Travel Booking Systems Expose User Data: Researchers

The lack of proper security mechanisms in travel booking systems exposes passengers’ personal information and allows fraudsters to steal tickets and loyalty bonuses, researchers have warned.

Last week, at the 33rd Chaos Communication Congress in Hamburg, Germany, Karsten Nohl and Nemanja Nikodijevic of Security Research Labs detailed the vulnerabilities affecting major travel booking systems and demonstrated how easily they can be exploited.

Their analysis focused on Global Distribution Systems (GDS), which serve as a central point for service providers (e.g. airlines, hotels, travel agencies) to manage reservations. The records stored by these systems, called passenger name records (PNR), can include information such as name, contact details, ticket data, itinerary, passport number, date of birth and even payment information. The world’s top GDS providers are Amadeus, Sabre and Travelport.

One of the main problems, according to Nohl and Nikodijevic, is that airlines, travel agencies and third-party service providers often authenticate users based on the passenger’s last name and a booking code assigned when the reservation was made.

This code is typically a 6-character alphanumeric string. It is embedded in the barcode on the boarding pass and may also be printed in clear text on baggage tags. Since some travelers share pictures of their boarding passes on social media, it may not be difficult for fraudsters and cybercriminals to obtain such codes.

Another problem highlighted by the experts is that these authenticators can often be obtained by brute force, as some web services have neglected to implement rate limiting. In some cases, GDS providers exclude certain characters (e.g. “0” and “1” might be excluded because they can be confused with “O” and “I”) or assign booking codes sequentially, making brute-force attacks even more efficient.

Once a traveler’s booking code is obtained, an attacker can gain access to personal information and abuse it for various purposes, including phishing and social engineering attacks. In the case of airline passengers, malicious actors could also steal flights and divert frequent flyer miles to their own account.

“In the short-term, all web sites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address,” the researchers said. “In the mid-term, traveler bookings need to be secured with proper authentication, at the very least with a changeable password.”
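The brute-force exposure described above and the researchers’ short-term fix, as an added example (not code from Security Research Labs or from any GDS): `keyspace` shows how excluding confusable characters shrinks the space of 6-character codes, and `RetryLimiter` applies per-IP retry limits to a hypothetical (last name, booking code) lookup. The booking record and IP addresses are constructed sample values.

```python
import time
from collections import defaultdict, deque
from string import ascii_uppercase, digits

# Constructed sample data: a hypothetical PNR keyed by (booking code, last name).
BOOKINGS = {
    ("ABC234", "MUSTERMANN"): {"itinerary": "HAM-BER", "passport": "C01X00T47"},
}

def keyspace(length=6, alphabet=ascii_uppercase + digits, excluded=""):
    """Number of possible booking codes; excluding confusable characters shrinks it."""
    usable = [c for c in alphabet if c not in excluded]
    return len(usable) ** length

class RetryLimiter:
    """Sliding window of failed lookups per client IP ('retry limits per IP address')."""
    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.max_failures

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self.failures[ip].append(now)

def lookup_booking(limiter, ip, code, last_name, now=None):
    """Return the PNR for a correct (code, last name) pair; None on a miss or while the IP is blocked."""
    if limiter.is_blocked(ip, now):
        return None  # blocked: refuse without evaluating the credentials
    record = BOOKINGS.get((code.strip().upper(), last_name.strip().upper()))
    if record is None:
        limiter.record_failure(ip, now)
    return record
```

With the page’s example of dropping “0”, “1”, “O” and “I”, the 36-character alphabet becomes 32 characters and the code space shrinks from 36^6 to 32^6, roughly halving it; the limiter is what keeps that space from being walked from a single address.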

SecurityWeek has reached out to Amadeus, Sabre and Travelport for comment. Travelport believes the research is flawed and misleading.

“Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively in and lead in,” Travelport said in an emailed statement. “As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem. In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide.”

Sabre says it has numerous layers of security in place, but the company believes that discussing how it maintains the security and privacy of travelers undermines those safeguards and the security of its systems.

“Amadeus has upgraded security to its own properties, and will continue to defend against ‘brute force attacks’,” an Amadeus spokesperson told SecurityWeek. “We are also assessing broader industry issues and will work with our partners to address these and seek solutions to potential problems.”

Travel expert Edward Hasbrouck has been trying to raise awareness of these weaknesses since 2002, but he says service providers have only taken limited steps to address the issues.

*Updated with statement from Sabre and Amadeus

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
