Changing Other People's Flight Bookings Is Too Easy (computerworld.com)

← Back to Stories (view on slashdot.org)

Changing Other People's Flight Bookings Is Too Easy (computerworld.com)

Posted by EditorDavid on Sunday January 1, 2017 @04:34PM from the airline-insecurity dept.

"The security of online travel booking systems are stuck in the 1990s, according to security researchers," reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also "woefully insecure": This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem... They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg. The three major Global Distribution Systems operators...store Passenger Name Records for hundreds of millions of travelers at any given time.

Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip... The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

39 of 75 comments (clear)

Min score:

Reason:

Sort:

Take the bus by colinrichardday · 2017-01-01 16:37 · Score: 1

Take the bus? But that might be limiting.
1. Re:Take the bus by Anonymous Coward · 2017-01-01 17:01 · Score: 5, Insightful
  
  Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where I live (Nashville). Greyhound or Superbus are much better deals for all three: money, time, and hassle. I can get a round trip bus ticket for less than 100$ to the furthest city I would want to go to (Cleveland), the bus takes ~10 hours from door-to-door. When you read that it sounds like a lot, but consider that the bus makes stops at places with food/restroom. And for their 'express(read new)' buses it has WiFi and power outlets for each seat now and enough let room for me (6ft) to _stretch_ my legs.
  Also, I've book a round trip to Cleveland for a week less than 3 hours before the bus left for ... I think 89$.. (Emergency to help friend) and there would have been no way for me to book a flight on such short notice....
  If you can't get a direct flight to where you are going or need to book it ASAP, the cost can easily be 4~5x that (if not more) and the total time invested (after you account for TSA Security Theatre + waiting for baggage, etc....) is about roughly the same. Direct flights can save time, but I still feel the cost+hassle savings is worth it.
  I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)
2. Re:Take the bus by Ol+Olsoc · 2017-01-01 17:22 · Score: 1, Funny
  
  I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)
  One time my wife wanted to visit her father in Florida who just had an operation. I offered to drive her down from PA, and drive back then do it again a coupe weeks later, since I had some big meetings I couldn't get out of.
  She said no, she would take the bus. I told her that was the last thing she wanted to do. I pleaded, I begged a cajoled. However, she is an alpha chick, and does not take telling. So the bus she took.
  After coming back into town a couple weeks later, the bus was three hours late. I asked her how the trip was.
  She was thrown up on
  She spent time in filthy bus stations that were populated by addicts and hookers
  She was propostioned for sex several times, and thought she was going to be raped once.
  She was offered drugs to either buy or exchange for a blow job on the bus.
  She was offered money for her underwear.
  And the reason she was three hours late? The bus driver from the last leg of her ride pulled over and went on a lost mind jeezuz rant and someone had to call and get him taken off the bus.
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Wasn't a fun time for her, but I gave no sympathy. Well, yeah after a week or so.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
3. Re: Take the bus by jason-eric · 2017-01-01 17:42 · Score: 1
  
  If you altered someones reservations how lucrative would it be? What are the chances of getting caught? Is it worth the possibility of a long jail term for wire fraud?
  
  --
  United States
4. Re:Take the bus by sid+crimson · 2017-01-01 17:49 · Score: 4, Insightful
  
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Wow man - what kind of ultimatum is that for your wife?
  Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.
5. Re:Take the bus by arglebargle_xiv · 2017-01-01 22:26 · Score: 2
  
  I rode the bus a good 20 times and only had one issue where there was a guy who smelled.
  I rode the bus once. It smelled like a locker room, there was junk all over the floor. We were already packed in like sardines, and then they stopped to pick up more! There was a suitcase poking me in the ribs, and an elbow in my ear, and at one point I had a smelly old bum standing next to me who hadn't showered in a year. The window wouldn't open and the fan was broke, my face was turning blue. I don't think I'd been in a crowd like this since I went to see the Who.
6. Re:Take the bus by mjwx · 2017-01-02 01:42 · Score: 2
  
  I live in Europe, that means taking the train or the bus isn't viewed as COMMUNIST and often is a sensible option. Although I only live 44 miles from Central London, I'd still rather take the train, then the tube to my destination because its honestly less hassle and the trains are not that bad here.
  
  That being said, flying isn't bad either. Last time I went to Heathrow I was through check in and security faster that it took to get from the car park to the terminal (to be fair, the car park was 25 minutes away). Automation has made things a crapload faster at airports as you can open dozens of automated terminals compared to a few desks (the automated terminals can also handle multiple flights from different airlines).
  
  Going through security was a breeze, they dont make you take your shoes off, just jackets and belts.
  
  To go to Brussels or Paris, I'd choose to fly as its easier for me to get to Heathrow than St Pancras.
  
