The lack of proper security mechanisms in travel booking systems exposes passengers’ personal information and allows fraudsters to steal tickets and loyalty bonuses, researchers have warned.
Last week, at the 33rd Chaos Communication Congress in Hamburg, Germany, Karsten Nohl and Nemanja Nikodijevic of Security Research Labs detailed the vulnerabilities affecting major travel booking systems and demonstrated how easily they can be exploited.
Their analysis has focused on Global Distribution Systems (GDS), which serve as a central point for service providers (e.g. airlines, hotels, travel agencies) to manage reservations. The records stored by these systems, called passenger name records (PNR), can include information such as name, contact information, ticket data, itinerary, passport number, date of birth and even payment information. The world’s top GDS providers are Amadeus, Sabre and Travelport.
One of the main problems, according to Nohl and Nikodijevic, is that airlines, travel agencies and third-party service providers often authenticate users based on the passenger’s last name and a booking code assigned when the reservation was made.
This code is typically a 6-digit alphanumeric string. It is embedded in the barcode found on the boarding pass and it may also be printed in clear text on baggage tags. Since some users share pictures of their boarding pass on social media websites, it might not be difficult for fraudsters and cybercriminals to obtain such codes.
Another problem highlighted by the experts is the fact that these authenticators can often be obtained using brute force as some web services have neglected to implement rate limiting mechanisms. In some cases, GDS providers exclude certain characters (e.g. “0” and “1” might be excluded as they can be confused with “O” and “I”) or they assign booking codes sequentially, making brute-force attacks even more efficient.
Once a traveler’s booking code is obtained, an attacker can gain access to personal information and abuse it for various purposes, including phishing and social engineering attacks. In the case of airline passengers, malicious actors could also steal flights and divert frequent flyer miles to their own account.
“In the short-term, all web sites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address,” the researchers said. “In the mid-term, traveler bookings need to be secured with proper authentication, at the very least with a changeable password.”
SecurityWeek has reached out to Amadeus, Sabre and Travelport for comment. Travelport believes the research is flawed and misleading.
“Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively in and lead in,” Travelport said in an emailed statement. “As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem. In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide.”
Sabre says it has numerous layers of security in place, but the company believes that discussing how it maintains the security and privacy of travelers undermines those safeguards and the security of its systems.
“Amadeus has upgraded security to its own properties, and will continue to defend against ‘brute force attacks’,” an Amadeus spokesperson told SecurityWeek. “We are also assessing broader industry issues and will work with our partners to address these and seek solutions to potential problems.”
Travel expert Edward Hasbrouck has been trying to raise awareness of these weaknesses since 2002, but he says service providers have only taken limited steps to address the issues.
*Updated with statement from Sabre and Amadeus