information to have the bare minimum of web security, and this includes at the very least some rate limiting. And until passwords and other security measures become common, I think we have a right to know who accesses our records and there must be some accountability, especially knowing how insecure these systems are today.
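One way a booking-lookup site could implement the rate limiting and access accountability Nohl asks for, as an added example that is not SR Labs' or any airline's or GDS vendor's code: it throttles surname + PNR lookups per client and per record over a sliding window, and keeps an audit trail of who queried which record and with what result. The booking data, PNRs, client ids, limits and the FakeClock are constructed assumptions.

```python
from collections import defaultdict, deque
import time

# Constructed sample bookings keyed by PNR; values are made up, not real records.
BOOKINGS = {"123456": {"surname": "Mustermann", "flight": "XX123"},
            "654321": {"surname": "Doe", "flight": "XX456"}}


class BookingLookupGuard:
    """Throttle surname+PNR lookups per client and per record, and keep an audit trail."""

    def __init__(self, per_client=5, per_record=3, window=60.0, clock=time.monotonic):
        self.per_client = per_client    # attempts one client may make per window
        self.per_record = per_record    # failed guesses one record tolerates per window
        self.window = window            # window length in seconds
        self.clock = clock              # injectable so tests run deterministically
        self.client_hits = defaultdict(deque)   # client_id -> attempt timestamps
        self.record_fails = defaultdict(deque)  # pnr -> failed-attempt timestamps
        self.audit = []                         # (time, client_id, pnr, outcome)

    def _prune(self, q, now):
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()

    def lookup(self, client_id, pnr, surname, bookings=BOOKINGS):
        now = self.clock()
        hits, fails = self.client_hits[client_id], self.record_fails[pnr]
        self._prune(hits, now)
        self._prune(fails, now)
        if len(hits) >= self.per_client:
            outcome = "rate_limited"        # this client is querying too fast
        elif len(fails) >= self.per_record:
            outcome = "record_locked"       # this record is being guessed at
        else:
            hits.append(now)
            record = bookings.get(pnr)
            if record and record["surname"].casefold() == surname.casefold():
                outcome = "ok"
            else:
                fails.append(now)           # a miss counts against the record
                outcome = "denied"
        self.audit.append((now, client_id, pnr, outcome))  # accountability trail
        return outcome, (bookings[pnr] if outcome == "ok" else None)

    def accesses_for(self, pnr):
        """Who touched this record and with what result (what a traveler could be shown)."""
        return [(client, outcome) for _, client, p, outcome in self.audit if p == pnr]


class FakeClock:  # constructed clock so the example runs without sleeping
    def __init__(self, t=0.0): self.t = t
    def __call__(self): return self.t
```

The per-record lockout also blocks the genuine traveler while a record is under guessing pressure, which is the trade-off of throttling on a six-digit secret; a production site would pair it with a second factor rather than relying on the lockout alone.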
Image credit: Bokic Bojan/ Shutterstock