Researchers have warned that inadequate security in legacy travel booking systems lets attackers obtain personal information and steal tickets and loyalty bonuses with nothing more than the booking code printed on a boarding pass or a luggage tag.
Security Research Labs (SRLabs) delivered the bad news last week, explaining that the three largest global distribution systems (GDSs), Amadeus, Sabre and Travelport, which together cover about 90 percent of the industry, do not even offer a first authentication factor. A booking code alone can be used to read and change a traveler's information.
The booking codes (also known as PNR locators), usually a six-character alphanumeric string such as 8EI29V and issued for every booking, are printed on boarding passes and luggage tags. Anyone who can read one, even someone simply walking past a luggage check-in or pick-up counter, can get at the booking.
If that is not bad enough, the systems, many of which date to the 1960s and 1970s, also place no limit on the number of lookups a client may make. That means an attacker can brute-force the system, or in simpler terms generate booking codes and see which ones return a booking. An attacker looking for a specific person needs only a reference point, because booking codes are issued sequentially: the target's code lies close to one the attacker already knows, so only a small neighbourhood of codes has to be tried rather than the whole space.
According to PC World, this means that personal details being so easily accessible opens the door to a great deal of abuse. That includes an attacker stealing a flight booking by canceling it and collecting the voucher for another flight, and stealing frequent flyer miles.
The report further notes that the lack of security enables phishing: an attacker who has obtained the details of a booking can target that traveler with a convincing message, asking for payment information or frequent flyer credentials.
Perhaps not surprisingly, the researchers suggest that the way to overcome this is to apply security best practices to these systems. In the short term that means brute-force protection, in the form of captchas and retry limits on the websites that give access to traveler records. In the medium term, traveler bookings should be secured with proper authentication, "at the very least with a changeable password."
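The two points above, enumeration of sequentially issued codes around a known reference and the per-client retry limit the researchers propose as the short-term fix, are easier to grasp in code. The following is an added simulation written for this page; it is not SRLabs' code and not any GDS's implementation. The 36-symbol alphabet, the sample bookings, the client identifier and the lockout after three failed lookups are all constructed assumptions, and whether a given airline really issues codes back to back is the researchers' finding, not something this snippet establishes.

```python
"""Simulation of the booking-code brute force described in the article and
of a retry limit as the short-term fix. Added illustration only: not SRLabs'
code nor any GDS's. Alphabet, bookings and limits are constructed."""
import string

ALPHABET = string.digits + string.ascii_uppercase   # assumed 36-symbol alphabet
CODE_LEN = 6
KEYSPACE = len(ALPHABET) ** CODE_LEN                # 36^6 = 2,176,782,336 codes


def code_to_int(code):
    """Base-36 value of a six-character booking code."""
    value = 0
    for ch in code.upper():
        value = value * len(ALPHABET) + ALPHABET.index(ch)
    return value


def int_to_code(value):
    """Inverse of code_to_int, zero-padded to six characters."""
    chars = []
    for _ in range(CODE_LEN):
        value, rem = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))


# Constructed sample bookings. They were "issued" one after another, as the
# article describes, so unrelated travelers' codes sit next to each other.
BASE = code_to_int("8EI29V")
BOOKINGS = {
    int_to_code(BASE + i): {"last_name": name, "flight": "XY123", "miles": miles}
    for i, (name, miles) in enumerate([("DOE", 12000), ("ROE", 800), ("POE", 51000)])
}


def lookup_unprotected(client, code):
    """The weak endpoint: the code alone is the credential, and nothing
    limits how many codes one client may try. `client` is ignored."""
    return BOOKINGS.get(code)


class RetryLimitedLookup:
    """The same lookup behind a per-client retry limit: after max_failures
    misses the client is refused further lookups."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def lookup(self, client, code):
        if client in self.locked:
            raise PermissionError("client locked out after repeated failures")
        record = BOOKINGS.get(code)
        if record is None:
            self.failures[client] = self.failures.get(client, 0) + 1
            if self.failures[client] >= self.max_failures:
                self.locked.add(client)
        return record


def enumerate_around(lookup, reference, radius, client="attacker"):
    """Try every code within +/- radius of a reference code (one read off a
    luggage tag, say) and return the bookings that come back. Stops as soon
    as the endpoint refuses the client."""
    found = {}
    start = code_to_int(reference)
    for offset in range(-radius, radius + 1):
        code = int_to_code(start + offset)
        try:
            record = lookup(client, code)
        except PermissionError:
            break
        if record is not None:
            found[code] = record
    return found


if __name__ == "__main__":
    print("full keyspace:", KEYSPACE)
    print("unprotected:", enumerate_around(lookup_unprotected, "8EI29V", 5))
    guard = RetryLimitedLookup(max_failures=3)
    print("retry-limited:", enumerate_around(guard.lookup, "8EI29V", 5))
```

Against the unprotected endpoint, eleven lookups around one known code recover every booking issued next to it, even though the full keyspace holds over two billion codes; against the retry-limited endpoint the same scan is cut off after three misses before it reaches a single record. The same per-client counter would sit in front of the password check the researchers recommend for the medium term.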