  Point in short, flying doesn't have to be painful, it's just that Americans have made it that way.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
7. Re: Take the bus by mjwx · 2017-01-02 01:51 · Score: 2
  
  If you altered someones reservations how lucrative would it be? What are the chances of getting caught? Is it worth the possibility of a long jail term for wire fraud?
  Difficult to do for financial gain, but also quite difficult to get caught.
  
  The security of GDSs (Global Distribution Systems) is archaic. To access my booking and make changes all you need to know is my six character booking number and surname. Realistically you can socially engineer the booking reference from the airline just by knowing my name.
  
  Most airlines rely on two external methods to fix this. PCI, which is useless as I can pay with a different card and notifying the user which is the strongest security they've implemented but still largely useless as it required the end user to act on any information they receive.
  
  When I make changes to a booking, I usually receive an email or text message from the airline notifying me of this. What makes this largely useless is the fact most people will ignore this information thinking that the airline will take care of everything for them. Whilst that is to a large extent, true in this case as far as the airline knows the end user made the changes.
  
  GDS providers really need to up their game when it comes to security, but as per usual nothing will happen until someone loses billions over it.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
8. Re:Take the bus by Cinnamon+Beige · 2017-01-02 02:37 · Score: 1
  
  This sort of thing varies by the passenger's sex, age, and general body language...and the era at which you take the trip, since some of these problems have dropped simply because the bus is becoming more and more the choice of people who are not merely too poor to get a plane ticket.
  My own preference--admittedly helped by the fact that there's actually a station near enough me for it to be feasible--is to take the train...when I can actually find a route that gets me where I want. With all the talk about how awesome public transit is, you'd think some money would be getting put into getting the rail system nudged back towards where it doesn't seem to skip some states entirely.
  Admittedly, some of the problem here seems to be people being just plain idiots--I actually am used to the luggage tags my suitcases get being very clearly intended to stay on through a transfer or two because the airport code for offloading is typically not the next stop on my journey, and my social media is being kept very much away from such things as my legal name. I'd think that doing things like posting pics of plane tickets with things like QR codes not censored is begging for Bad Things to happen--the only surprise here is that includes 'having your flight booking altered.'
9. Re:Take the bus by Pikoro · 2017-01-02 02:37 · Score: 2
  
  Another one rides the bus.... And another comes on, and another comes on... another one rides the bus ehhh!
  
  --
  "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
10. Re:Take the bus by Ol+Olsoc · 2017-01-02 03:11 · Score: 1
  
  Wow man - what kind of ultimatum is that for your wife? Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.
  The sort of ultimatum you give someone when if they haven't learned to listen to you when you know they are going to drive off a cliff, are determined to drive off the cliff, and nothing is going to stop them driving off that cliff, but you want to exercise your option to get out of the car before they drive off the cliff.
  I don't know if you've been involved with an alpha chick or not, but a headstrong one can be remarkably stubborn. So you would suggest that I tell her that I support her right to be sexually assaulted, and will support her decision to put herself in harms way? Beat her? Chain her to the bed?
  So I respected her incredibly stupid decision to take the bus, and when it was clear that I was right, I told her that this would not happen again with me in the picture. 6 months later, she drove down to visit her father again. I still offered to drive, but she still didn't want to "put me out of my way". But I didn't need to plead, and that trip went off just fine.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
11. Re:Take the bus by Ol+Olsoc · 2017-01-02 03:21 · Score: 1
  
  I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .
  Way to be a complete dick to your wife after what sounds like a traumatic ride.
  We'll just ignore that part about her completely ignoring everything I told her, and her actually suffering less trauma than what I was expecting. I'm a big strong guy, and I wouldn't take a bus.
  I gave her plenty of options, like flying, or delivering her to Florida myself, but she wouldn't accept either of them. For some reason or other, she was determined to take that stupid bus.
  
  Maybe she'd be better off without you.
  Maybe.
  Or she could have just admitted I was right, which she did, and now swears off ever setting foot on a bus or in a bus station ever again - like she did. Next time, she drove down, and she, her father, and myself were much happier.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
12. Re:Take the bus by eth1 · 2017-01-02 06:05 · Score: 1
  
  Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where
  My math goes something like this:
  Min door-to-door flight time is usually 45 min to airport, 45 min from airport, 30 min+ for security & bag check, 1hr safety margin, 15-30 min taxiing, plus flight time.
  That's 3-4 hours+ (~200 mile drive) just dealing with the hassles surrounding air travel. Add another 50 miles driven for every hour you spend in the air.
  Then, I personally am willing to deal with another hour or two of driving (+100mi) because I don't have to worry about transportation once I get where I'm going, maybe another hour or two because I can pack as much as I want of whatever I want, and significantly more time if I'm going with someone (no increase in cost, plus a relief driver).
13. Re:Take the bus by Solandri · 2017-01-02 07:38 · Score: 1
  
