Flight reservations can be easily hacked with a last name and PNR locator

Jos

TS Evangelist

These days it’s relatively simple to plan out a whole trip through a number of travel booking websites and aggregators. While this has certainly helped make one part of traveling less stressful, new research from Security Research Labs (SR Labs) is shedding light on just how poorly the systems that they rely on are protected. The problem is not with the travel booking websites themselves, but with the fact that the three major global distribution systems (GDS) used to manage the majority of travel reservations — Amadeus, Sabre, and Travelport — reportedly lack any kind of secure authentication.

Speaking at the 33rd annual Chaos Communication Congress, the largest European computer security conference, researchers Karsten Nohl and Nemanja Nikodijevic demonstrated that with nothing more than your six-digit passenger name record (PNR), which is used globally to store flight reservations, a hacker could steal your airline miles, gain access to your personal information, cancel flights, and more.

These credentials are assigned by airlines and can be easily found on people’s luggage tags or boarding passes along with the traveler’s last name. These two pieces of data are often enough to access and manage travel records on airline and mileage program websites. It doesn’t help that thousands of people actually post pictures of their boarding pass online as a ‘humble brag’ while waiting to board their plane.

Moreover, even if you make an effort to conceal your PNR, the number and types of characters that can be used for this record must fall within a predetermined range, making it easier for hackers to target a specific last name and run through all the possibilities until they find a match. The researchers demonstrated this by reassigning a reporter to a seat next to a politician on a real flight.

“No matter where you book your flights, no matter what airline you fly, they all share similar issues. There’s no access control, no way to authenticate travelers, and no logging to track abuse,” the researchers claim.

They have notified the three main GDS systems of their findings and expect that some of the holes in the systems will be fixed soon, although others might require deeper changes in how the system works.
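The "no logging to track abuse" gap can be made concrete from the defender's side. The following is an added example, not code from the article or from SR Labs: it flags a last name when many distinct wrong locators are tried against it in a short window, counting across client IPs so that spreading guesses over several addresses does not hide the run. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lookup log (not real data):
# timestamp, client IP, last name, locator tried, outcome
SAMPLE_LOG = """\
2016-12-28T10:00:00 203.0.113.5 NGUYEN QX7T2M hit
2016-12-28T10:00:05 198.51.100.7 SMITH AAAA01 miss
2016-12-28T10:00:06 198.51.100.7 SMITH AAAA02 miss
2016-12-28T10:00:07 198.51.100.8 SMITH AAAA03 miss
2016-12-28T10:00:08 198.51.100.9 SMITH AAAA04 miss
2016-12-28T10:00:09 198.51.100.7 SMITH AAAA05 hit
2016-12-28T10:01:00 192.0.2.44 GARCIA K9PLW3 miss
2016-12-28T10:01:20 192.0.2.44 GARCIA K9PLW8 hit
2016-12-28T11:30:00 192.0.2.60 GARCIA ZZ12AB miss
"""

def parse(line):
    ts, ip, name, locator, outcome = line.split()
    return datetime.fromisoformat(ts), ip, name.upper(), locator.upper(), outcome

def find_enumeration(lines, window=timedelta(minutes=10), max_misses=3):
    """Flag last names with more than max_misses distinct wrong locators
    inside the window, counted across all client IPs (assumed thresholds)."""
    recent = defaultdict(deque)   # last name -> recent (time, ip, locator) misses
    alerts = {}
    for ts, ip, name, locator, outcome in sorted(parse(l) for l in lines if l.strip()):
        q = recent[name]
        while q and ts - q[0][0] > window:   # drop misses older than the window
            q.popleft()
        if outcome == "miss":
            q.append((ts, ip, locator))
            if len({loc for _, _, loc in q}) > max_misses:
                alert = alerts.setdefault(name, {"ips": set(), "hit_after": False})
                alert["ips"].update(i for _, i, _ in q)
        elif name in alerts and q:
            # A successful lookup on the heels of a guessing run: review that booking.
            alerts[name]["hit_after"] = True
    return alerts

if __name__ == "__main__":
    for name, alert in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(name, sorted(alert["ips"]), "hit after guesses:", alert["hit_after"])
```

A traveler who mistypes a locator once, as in the GARCIA lines, stays under the threshold; only the sustained run against SMITH is reported.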


 

Bigtruckseries

TS Evangelist
Passports are a huge "trust".

Trust that the governments are absolutely certain who individual people are.

Trust that the people are who they say they are.

Trust that people aren't frauding the system.

Ultimately any system isn't 100% perfect, but it's biometrics that has a better chance being more reliable so long as it doesn't get hacked.
 

Kibaruk

TechSpot Paladin
What the duck are you talking about?!

It's simply how airline systems confirm that the guy who is doing the changes is the one who is actually doing it. Stop vomiting on the keyboard, pretty please, has nothing to do with Passports, nor Governments, nor biometrics... gosh...
 

mbrowne5061

TS Evangelist
You're not familiar with BigTruck, are you? They tend to write their comment based exclusively on the headline and article picture.
 

Kibaruk

TechSpot Paladin
I'm amazed and disturbed at the same time... god why hasn't techspot implemented the ignore user over news mode... it's like... ffs read the ducking thing at least... it's bad enough when he vomits everything he thinks about whatever topic he "knows" about, but as you said... headline and picture... duck that... it annoys the duck out of me.
 

MattPD

TS Rookie
Admins must be slacking or like you.
Any time I saw anything about BigTrucks being annoying my comment gets deleted pretty quickly.
There really should be a block user function; there's a few people here I'd be glad to never hear from again.
 

Kibaruk

TechSpot Paladin
There is an Ignore option in forum mode, the only issue with that is that it doesn't work on newly released news on the homepage because they send you immediately into news mode in which it doesn't work.