Changing Other People's Flight Bookings Is Too Easy (computerworld.com)

← Back to Stories (view on slashdot.org)

Changing Other People's Flight Bookings Is Too Easy (computerworld.com)

Posted by EditorDavid on Sunday January 1, 2017 @04:34PM from the airline-insecurity dept.

"The security of online travel booking systems are stuck in the 1990s, according to security researchers," reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also "woefully insecure": This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem... They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg. The three major Global Distribution Systems operators...store Passenger Name Records for hundreds of millions of travelers at any given time.

Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip... The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

75 comments

Min score:

Reason:

Sort:

Take the bus by colinrichardday · 2017-01-01 16:37 · Score: 1

Take the bus? But that might be limiting.
1. Re:Take the bus by Anonymous Coward · 2017-01-01 17:01 · Score: 5, Insightful
  
  Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where I live (Nashville). Greyhound or Superbus are much better deals for all three: money, time, and hassle. I can get a round trip bus ticket for less than 100$ to the furthest city I would want to go to (Cleveland), the bus takes ~10 hours from door-to-door. When you read that it sounds like a lot, but consider that the bus makes stops at places with food/restroom. And for their 'express(read new)' buses it has WiFi and power outlets for each seat now and enough let room for me (6ft) to _stretch_ my legs.
  Also, I've book a round trip to Cleveland for a week less than 3 hours before the bus left for ... I think 89$.. (Emergency to help friend) and there would have been no way for me to book a flight on such short notice....
  If you can't get a direct flight to where you are going or need to book it ASAP, the cost can easily be 4~5x that (if not more) and the total time invested (after you account for TSA Security Theatre + waiting for baggage, etc....) is about roughly the same. Direct flights can save time, but I still feel the cost+hassle savings is worth it.
  I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)
2. Re: Take the bus by Anonymous Coward · 2017-01-01 17:14 · Score: 0
  
  For the people who regularly travel from coast to coast or to other countries, no, taking the bus isn't a viable option. And I'm confident Greyhound or Megabus don't have very secure reservation systems as well.
  I've considered this issue myself, but if the airlines don't seem to care, it's because it's not causing them headaches.
3. Re:Take the bus by Ol+Olsoc · 2017-01-01 17:22 · Score: 1, Funny
  
  I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)
  One time my wife wanted to visit her father in Florida who just had an operation. I offered to drive her down from PA, and drive back then do it again a coupe weeks later, since I had some big meetings I couldn't get out of.
  She said no, she would take the bus. I told her that was the last thing she wanted to do. I pleaded, I begged a cajoled. However, she is an alpha chick, and does not take telling. So the bus she took.
  After coming back into town a couple weeks later, the bus was three hours late. I asked her how the trip was.
  She was thrown up on
  She spent time in filthy bus stations that were populated by addicts and hookers
  She was propostioned for sex several times, and thought she was going to be raped once.
  She was offered drugs to either buy or exchange for a blow job on the bus.
  She was offered money for her underwear.
  And the reason she was three hours late? The bus driver from the last leg of her ride pulled over and went on a lost mind jeezuz rant and someone had to call and get him taken off the bus.
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Wasn't a fun time for her, but I gave no sympathy. Well, yeah after a week or so.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
4. Re: Take the bus by jason-eric · 2017-01-01 17:42 · Score: 1
  
  If you altered someones reservations how lucrative would it be? What are the chances of getting caught? Is it worth the possibility of a long jail term for wire fraud?
  
  --
  United States
5. Re: Take the bus by Anonymous Coward · 2017-01-01 17:48 · Score: 0
  
  If you're just trying to ruin someone's travels, you should be able to get away with it, just disguise yourself somehow, Tor should do it if the exit nodes aren't blacklisted.
  Profiting from it directly sounds risky, though.
6. Re:Take the bus by sid+crimson · 2017-01-01 17:49 · Score: 4, Insightful
  
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Wow man - what kind of ultimatum is that for your wife?
  Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.
7. Re: Take the bus by Anonymous Coward · 2017-01-01 19:15 · Score: 0
  
  "Profiting from it directly sounds risky, though." Thanks Poindexter.
8. Re: Take the bus by Anonymous Coward · 2017-01-01 19:33 · Score: 0
  
  Just switched h some addict celebrity out of business class into economy and it will get attention. They'll bring in premier class secure booking and make you pay extra for that. Anyone else who complains will be blacklisted.
9. Re:Take the bus by sg_oneill · 2017-01-01 20:02 · Score: 0
  
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Way to be a complete dick to your wife after what sounds like a traumatic ride.
  Maybe she'd be better off without you.
  Oh and there is no such thing as "alpha" and "beta" people. Theres absolutely nothing in sociology or psychology that supports the idea, its just nonsense that the pick-up-artist scene invented. Hell even dogs dont have "alpha" males and females.
  
