Let me check my Rolodex… T for Travel Agent …
Legacy travel booking systems disclose travellers’ private information, security researchers warn.
Travel bookings worldwide are maintained in a handful of Global Distribution Systems (GDS) built around mainframe computers that have since been linked to the web without adequate security controls, say the researchers. “The systems have since been interwoven with web services, but still lack several web security best practices,” according to researchers from German security firm Security Research Labs.
The three largest travel booking systems – Amadeus, Sabre, and Travelport – administer more than 90 per cent of flight reservations as well as numerous hotel, car, and other travel bookings.
All three systems use a booking code (aka PNR Locator, a six-character alphanumeric string such as 8EI29V) to access and change travellers’ information.
This code doubles as the authenticator, and it is printed on boarding passes and luggage tags. The firm claims anybody able to find or take a photo of the pass or tag can theoretically access the traveller’s information – including email address and phone number – through the GDS or an airline’s website.
Traveller information is also at risk because a six-character code is short enough to be guessed by brute force, say the researchers. Two of the three main GDSes assign booking codes sequentially, so an attacker who has seen one recent code can narrow the guesses to the small range around it.
Airlines and GDSes do not block IP addresses after large numbers of failed lookup attempts, claims the firm. “Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” the researchers conclude.
Obtaining a booking code opens the door to all manner of abuse, the researchers claim.
The booking overview typically contains contact information such as phone number, email, postal address, travel dates and preferences, and often passport information. Worse yet, most airlines allow flight changes – some even cancellations for a voucher – potentially allowing hackers to steal flight credits and travel for free.
By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights.
Lastly, knowing details of a booking that has just been made – which is possible in GDSes that use sequential booking codes – creates a launchpad for hackers to target travellers for social engineering, asking for their payment info or frequent traveller credentials, claims the firm.
El Reg invited Amadeus, Sabre, and Travelport to comment on the research. In a statement, Amadeus said it was reviewing the findings.
Amadeus is assessing the findings of the research on travel industry security, and we have upgraded security to our own properties. We give the security of customer systems and data the highest priority and our systems and processes are under continuous review.
We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems.
Travelport offered a generic statement (below) saying that it takes security seriously without commenting on the specifics of Security Research Labs’ research.
Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively and lead.
As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem.
In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide.
We’ve yet to hear back from Sabre.
“Global booking systems have pioneered many technologies including cloud computing,” the researchers conclude. “Now is the time to add security best practices that other cloud users have long taken for granted.”
“In the short-term, all websites that allow access to traveller records should require proper brute-force protection in the form of CAPTCHAs and retry limits per IP address,” they add.
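To make the two points above concrete, here is an added example (not code from Security Research Labs, the article or any GDS): a toy model of a booking-lookup endpoint that takes a last name and a locator, with and without the per-IP retry limit the researchers recommend. The 36-symbol alphabet, the treatment of sequential codes as adjacent base-36 numbers, the booking records, the IP address and the limit of three failures per IP are all assumptions made for the illustration.

```python
import string
from collections import defaultdict

# The article describes the locator as a six-character alphanumeric string.
# Assumption: all 26 letters and 10 digits are usable (a real GDS that drops
# ambiguous symbols only shrinks this keyspace further).
ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 6


def keyspace() -> int:
    """Number of possible locators with no other knowledge: 36**6, about 2.2 billion."""
    return len(ALPHABET) ** CODE_LEN


def code_to_int(code: str) -> int:
    """Treat a locator as a base-36 number so sequentially issued codes are adjacent."""
    n = 0
    for ch in code.upper():
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


def int_to_code(n: int) -> str:
    """Inverse of code_to_int, padded to CODE_LEN with ALPHABET[0]."""
    out = []
    for _ in range(CODE_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(reversed(out))


# Constructed sample bookings (locator -> passenger last name). The codes are
# deliberately consecutive to model a GDS that assigns locators sequentially.
BOOKINGS = {
    "8EI29V": "MUSTERMANN",
    "8EI29W": "SMITH",
    "8EI29X": "NGUYEN",
    "8EI29Y": "GARCIA",
    "8EI292": "DOE",
}


class LookupService:
    """Booking lookup that requires last name plus locator, as the article describes.

    max_failures=None models a site with no brute-force protection; an integer
    adds a per-IP retry limit (the assumption here: block after that many misses).
    """

    def __init__(self, bookings, max_failures=None):
        self.bookings = bookings
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def lookup(self, ip: str, code: str, last_name: str) -> str:
        if self.max_failures is not None and self.failures[ip] >= self.max_failures:
            return "blocked"
        if self.bookings.get(code.upper()) == last_name.upper():
            return "found"
        self.failures[ip] += 1
        return "not found"


def brute_force(service, ip, last_name, seen_code, window):
    """Model the attack described in the article: the attacker knows a last name
    and one recently issued locator (e.g. from a photographed boarding pass) and
    tries the `window` codes issued after it. Returns (codes found, lookups made)."""
    start = code_to_int(seen_code)
    found, attempts = [], 0
    for i in range(1, window + 1):
        attempts += 1
        guess = int_to_code(start + i)
        result = service.lookup(ip, guess, last_name)
        if result == "blocked":
            break
        if result == "found":
            found.append(guess)
    return found, attempts


def run_demo():
    """Same attacker, same knowledge, against the unprotected and protected endpoint."""
    attacker_ip = "203.0.113.7"  # documentation range, constructed
    unprotected = LookupService(BOOKINGS)
    protected = LookupService(BOOKINGS, max_failures=3)
    return {
        "unprotected": brute_force(unprotected, attacker_ip, "DOE", "8EI29V", 50),
        "protected": brute_force(protected, attacker_ip, "DOE", "8EI29V", 50),
    }


if __name__ == "__main__":
    print(f"locators with no prior knowledge: {keyspace():,}")
    for name, (found, attempts) in run_demo().items():
        print(f"{name}: found {found} after {attempts} lookups")
```

Against the unprotected endpoint the attacker recovers DOE's locator on the seventh guess instead of searching billions of codes, which is the point the researchers make about sequential assignment; with a three-failure limit the same IP is cut off before it gets there. A per-IP limit is only the first step the researchers ask for, since an attacker with many addresses will spread the guesses, which is why they pair it with CAPTCHAs.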
Details of the research were presented at the 33C3 conference last week, in a talk entitled Where in the World Is Carmen Sandiego?: Becoming a secret travel agent (slide deck, PDF). A 60-minute video of the presentation is also available. ®