Travel Booking Systems Expose User Data: Researchers

The lack of proper security mechanisms in travel booking systems exposes passengers’ personal information and allows fraudsters to steal tickets and loyalty bonuses, researchers have warned.

Last week, at the 33rd Chaos Communication Congress in Hamburg, Germany, Karsten Nohl and Nemanja Nikodijevic of Security Research Labs detailed the vulnerabilities affecting major travel booking systems and demonstrated how easily they can be exploited.

Their analysis has focused on Global Distribution Systems (GDS), which serve as a central point for service providers (e.g. airlines, hotels, travel agencies) to manage reservations. The records stored by these systems, called passenger name records (PNR), can include information such as name, contact information, ticket data, itinerary, passport number, date of birth and even payment information. The world’s top GDS providers are Amadeus, Sabre and Travelport.

One of the main problems, according to Nohl and Nikodijevic, is that airlines, travel agencies and third-party service providers often authenticate users based on the passenger’s last name and a booking code assigned when the reservation was made.

This code is typically a 6-character alphanumeric string. It is embedded in the barcode found on the boarding pass and it may also be printed in clear text on baggage tags. Since some users share pictures of their boarding pass on social media websites, it might not be difficult for fraudsters and cybercriminals to obtain such codes.

Another problem highlighted by the experts is the fact that these authenticators can often be obtained using brute force as some web services have neglected to implement rate limiting mechanisms. In some cases, GDS providers exclude certain characters (e.g. “0” and “1” might be excluded as they can be confused with “O” and “I”) or they assign booking codes sequentially, making brute-force attacks even more efficient.

Once a traveler’s booking code is obtained, an attacker can gain access to personal information and abuse it for various purposes, including phishing and social engineering attacks. In the case of airline passengers, malicious actors could also steal flights and divert frequent flyer miles to their own account.

“In the short-term, all web sites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address,” the researchers said. “In the mid-term, traveler bookings need to be secured with proper authentication, at the very least with a changeable password.”
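To put numbers on the weakness described above and to show what the recommended short-term fix looks like in practice, here is an added example (not code from the researchers or from any GDS): it computes the booking-code search space with and without the excluded look-alike characters, and wraps a hypothetical PNR lookup in a per-IP retry limit. The record, IP addresses and booking code below are constructed sample data.

```python
import time
from collections import defaultdict

# Search space of a booking code: 36^6 when all digits and letters are
# allowed, smaller once a provider drops look-alike characters such as
# "0" and "1" (figures from the article; the calculation is an illustration).
def pnr_keyspace(length=6, alphabet_size=36, excluded=0):
    return (alphabet_size - excluded) ** length

class PnrLookupGuard:
    """Per-IP retry limit for a PNR lookup endpoint, the short-term measure
    the researchers call for. Hypothetical helper, not any GDS's real code."""
    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)  # ip -> timestamps of failed lookups

    def _prune(self, ip, now):
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.window]

    def allow(self, ip, now):
        self._prune(ip, now)
        return len(self.failures[ip]) < self.max_failures

    def record_failure(self, ip, now):
        self.failures[ip].append(now)

def lookup_pnr(guard, records, ip, last_name, code, now=None):
    """Return 'ok', 'denied' or 'rate_limited'. A wrong code and a wrong name
    get the same answer so the endpoint does not reveal which half was wrong."""
    now = time.time() if now is None else now
    if not guard.allow(ip, now):
        return "rate_limited"
    rec = records.get(code.upper())
    if rec is not None and rec["last_name"].casefold() == last_name.casefold():
        return "ok"
    guard.record_failure(ip, now)
    return "denied"

# Constructed sample record (not a real PNR) and a short walk-through.
RECORDS = {"AB2CD3": {"last_name": "Mustermann", "flight": "XX123"}}

if __name__ == "__main__":
    print("full keyspace:", pnr_keyspace())
    print("without 0 and 1:", pnr_keyspace(excluded=2))
    guard = PnrLookupGuard(max_failures=3)
    for i in range(5):  # fourth and fifth wrong attempts are refused outright
        print(lookup_pnr(guard, RECORDS, "198.51.100.7", "Mustermann", f"AB2CD{i}", now=1000 + i))
```

The per-IP limit is only the first layer; the researchers pair it with Captchas and, mid-term, a changeable password, since a distributed attacker can spread attempts over many addresses.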


SecurityWeek has reached out to Amadeus, Sabre and Travelport for comment. Travelport believes the research is flawed and misleading.

“Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively in and lead in,” Travelport said in an emailed statement. “As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem. In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide.”

Sabre says it has numerous layers of security in place, but the company believes that discussing how it maintains the security and privacy of travelers undermines those safeguards and the security of its systems.

“Amadeus has upgraded security to its own properties, and will continue to defend against ‘brute force attacks’,” an Amadeus spokesperson told SecurityWeek. “We are also assessing broader industry issues and will work with our partners to address these and seek solutions to potential problems.”

Travel expert Edward Hasbrouck has been trying to raise awareness of these weaknesses since 2002, but he says service providers have only taken limited steps to address the issues.

*Updated with statement from Sabre and Amadeus


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