  --
  Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
10. Re:Take the bus by Anonymous Coward · 2017-01-01 21:30 · Score: 0
  
  It affects flights with Boeing planes too.
11. Re:Take the bus by arglebargle_xiv · 2017-01-01 22:26 · Score: 2
  
  I rode the bus a good 20 times and only had one issue where there was a guy who smelled.
  I rode the bus once. It smelled like a locker room, there was junk all over the floor. We were already packed in like sardines, and then they stopped to pick up more! There was a suitcase poking me in the ribs, and an elbow in my ear, and at one point I had a smelly old bum standing next to me who hadn't showered in a year. The window wouldn't open and the fan was broke, my face was turning blue. I don't think I'd been in a crowd like this since I went to see the Who.
12. Re: Take the bus by Anonymous Coward · 2017-01-02 01:32 · Score: 0
  
  Oh yeah, take the bus. Because, you know, if you take greyhound in Canada, you might lose you head. Literally.
13. Re:Take the bus by Anonymous Coward · 2017-01-02 01:36 · Score: 0
  
  Compare their safety records. I'd drive myself twice or fly five thousand times before I set foot on a Greyhound bus.
14. Re:Take the bus by Anonymous Coward · 2017-01-02 01:39 · Score: 0
  
  Their safety record is probably shit too, if that's any consolation (it's not). Bus services like Greyhound are all of the risk of driving yourself, with the added risk of being assaulted by a passenger or killed in a flaming wreck by an underpaid undertrained half-asleep driver.
15. Re:Take the bus by mjwx · 2017-01-02 01:42 · Score: 2
  
  I live in Europe, that means taking the train or the bus isn't viewed as COMMUNIST and often is a sensible option. Although I only live 44 miles from Central London, I'd still rather take the train, then the tube to my destination because its honestly less hassle and the trains are not that bad here.
  
  That being said, flying isn't bad either. Last time I went to Heathrow I was through check in and security faster that it took to get from the car park to the terminal (to be fair, the car park was 25 minutes away). Automation has made things a crapload faster at airports as you can open dozens of automated terminals compared to a few desks (the automated terminals can also handle multiple flights from different airlines).
  
  Going through security was a breeze, they dont make you take your shoes off, just jackets and belts.
  
  To go to Brussels or Paris, I'd choose to fly as its easier for me to get to Heathrow than St Pancras.
  
  Point in short, flying doesn't have to be painful, it's just that Americans have made it that way.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
16. Re: Take the bus by mjwx · 2017-01-02 01:51 · Score: 2
  
  If you altered someones reservations how lucrative would it be? What are the chances of getting caught? Is it worth the possibility of a long jail term for wire fraud?
  Difficult to do for financial gain, but also quite difficult to get caught.
  
  The security of GDSs (Global Distribution Systems) is archaic. To access my booking and make changes all you need to know is my six character booking number and surname. Realistically you can socially engineer the booking reference from the airline just by knowing my name.
  
  Most airlines rely on two external methods to fix this. PCI, which is useless as I can pay with a different card and notifying the user which is the strongest security they've implemented but still largely useless as it required the end user to act on any information they receive.
  
  When I make changes to a booking, I usually receive an email or text message from the airline notifying me of this. What makes this largely useless is the fact most people will ignore this information thinking that the airline will take care of everything for them. Whilst that is to a large extent, true in this case as far as the airline knows the end user made the changes.
  