  Normally I'd agree with you. But in this case the instigator was the wife - she refused to take her husband's wishes into account in her initial decision to take the bus. The husband is merely adopting a tit-for-tat strategy - refusing to take her wishes into account if she does not take his wishes into account. Tit-for-tat has been proven to be one of the best solutions to the iterated Prisoner's Dilemma problem, maximizing the positive outcome for both parties despite its slightly confrontational nature.
14. Re:Take the bus by Billly+Gates · 2017-01-02 08:37 · Score: 1
  
  Take the bus? But that might be limiting.
  How Bob that sounds great. Can you met up on the east coast today so we can close this contract and make millions before a competitor shows up?
  A bus is too much too lose. Yes, that was one such crazy scenario, but in business traveling there is a reason CEO's love their corporate jets. Not just to show off but in business many things are deadline driven and very quick access can make you or break you in a complex world
  
  --
  http://saveie6.com/
15. Re:Take the bus by antdude · 2017-01-02 16:15 · Score: 1
  
  Too slow. I wished we had fully working t(rans/ele)porters now. Cars, planes, etc. are too slow. I hate waiting and long commutes. :P I wished Concord was still around too.
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
16. Re:Take the bus by I75BJC · 2017-01-03 05:46 · Score: 1
  
  The remedy for USA airport travel interaction with the TSA/DHS/Local LEOs? Move to UK! Regrettably, that won't work for most Americans. I do prefer the UK airport security that I have actually experienced to the average/now normal USA airport Security Theatre. Personally I prefer British Airways to any USA airline I have ever flown.
17. Re:Take the bus by mjwx · 2017-01-03 06:46 · Score: 1
  
  The remedy for USA airport travel interaction with the TSA/DHS/Local LEOs? Move to UK! Regrettably, that won't work for most Americans. I do prefer the UK airport security that I have actually experienced to the average/now normal USA airport Security Theatre. Personally I prefer British Airways to any USA airline I have ever flown.
  If you think BA is a good airline, you should fly someone like Singapore.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
Maybe by Ol+Olsoc · 2017-01-01 17:06 · Score: 1, Insightful

Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runwaysnot in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.
Because for some strange reason, once we try doing something on the internet, possibly the most insecure and interference pronemethod of doing anything, we forget how millions of us use to fly all of the time, without these sort of problems.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
1. Re:Maybe by Dutch+Gun · 2017-01-01 17:15 · Score: 1
  
  Was it as easy as changing previously posted Slashdot headlines?
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
2. Re: Maybe by Anonymous Coward · 2017-01-01 17:25 · Score: 1
  
  I don't know how people booked travel before the Internet, but let's speculate.
  They used phones, perhaps? Also insecure, authentication was probably pretty much as bad as it is today. Went to speak with a travel agent in person? The travel agent could check ID, but did they? And then they would have to call or otherwise contact the airline on the traveler's behalf.
  Only dealing directly with the airline, in person, could be considered secure, and that is if they always request ID.
  The truth is, there's little to gain here by exploiting the weaknesses. Fares are mostly bought with credit cards, so cash refunds don't apply (and you'd have to show up in person). Canceling a ticket and buying another on your name might work but there's a paper trail and you'd get caught. Only the "screwing with a person's travel plans" scenario seems likely to me, and that takes some pretty serious or specific motivation.
3. Re:Maybe by mjwx · 2017-01-02 01:44 · Score: 1
  
  Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runwaysnot in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.
  Because for some strange reason, once we try doing something on the internet, possibly the most insecure and interference pronemethod of doing anything, we forget how millions of us use to fly all of the time, without these sort of problems.
  I also remember getting ripped off.
  
  Travel agents are going the way of the VCR rental store and good riddance.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
4. Re: Maybe by Ol+Olsoc · 2017-01-02 02:56 · Score: 1
  
  I don't know how people booked travel before the Internet, but let's speculate.
  They used phones, perhaps? Also insecure, authentication was probably pretty much as bad as it is today. Went to speak with a travel agent in person? The travel agent could check ID, but did they? And then they would have to call or otherwise contact the airline on the traveler's behalf.
  Sounds pretty damn hard. Yes, Either my staff assistant, or myself spoke to our travel agent, who knew us. When I'd travel for work, we had an authorization number so no changes happened without that number and a number that replaced it.
  
