Frequent Flyer Points Put at Risk By Website Flaws

Airline booking systems lack basic security checks that would stop attackers changing flight details or stealing rewards, warn experts. From a report on BBC: The problems emerge because the six-digit codes booking systems use to identify travellers are easy to guess. Two researchers demonstrated the weaknesses by changing a flight booking and seat assignment for a reporter. The security investigators presented their findings at the Chaos Communications Congress in Germany. In a blog detailing their work Karsten Nohl and Nemanja Nikodijevic of Security Research Labs (SRL) said the computer systems behind the airlines' travel bookings system dated from the 1970s and 1980s. Though these have been updated with web services they lack security systems that would prevent abuse, they said. In particular, they added, the systems have no way to check, or authenticate, who is querying the system for flight details.

now even /. puts out this overblown story

Yes, it is easy to get access to flexible tickets. In many cases, figuring out last name plus eight digit booking code is enough.

This allows a hacker to rebook the flight (presumably, to an earlier date) free of charge. However, this leaves the issue of changing the name on the passenger name record. Even with the most expensive flex tickets, changing of the name is subject to fees. The airlines will require a payment and presumably apply the same security checks as it would with the purchase of a brand-new ticket.

So in the end, it's not an easier way to steal airline tickets...