  GDS providers really need to up their game when it comes to security, but as per usual nothing will happen until someone loses billions over it.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
17. Re:Take the bus by Anonymous Coward · 2017-01-02 02:01 · Score: 0
  
  Oh and there is no such thing as "alpha" and "beta" people. Theres absolutely nothing in sociology or psychology that supports the idea, its just nonsense that the pick-up-artist scene invented. Hell even dogs dont have "alpha" males and females.
  No. the concept comes from a study on apes.
  The dominant male was called the alpha and was a violent rapist. Any human behaving like that would be put in jail or executed.
  Beta males would bring gifts to the females in the form of fruits or objects they considered pretty and when given the choice the females would prefer to mate with beta males.
  In particular alpha females preferred beta males over the alpha male.
  There is nothing that says that this group structure is similar among different apes or even other groups of the same species.
18. Re: Take the bus by Anonymous Coward · 2017-01-02 02:11 · Score: 0
  
  Do trolls have women too, then?
  Jeez. You gotta learn something new on the Intertubes each day.
19. Re:Take the bus by Cinnamon+Beige · 2017-01-02 02:37 · Score: 1
  
  This sort of thing varies by the passenger's sex, age, and general body language...and the era at which you take the trip, since some of these problems have dropped simply because the bus is becoming more and more the choice of people who are not merely too poor to get a plane ticket.
  My own preference--admittedly helped by the fact that there's actually a station near enough me for it to be feasible--is to take the train...when I can actually find a route that gets me where I want. With all the talk about how awesome public transit is, you'd think some money would be getting put into getting the rail system nudged back towards where it doesn't seem to skip some states entirely.
  Admittedly, some of the problem here seems to be people being just plain idiots--I actually am used to the luggage tags my suitcases get being very clearly intended to stay on through a transfer or two because the airport code for offloading is typically not the next stop on my journey, and my social media is being kept very much away from such things as my legal name. I'd think that doing things like posting pics of plane tickets with things like QR codes not censored is begging for Bad Things to happen--the only surprise here is that includes 'having your flight booking altered.'
20. Re:Take the bus by Pikoro · 2017-01-02 02:37 · Score: 2
  
  Another one rides the bus.... And another comes on, and another comes on... another one rides the bus ehhh!
  
  --
  "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
21. Re:Take the bus by Ol+Olsoc · 2017-01-02 03:11 · Score: 1
  
  Wow man - what kind of ultimatum is that for your wife? Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.
  The sort of ultimatum you give someone when if they haven't learned to listen to you when you know they are going to drive off a cliff, are determined to drive off the cliff, and nothing is going to stop them driving off that cliff, but you want to exercise your option to get out of the car before they drive off the cliff.
  I don't know if you've been involved with an alpha chick or not, but a headstrong one can be remarkably stubborn. So you would suggest that I tell her that I support her right to be sexually assaulted, and will support her decision to put herself in harms way? Beat her? Chain her to the bed?
  So I respected her incredibly stupid decision to take the bus, and when it was clear that I was right, I told her that this would not happen again with me in the picture. 6 months later, she drove down to visit her father again. I still offered to drive, but she still didn't want to "put me out of my way". But I didn't need to plead, and that trip went off just fine.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
22. Re:Take the bus by Ol+Olsoc · 2017-01-02 03:21 · Score: 1
  
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Way to be a complete dick to your wife after what sounds like a traumatic ride.
  We'll just ignore that part about her completely ignoring everything I told her, and her actually suffering less trauma than what I was expecting. I'm a big strong guy, and I wouldn't take a bus.
  I gave her plenty of options, like flying, or delivering her to Florida myself, but she wouldn't accept either of them. For some reason or other, she was determined to take that stupid bus.
  
  Maybe she'd be better off without you.
  Maybe.
  Or she could have just admitted I was right, which she did, and now swears off ever setting foot on a bus or in a bus station ever again - like she did. Next time, she drove down, and she, her father, and myself were much happier.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
23. Re:Take the bus by eth1 · 2017-01-02 06:05 · Score: 1
  
  Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where
  My math goes something like this:
  Min door-to-door flight time is usually 45 min to airport, 45 min from airport, 30 min+ for security & bag check, 1hr safety margin, 15-30 min taxiing, plus flight time.
  That's 3-4 hours+ (~200 mile drive) just dealing with the hassles surrounding air travel. Add another 50 miles driven for every hour you spend in the air.
  Then, I personally am willing to deal with another hour or two of driving (+100mi) because I don't have to worry about transportation once I get where I'm going, maybe another hour or two because I can pack as much as I want of whatever I want, and significantly more time if I'm going with someone (no increase in cost, plus a relief driver).
24. Re:Take the bus by Solandri · 2017-01-02 07:38 · Score: 1
  
