UPDATED 20:17 EST / JANUARY 02 2017


Researchers find travel booking systems are easily hackable – even from luggage tags

Researchers have warned that inadequate security in legacy travel booking systems allows hackers to easily obtain personal information and steal tickets and loyalty bonuses — even from luggage tags.

Security Research Labs delivered the bad news last week, explaining that the three largest “global distributed systems” — Amadeus, Sabre and Travelport, which cover 90 percent of the industry — do not even offer a first authentication factor. A booking code alone can be used to access and change a traveler’s information.

The booking codes, usually a 6-digit alphanumeric string (such as 8EI29V) and common to every traveler, are printed on boarding passes and luggage tags. Anyone who can see one, even someone simply walking by a luggage check-in or pick-up counter, can use it to gain access.

If that’s not bad enough, the systems, many of which date to the 1960s and 1970s, combine the complete lack of authentication with no limit on queries. That means a hacker can brute-force the system, or in simpler terms, generate booking codes to see what comes up. Hackers looking for the details of a specific person simply need a reference point, since the booking numbers themselves are issued sequentially.

According to PC World, having personal details so easily accessible throws the door open to a lot of abuse. That includes the possibility of hackers stealing a flight booking by canceling it and receiving a voucher for another flight, as well as stealing frequent flyer miles.

The report notes further that the lack of security opens the door for phishing attacks: A hacker who has obtained details of a booking could target a traveler for social engineering, asking for their payment info or frequent traveler credentials.

Perhaps not surprisingly, the researchers suggest that the way to overcome this issue is to add security best practices to these systems. That means first implementing brute-force protection in the form of Captchas and retry limits on websites that allow access to travelers’ records. In the medium term, traveler bookings should be secured with proper authentication “at the very least with a changeable password.”
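The retry limit and Captcha step the researchers suggest can be sketched as follows. This is an added example, not code from the researchers or from any booking system; the class name, thresholds, client identifier and sample booking record are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

BOOKINGS = {"8EI29V": "constructed sample booking record"}  # constructed data

CAPTCHA_AFTER = 3     # assumed: failed lookups before a CAPTCHA is demanded
BLOCK_AFTER = 10      # assumed: failed lookups before the client is refused
WINDOW_SECONDS = 600  # assumed: sliding window for counting failures


class LookupGuard:
    """Per-client retry limit in front of a booking-code lookup."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # client id -> failure timestamps

    def _recent_failures(self, client):
        q = self._failures[client]
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:  # drop failures older than the window
            q.popleft()
        return len(q)

    def lookup(self, client, code, captcha_ok=False):
        n = self._recent_failures(client)
        if n >= BLOCK_AFTER:
            return "blocked", None
        if n >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required", None
        record = BOOKINGS.get(code.strip().upper())
        if record is None:
            # Every miss counts, whichever code was tried, so walking
            # through sequential codes trips the limit quickly.
            self._failures[client].append(self._clock())
            return "not_found", None
        return "ok", record
```

A per-client counter only slows guessing from a single source; the changeable password the researchers call for is what stops the booking code from being the only secret.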
