Slashdot Mirror


Frequent Flyer Points Put at Risk By Website Flaws (bbc.com)

Airline booking systems lack basic security checks that would stop attackers changing flight details or stealing rewards, warn experts. From a report on BBC: The problems emerge because the six-digit codes booking systems use to identify travellers are easy to guess. Two researchers demonstrated the weaknesses by changing a flight booking and seat assignment for a reporter. The security investigators presented their findings at the Chaos Communication Congress in Germany. In a blog detailing their work, Karsten Nohl and Nemanja Nikodijevic of Security Research Labs (SRL) said the computer systems behind the airlines' travel booking systems dated from the 1970s and 1980s. Though these have been updated with web services, they lack security systems that would prevent abuse, they said. In particular, they added, the systems have no way to check, or authenticate, who is querying the system for flight details.

19 comments

  1. now even /. puts out this overblown story by Anonymous Coward · · Score: 2, Informative

    Yes, it is easy to get access to flexible tickets. In many cases, figuring out last name plus eight-digit booking code is enough.

    This allows a hacker to rebook the flight (presumably, to an earlier date) free of charge. However, this leaves the issue of changing the name on the passenger name record. Even with the most expensive flex tickets, changing of the name is subject to fees. The airlines will require a payment and presumably apply the same security checks as it would with the purchase of a brand-new ticket.

    So in the end, it's not an easier way to steal airline tickets...

    1. Re:now even /. puts out this overblown story by matbury · · Score: 1

      True. It's more a source of annoyance and possibly sabotage than theft. After discovering that it's trivial to read passengers' personal and flight details as well as gain access to online booking from the QR codes on boarding passes, I now shred or archive all my printed travel materials. Certainly, never throw them in the garbage!

    2. Re: now even /. puts out this overblown story by Anonymous Coward · · Score: 0

      Actually, I want to apologize for my idiotic comment. The real issue is that Europeans don't know how to write quality software, so you end up with vulnerable garbage like this. Had the software been developed by American programmers, it wouldn't be vulnerable, and we wouldn't be having this conversation. I'd like to apologize for my previous post, which was moronic and contributed nothing of value to the discussion.

    3. Re: now even /. puts out this overblown story by Anonymous Coward · · Score: 0

      I look forward to your future post that apologizes for your latest post.

    4. Re:now even /. puts out this overblown story by ceoyoyo · · Score: 2

      Assigning all the frequent flier rewards to yourself is as good as stealing tickets if you can do it frequently enough.

    5. Re:now even /. puts out this overblown story by Anonymous Coward · · Score: 0

      My airline doesn't allow name changes at all unless the person has the same last name. If the person doesn't have the same last name, they issue a refund to the credit card, then buy you a new ticket for the same seat.

  2. Who cares? by 110010001000 · · Score: 0

    Seriously, who cares? Not everything needs to be 100% secure. Oh wait, some slashdotter will point out that some assassin will use this to change some journalist's seat on an airplane so they can attack them or something. Codes have been six digits for decades and it hasn't been a problem.

    1. Re:Who cares? by Anonymous Coward · · Score: 0

      Some slashdotter should also point out that this can be used to change flight dates and access a flyer's personal information.

      True, not everything needs to be secure. This does.

  3. SABRE! by Anonymous Coward · · Score: 0

    Loves ya baby! It's the American way to fly!

    1. Re: SABRE! by Anonymous Coward · · Score: 0

      Same AC here. I'm an idiot. The story is clearly about inferior and vulnerable European software, which should surprise nobody at all. In my haste to make a stupid comment about Americans, I failed to notice that this story is about poorly-designed software created by Europeans. Please disregard my previous post.

    2. Re: SABRE! by Anonymous Coward · · Score: 0

      I agree with the second statement in your most recent post.

  4. Go ahead, try to steal my points by damn_registrars · · Score: 2

    All my points disappeared without notice a while back when I went over a year without flying. Thanks a lot, United Airlines. Glad my loyalty meant so much to you. Not that I could have done anything useful with 30,000 miles anyway...

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Go ahead, try to steal my points by Anonymous Coward · · Score: 0

      I "lost" over 100,000 miles at one time when I thought there was no expiration, and the policy was changed so they expired after 18 months with no activity. I called customer service, and got them back for a limited time. I then bought a $40 item on the "Sky Mall" extending the miles for another 18 months. Later, my wife and I flew to the UK first class...best flight ever. Thanks United! (no guarantee that this will work for you...but did you try?).

    2. Re:Go ahead, try to steal my points by Obfuscant · · Score: 1

      All my points disappeared without notice a while back when I went over a year without flying. Thanks a lot, United Airlines.

      The MileagePlus website shows the expiration date for accrued miles. Mine is sometime in 2018, currently.

      For those who don't use United, they used to have a four-digit PIN code to go with the MileagePlus identifier. It was published how easy it was to break in using that system, so United went to a system with a user-selectable password. In addition, they now alert whenever a user accesses through an unrecognized device, prompting a two- or three-security-question test before allowing access.

      I don't know what the "six-digit code" being referred to is. There is a six character record identifier attached to each itinerary. The difference between 1 million possibilities and the 2,176,782,336 (>2 billion) is significant when it comes to "guessing".
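An added example, not part of the thread, the BBC report or the SRL research: a toy Python model of the weakness the summary describes (record locator plus surname as the only "credential", with nothing authenticating or limiting who queries) beside a throttled version of the same lookup. The two code-space sizes match the arithmetic in the comment above (10^6 for six digits, 36^6 for six alphanumerics); everything else, including the booking data, the 3-digit demo codes, the attempt cap and the query rate used in the usage note, is constructed for illustration and does not describe any real airline or reservation system.

```python
import itertools
import string
from collections import defaultdict

# Two candidate code spaces: the "six-digit code" of the BBC summary and the
# six-character alphanumeric record locator described in the comment above.
DIGITS = string.digits                          # 10 symbols
ALNUM = string.digits + string.ascii_uppercase  # 36 symbols


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct codes of `length` symbols drawn from `alphabet`."""
    return len(alphabet) ** length


def hours_to_exhaust(alphabet: str, length: int, queries_per_second: float) -> float:
    """Wall-clock hours to try every code at a sustained (assumed) query rate."""
    return keyspace(alphabet, length) / queries_per_second / 3600.0


class UnauthenticatedLookup:
    """Vulnerable pattern: locator + surname is the whole 'credential', and
    nothing limits how many locators one client may try against a surname."""

    def __init__(self, bookings):
        # bookings: {(locator, surname): details} -- constructed sample data
        self._bookings = {(loc.upper(), name.upper()): d
                          for (loc, name), d in bookings.items()}
        self.queries = 0  # lookups the service has answered

    def lookup(self, locator, surname, client_id="anon"):
        self.queries += 1
        return self._bookings.get((locator.upper(), surname.upper()))


class ThrottledLookup(UnauthenticatedLookup):
    """Hardened pattern: refuse further lookups for a (client, surname) pair after
    `max_failures` misses. This is throttling, not authentication: it raises the
    cost of enumeration, but a real fix also needs a per-booking secret that is
    not guessable (for example a one-time code sent to the booking's contact)."""

    def __init__(self, bookings, max_failures=5):
        super().__init__(bookings)
        self.max_failures = max_failures
        self._failures = defaultdict(int)

    def lookup(self, locator, surname, client_id="anon"):
        key = (client_id, surname.upper())
        if self._failures[key] >= self.max_failures:
            raise PermissionError("lookup locked after repeated failures")
        hit = super().lookup(locator, surname, client_id)
        if hit is None:
            self._failures[key] += 1
        else:
            self._failures[key] = 0
        return hit


def enumerate_locators(service, surname, alphabet, length, client_id="attacker"):
    """Attacker who knows a surname walks the whole code space in order.
    Returns (locator, details) on a hit; None if locked out or exhausted."""
    for combo in itertools.product(alphabet, repeat=length):
        code = "".join(combo)
        try:
            hit = service.lookup(code, surname, client_id)
        except PermissionError:
            return None
        if hit is not None:
            return code, hit
    return None


# Constructed demo booking; 3-digit codes keep the full walk short enough to run.
SAMPLE_BOOKINGS = {("482", "Smith"): {"flight": "XX123", "seat": "14C"}}


def demo():
    weak = UnauthenticatedLookup(SAMPLE_BOOKINGS)
    found = enumerate_locators(weak, "smith", DIGITS, 3)
    hardened = ThrottledLookup(SAMPLE_BOOKINGS, max_failures=5)
    blocked = enumerate_locators(hardened, "smith", DIGITS, 3)
    return {
        "weak_result": found,            # ("482", {...}) after 483 queries
        "weak_queries": weak.queries,
        "hardened_result": blocked,      # None: locked out after 5 misses
        "hardened_queries": hardened.queries,
        "digits6": keyspace(DIGITS, 6),  # 1,000,000
        "alnum6": keyspace(ALNUM, 6),    # 2,176,782,336
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unthrottled service the attacker needs only a known surname and patience: at an assumed 100 queries per second, a six-digit space is exhausted in under three hours, while the six-alphanumeric space takes roughly 250 days, which is the gap the comment above is pointing at. The throttled service stops the same walk after five misses; the caveat is that an attacker who spreads guesses over many client identities or many surnames sidesteps a per-pair cap, so the limit has to be paired with a real authentication factor rather than relied on alone.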

    3. Re:Go ahead, try to steal my points by damn_registrars · · Score: 1

      I "lost" over 100,000 miles at one time when I thought there was no expiration, and the policy was changed so they expired after 18 months with no activity. I called customer service, and got them back for a limited time. I then bought a $40 item on the "Sky Mall" extending the miles for another 18 months.

      They sent me a letter at one point telling me that my miles were going to expire and listing a few things I could do to prevent them that would only cost me some time (online surveys and similar crap). I did some of them, and my miles still expired. In my current situation though I fly about as much as a penguin so it didn't really matter that much. It was frustrating that after having flown quite a bit for several years, accruing a fair number of (admittedly worthless) miles, they all just went away.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    4. Re:Go ahead, try to steal my points by Anonymous Coward · · Score: 0

      Easy come, easy go. It sounds like you weren't banking on them anyway.

  5. Link to the original talk by Anonymous Coward · · Score: 0

    Here's the original talk - it contains many more interesting facts about the booking systems: https://www.youtube.com/watch?v=m6IgrMCMW8k

  6. IHG (Holiday Inn parent) is worse - 4-digit PINs by Anonymous Coward · · Score: 0

    I just wish someone would write an article about IHG's loyalty program. Their site uses only 4-digit PINs. I've tried contacting them online to tell them how pathetic that is but haven't managed to get a response.