  Normally I'd agree with you. But in this case the instigator was the wife - she refused to take her husband's wishes into account in her initial decision to take the bus. The husband is merely adopting a tit-for-tat strategy - refusing to take her wishes into account if she does not take his wishes into account. Tit-for-tat has been proven to be one of the best solutions to the iterated Prisoner's Dilemma problem, maximizing the positive outcome for both parties despite its slightly confrontational nature.
25. Re:Take the bus by Billly+Gates · 2017-01-02 08:37 · Score: 1
  
  Take the bus? But that might be limiting.
  How Bob that sounds great. Can you met up on the east coast today so we can close this contract and make millions before a competitor shows up?
  A bus is too much too lose. Yes, that was one such crazy scenario, but in business traveling there is a reason CEO's love their corporate jets. Not just to show off but in business many things are deadline driven and very quick access can make you or break you in a complex world
  
  --
  http://saveie6.com/
26. Re:Take the bus by antdude · 2017-01-02 16:15 · Score: 1
  
  Too slow. I wished we had fully working t(rans/ele)porters now. Cars, planes, etc. are too slow. I hate waiting and long commutes. :P I wished Concord was still around too.
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
27. Re:Take the bus by I75BJC · 2017-01-03 05:46 · Score: 1
  
  The remedy for USA airport travel interaction with the TSA/DHS/Local LEOs? Move to UK! Regrettably, that won't work for most Americans. I do prefer the UK airport security that I have actually experienced to the average/now normal USA airport Security Theatre. Personally I prefer British Airways to any USA airline I have ever flown.
28. Re:Take the bus by mjwx · 2017-01-03 06:46 · Score: 1
  
  The remedy for USA airport travel interaction with the TSA/DHS/Local LEOs? Move to UK! Regrettably, that won't work for most Americans. I do prefer the UK airport security that I have actually experienced to the average/now normal USA airport Security Theatre. Personally I prefer British Airways to any USA airline I have ever flown.
  If you think BA is a good airline, you should fly someone like Singapore.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
Maybe by Ol+Olsoc · 2017-01-01 17:06 · Score: 1, Insightful

Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runwaysnot in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.
Because for some strange reason, once we try doing something on the internet, possibly the most insecure and interference pronemethod of doing anything, we forget how millions of us use to fly all of the time, without these sort of problems.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
1. Re:Maybe by Dutch+Gun · 2017-01-01 17:15 · Score: 1
  
  Was it as easy as changing previously posted Slashdot headlines?
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
2. Re: Maybe by Anonymous Coward · 2017-01-01 17:25 · Score: 1
  
  I don't know how people booked travel before the Internet, but let's speculate.
  They used phones, perhaps? Also insecure, authentication was probably pretty much as bad as it is today. Went to speak with a travel agent in person? The travel agent could check ID, but did they? And then they would have to call or otherwise contact the airline on the traveler's behalf.
  Only dealing directly with the airline, in person, could be considered secure, and that is if they always request ID.
  The truth is, there's little to gain here by exploiting the weaknesses. Fares are mostly bought with credit cards, so cash refunds don't apply (and you'd have to show up in person). Canceling a ticket and buying another on your name might work but there's a paper trail and you'd get caught. Only the "screwing with a person's travel plans" scenario seems likely to me, and that takes some pretty serious or specific motivation.
3. Re: Maybe by Anonymous Coward · 2017-01-01 17:56 · Score: 0
  
  Pretty much, yeah. If you could convince the phone operator you were the ticket holder you could do whatever you wanted. Going through a travel agent was harder, but even that could be gamed.
4. Re:Maybe by mjwx · 2017-01-02 01:44 · Score: 1
  
  Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runwaysnot in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.
  Because for some strange reason, once we try doing something on the internet, possibly the most insecure and interference pronemethod of doing anything, we forget how millions of us use to fly all of the time, without these sort of problems.
  I also remember getting ripped off.
  
  Travel agents are going the way of the VCR rental store and good riddance.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
5. Re: Maybe by Ol+Olsoc · 2017-01-02 02:56 · Score: 1
  
  I don't know how people booked travel before the Internet, but let's speculate.
  They used phones, perhaps? Also insecure, authentication was probably pretty much as bad as it is today. Went to speak with a travel agent in person? The travel agent could check ID, but did they? And then they would have to call or otherwise contact the airline on the traveler's behalf.
  Sounds pretty damn hard. Yes, Either my staff assistant, or myself spoke to our travel agent, who knew us. When I'd travel for work, we had an authorization number so no changes happened without that number and a number that replaced it.
  
