At the recent Chaos Communication Congress, a cybersecurity conference in Germany, two researchers from SR Labs showed how the three major global distribution systems (GDS) are not using secure authentication. GDS is a system used for managing travel reservations where data is shared among travel agencies, airlines, and the passengers. The top three GDS providers in the field are Sabre, Amadeus, and Travelport.
Researchers Karsten Nohl and Nemanja Nikodijevic claimed that malicious actors could infiltrate these booking systems to alter passenger information and even cancel bookings. Most worryingly, the researchers said that they didn’t need much effort to do it, just the passenger’s last name and the six-digit Passenger Name Record (PNR).
The main problem? The GDS systems simply haven’t been updated. SR Labs claims that many of the legacy systems are failing to properly authenticate passengers beyond the PNR number. To add insult to injury, this PNR number is frequently shared in customer emails and can even in some cases be found printed on your luggage tags.
“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” said SR Labs in its report. “Instead, the booking code (aka PNR Locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”
Accessing a traveler’s account would allow a hacker to not only mess around with their flight arrangement but potentially obtain payment data or further information to carrying out phishing attacks.
“Global booking systems have pioneered many technologies including cloud computing. Now is the time to add security best practices that other cloud users have long taken for granted,” said SR Labs. “In the short-term, all websites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.”