  Only the "screwing with a person's travel plans" scenario seems likely to me, and that takes some pretty serious or specific motivation.
  But still a good illustration of people forgetting how to do stuff once we take it to the intertoobz.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
6. Re:Maybe by Wrath0fb0b · 2017-01-02 03:18 · Score: 1
  
  Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runwaysnot in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.
  Look at the history of airfare (chart or articleand before the internet, flying also cost twice as much (even after adding in the dreaded "fees" for shit that most people don't need) and was far less accessible to people of modest means. When people talk about how dignified air service was in the 70s, what they usually meant is that poor people weren't flying.
  Of course the internet isn't responsible for the entire drop in prices. But the direct-booking (vs paying travel agents for working the system) and fare comparison contributed something.
7. Re:Maybe by Anonymous Coward · 2017-01-02 06:03 · Score: 0
  
  No, dignified because there was room for your legs, the seats were bigger and the behinds were smaller. Also, attendants (er, stews) were much more plentiful.
  I hated flying in the 70s, the cigarette smoke was inescapable. Flying was best just after smoking was banned domestically and before the seat pitch
8. Re: Maybe by aaarrrgggh · 2017-01-02 06:09 · Score: 1
  
  No, the security was in the ticket stock. You needed an actual, magnetically coded ticket to board the plane.
  
  More secure, but an awful process.
9. Re:Maybe by Solandri · 2017-01-02 07:28 · Score: 1
  That graph is extremely deceptive because the scale starts at $250, not $0.
  
  Travelocity was the first online direct flight booking site that gave you access to most of the airlines. It was a spinoff from Sabre, the company which managed the airline reservation system that airlines and travel agents used. It didn't begin operating online until 1996
  
  The vast majority of the ticket price drop ($600 to $400) happened before 1996. From 1996 to present there's only bee about a $50 ($400 to $350).
  
  So the Internet is only responsible for about 1/5 of the drop in your chart. Or (starting with a 1996 baseline) a 12% drop in prices.
  
  The main factor which caused the drop in prices was deregulating the airlines in 1978.
10. Re: Maybe by Ol+Olsoc · 2017-01-02 07:50 · Score: 1
  
  No, the security was in the ticket stock. You needed an actual, magnetically coded ticket to board the plane. More secure, but an awful process.
  Gotta say, I never gave it a thought about how awful it was. I enjoyed getting out of the office for a bit, and chatting with the people at the travel agency. The internet has changed us, and normal and easy things are now much too much trouble. If we can't just click clicky, it is a burden too far.
  Well okay then. We have to have no effort on a system that is insecure by design. I guess we put up with what happens to us then, and quite willingly in fact.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
11. Re:Maybe by Wrath0fb0b · 2017-01-02 10:45 · Score: 1
  
  (1) More room for your legs
  (2) Fewer seats per plane
  (3) Higher ticket prices
  What do these three things have in common?
12. Re:Maybe by Wrath0fb0b · 2017-01-02 10:49 · Score: 1
  
  Pretty much agreed.
  To be fair though, from 1996 to the present, oil went up considerably (and then recently dropped back down) and so the decline in prices in the face of rising costs (gas is 30% of the total bill) is actually fairly impressive.
  Also Southwest :-)
Duping Slashdot "Editors" [sic] Is All Too Easy by Anonymous Coward · 2017-01-01 17:10 · Score: 0

Comment is title.
I read about this on Slashdot a week ago by Anonymous Coward · 2017-01-01 17:54 · Score: 0

There were 50 comments. Low traffic story. So........... post it again.
ALL TOO EASY! by Anonymous Coward · 2017-01-01 17:54 · Score: 0

Changing other people's flight bookings is ALL TOO EASY like Vader being really good at RODEO!
If it ain't broke... by Anonymous Coward · 2017-01-01 18:21 · Score: 0

Is this really a problem? It might be easy to maliciously change a booking, but unless this is actually happening regularly it seems like adding layers of security would just create obstacles for people making legitimate changes.
-={ATTENTION!}=- M_o_d_e_r_a_t_o_r_S!!! by Anonymous Coward · 2017-01-01 18:44 · Score: 0

mod parent up
1. Re:-={ATTENTION!}=- M_o_d_e_r_a_t_o_r_S!!! by Anonymous Coward · 2017-01-02 04:13 · Score: 0
  
  Never on an AC post.
Re:Fixing this is too expensive by plover · 2017-01-01 19:13 · Score: 5, Informative

The problem is too expensive to fix, but not for the reason you mentioned.
Many passengers struggle with flying, due to inexperience, carelessness, distractions, or fear of flying, or they lack the mental capacity to understand everything they need to do. These people need the simplest possible way to access their flight info. That means helping them as much as possible by printing the booking code on the luggage tags, flight coupons, boarding passes, everything.
So far, it's much cheaper to accept the risk of a few people messing with the flight info, rather than dealing with millions of scared, confused, and/or angry travelers stuck in an unplanned layover because they didn't have the ability to access their connecting flight information.
That could change if someone figures out how to monetize this hack safely, but that's very unlikely. The booking code isn't the only security measure in place. The hackers can change a flight, but a passenger complaining at a gate will win out over an online change; anyone attempting to cash in on the fraudulently changed ticket risks felony theft and fraud charges.

--
John
By design by Anonymous Coward · 2017-01-01 19:16 · Score: 0

We all know that it is totally insecure, but the flight company doesn't care, this is in the spec, so we must implement it like this, no matter what. Like I care, whatever.
1. Re:By design by Anonymous Coward · 2017-01-02 01:11 · Score: 0
  
  Why care about the small bugs when you have a major security bug -- government keeps permanent track of every place you have ever flown? I bet these "security researchers" have zero interest in providing solutions that problem (via anonymous flight travel within the country).
Well done! by Anonymous Coward · 2017-01-01 20:40 · Score: 0

Well done "superhackers" off CCC. You just found out that you need only a last name and booking reference to change your flight.
What serious accomplishment...
Re:Fixing this is too expensive by whoever57 · 2017-01-01 21:03 · Score: 1

Remember also that people are traveling, so they can't read the post-it note on their monitor, or whatever they use to store their password.

--
The real "Libtards" are the Libertarians!
Easier when they are stupid... by bungo · 2017-01-01 22:34 · Score: 1

I had someone use my email address to get the confirmation for the out and return flights for himself and his partner.
I have a gmail address, which I got back in the time when it was still invitation only, which I set up as my initial and last name @gmail.com. This person with the same initial (but different first name) and same last name decided that my email address must be his, so he used it when booking his tickets. Normally I just delete these emails, as this guy was the 4th person who has made the same mistake, but as they were for flights, I decided to be kind and contacted him - he was easy to find, as I had the city where he lived.
I can't believe how stupid some people are.
For a short period of time, I was thinking of where I could send him, maybe change his return flight to Juneau Alaska and see if he noticed.

--
"The best part? I became an ordained minister while not wearing pants." -- CleverNickName
1. Re:Easier when they are stupid... by CanadianMacFan · 2017-01-02 05:31 · Score: 1
  
  That's when you hope that they are going to someplace that has the same name in places such as Sydney, Australia and Sydney, Nova Scotia, Canada. Then you just send them to one of them. For example, instead of Boston, Mass send them to Boston, Kentucky.
That is why we can't have nice things by Anonymous Coward · 2017-01-02 01:15 · Score: 0

This is just social engineering.
1. Re:That is why we can't have nice things by radarskiy · 2017-01-02 02:46 · Score: 1
  
  Since it never involves talking to a person, isn't it anti-social engineering?
Alarming, huh? by Anonymous Coward · 2017-01-02 01:41 · Score: 0

Derp.

and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.
Well, it wouldn't be alarming if there were some form of security implemented.
Wonderful Security by Coditor · 2017-01-02 01:41 · Score: 1

For when it was designed in the 1960's. Note that much of the system is still rooted in the original designs. I worked in that industry and it wasn't any kind of secret how terrible this 50 year old security was. A lot of the design decisions such as no support for a year (all dates are in the future with no year indicated, so limited to about 330 days out) and the PNR code itself, plus storing the data in the record (everything vanishes on the day the last leg of the flight is complete). No one in the industry wants to change anything since every part of the travel industry is dependent on nothing changing. Even if hacking becomes rampant nothing will change.
1. Re:Wonderful Security by Anonymous Coward · 2017-01-02 02:01 · Score: 0
  
  No one in the industry wants to change anything since every part of the travel industry is dependent on nothing changing. Even if hacking becomes rampant nothing will change.
  Those are quite strong proclamations, the second of which is at odds with historical fact and common sense.
Re:Fixing this is too expensive by Anonymous Coward · 2017-01-02 01:42 · Score: 0

I still don't understand how they'd get the money from a change. Every time I've downgraded a refundable ticket to a restricted fare, the refund goes back to the original method of payment (a credit card). I can't use the ticket if I don't have the same name. The worst someone can do is DoS me – a minor inconvenience for me, and a felony for them. The cost/benefit isn't there for this sort of fraud IMO.
Re:Fixing this is too expensive by hey! · 2017-01-02 02:31 · Score: 2

Well, the most straightforward way is to book a ticket for yourself; but that obviously leads back to you, which is probably why fixing this isn't a top priority.
That said, the ability to work malice and mischief has value to some. And in some cases that could have economic value (e.g. making sure key people from your competitors don't make it to a critical meeting).

--
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Re:Fixing this is too expensive by Cinnamon+Beige · 2017-01-02 03:12 · Score: 1

Actually, as smartphones get more ubiquitous and even dumbphones gain more capabilities, the cost of fixing the problem should drop--we're already seeing a shift towards electronic ticketing, how much more effort would be needed to simply have it set up so you can have your phone self-update with the connecting flight information as you go, so it'll be up-to-date and you will know things like "Oh, hey, my connecting flight changed" as soon as possible.
Until they get slammed for fraud by Anonymous Coward · 2017-01-02 04:35 · Score: 0

"even use the refunds to book tickets for themselves" yeah fat chance of that. I haven't heard of anybody being able to do that in that industry, and I have worked there for 20 years. What I heard of is agent doing fraudulent stuff (I even participated indirectly indicting one by setting up programs to catch whatever action that agent did). Fraud on the consumer side is much harder, as you can't easily refund (it has to be refunded to the original payment) , and doing refund-buy another leave trace, if only because you have to present yourself to fly that second ticket you fraudulently bought. For similar reason there is no security on check in stub and you can print yourself at home, the problem with fraud with a plane ticket is that at some point you have to be present in person.
Interesting .... but .... by King_TJ · 2017-01-02 06:36 · Score: 1

Again, at least *some* of this strikes me as cases of, "Sure...the technology may let you do it, but you're still creating a trail to get caught!"
I mean, ok --- the relatively weak security might let me log in to a web portal and cancel a guy's flight. But if that's a flexible ticket (the most expensive kind) that lets me reschedule it under another name? Don't you think he might *notice* that happened? And when they investigate, it wouldn't be too tough to figure out who DID use that rescheduled flight.
I'd be more worried about the possibility of mischievous hackers screwing up people's booked flights for amusement and general rabble-rousing. But even something as simple as putting your own frequent flier ID in under someone else's flights to earn their miles means you can be tracked down and caught/punished for theft of them.
Sales/Corporate sabatage by Billly+Gates · 2017-01-02 08:34 · Score: 1

I can assholes screwing competitors out of contracts and sales opportunities by making sure the other guy doesn't show up for the pitch.
Surprisingly I heard of crazy stuff including geeks taking down wifi hotspots when a competitor comes in for a sale on the road etc.

--
http://saveie6.com/
Re:Fixing this is too expensive by Anonymous Coward · 2017-01-02 09:40 · Score: 0

This is the future. No more passwords, no more checkout steps, everything one-click, but that's OK because they already know everything about you from your browser cookies. Of course you won't be allowed to hide these from them or not be social enough on the network. And Trump in power.
hacking by Anonymous Coward · 2017-01-03 03:45 · Score: 0

I agree that if you plan to stay with a cheater don't try to find any information. However, in my case I needed it in my state in order to file for a divorce and come out of the relationship. You can't just say I think courts want proof or you end up spending a lot of time and money to fight it out! Finding out was hard, but I was relieved that I wasn't crazy and it's making my divorce go a lot smoother. He would never confess; therefore, I did the best thing for me...find out, no doubt, move on!!!contact hotcyberlord@gmail.com..he's a professional and will surely help you out,tell him from Ninah
Stuck in the 90's? by Anonymous Coward · 2017-01-05 21:34 · Score: 0

FYI, stuck in the 60's is more like it. Some of those commercial airline ticket management systems have implementations of the NP-Complete Traveling Salesman Problem written in COBOL. Even those flashy MSIE front-ends you see on the airport kiosks are clients adapted to the legacy technology. Oracle Tuxedo adapts COBOL applications to J2EE.
Regards,
@decalresponds