  Only the "screwing with a person's travel plans" scenario seems likely to me, and that takes some pretty serious or specific motivation.
  But still a good illustration of people forgetting how to do stuff once we take it to the intertoobz.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
5. Re:Maybe by Wrath0fb0b · 2017-01-02 03:18 · Score: 1
  
  Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runwaysnot in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.
  Look at the history of airfare (chart or articleand before the internet, flying also cost twice as much (even after adding in the dreaded "fees" for shit that most people don't need) and was far less accessible to people of modest means. When people talk about how dignified air service was in the 70s, what they usually meant is that poor people weren't flying.
  Of course the internet isn't responsible for the entire drop in prices. But the direct-booking (vs paying travel agents for working the system) and fare comparison contributed something.
6. Re: Maybe by aaarrrgggh · 2017-01-02 06:09 · Score: 1
  
  No, the security was in the ticket stock. You needed an actual, magnetically coded ticket to board the plane.
  
  More secure, but an awful process.
7. Re:Maybe by Solandri · 2017-01-02 07:28 · Score: 1
  That graph is extremely deceptive because the scale starts at $250, not $0.
  
  Travelocity was the first online direct flight booking site that gave you access to most of the airlines. It was a spinoff from Sabre, the company which managed the airline reservation system that airlines and travel agents used. It didn't begin operating online until 1996
  
  The vast majority of the ticket price drop ($600 to $400) happened before 1996. From 1996 to present there's only bee about a $50 ($400 to $350).
  
  So the Internet is only responsible for about 1/5 of the drop in your chart. Or (starting with a 1996 baseline) a 12% drop in prices.
  
  The main factor which caused the drop in prices was deregulating the airlines in 1978.
8. Re: Maybe by Ol+Olsoc · 2017-01-02 07:50 · Score: 1
  
  No, the security was in the ticket stock. You needed an actual, magnetically coded ticket to board the plane. More secure, but an awful process.
  Gotta say, I never gave it a thought about how awful it was. I enjoyed getting out of the office for a bit, and chatting with the people at the travel agency. The internet has changed us, and normal and easy things are now much too much trouble. If we can't just click clicky, it is a burden too far.
  Well okay then. We have to have no effort on a system that is insecure by design. I guess we put up with what happens to us then, and quite willingly in fact.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
9. Re:Maybe by Wrath0fb0b · 2017-01-02 10:45 · Score: 1
  
  (1) More room for your legs
  (2) Fewer seats per plane
  (3) Higher ticket prices
  What do these three things have in common?
10. Re:Maybe by Wrath0fb0b · 2017-01-02 10:49 · Score: 1
  
  Pretty much agreed.
  To be fair though, from 1996 to the present, oil went up considerably (and then recently dropped back down) and so the decline in prices in the face of rising costs (gas is 30% of the total bill) is actually fairly impressive.
  Also Southwest :-)
Re:Fixing this is too expensive by plover · 2017-01-01 19:13 · Score: 5, Informative

The problem is too expensive to fix, but not for the reason you mentioned.
Many passengers struggle with flying, due to inexperience, carelessness, distractions, or fear of flying, or they lack the mental capacity to understand everything they need to do. These people need the simplest possible way to access their flight info. That means helping them as much as possible by printing the booking code on the luggage tags, flight coupons, boarding passes, everything.
So far, it's much cheaper to accept the risk of a few people messing with the flight info, rather than dealing with millions of scared, confused, and/or angry travelers stuck in an unplanned layover because they didn't have the ability to access their connecting flight information.
That could change if someone figures out how to monetize this hack safely, but that's very unlikely. The booking code isn't the only security measure in place. The hackers can change a flight, but a passenger complaining at a gate will win out over an online change; anyone attempting to cash in on the fraudulently changed ticket risks felony theft and fraud charges.

--
John
Re:Fixing this is too expensive by whoever57 · 2017-01-01 21:03 · Score: 1

Remember also that people are traveling, so they can't read the post-it note on their monitor, or whatever they use to store their password.

--
The real "Libtards" are the Libertarians!
Easier when they are stupid... by bungo · 2017-01-01 22:34 · Score: 1

I had someone use my email address to get the confirmation for the out and return flights for himself and his partner.
I have a gmail address, which I got back in the time when it was still invitation only, which I set up as my initial and last name @gmail.com. This person with the same initial (but different first name) and same last name decided that my email address must be his, so he used it when booking his tickets. Normally I just delete these emails, as this guy was the 4th person who has made the same mistake, but as they were for flights, I decided to be kind and contacted him - he was easy to find, as I had the city where he lived.
I can't believe how stupid some people are.
For a short period of time, I was thinking of where I could send him, maybe change his return flight to Juneau Alaska and see if he noticed.

--
"The best part? I became an ordained minister while not wearing pants." -- CleverNickName
1. Re:Easier when they are stupid... by CanadianMacFan · 2017-01-02 05:31 · Score: 1
  
  That's when you hope that they are going to someplace that has the same name in places such as Sydney, Australia and Sydney, Nova Scotia, Canada. Then you just send them to one of them. For example, instead of Boston, Mass send them to Boston, Kentucky.
Wonderful Security by Coditor · 2017-01-02 01:41 · Score: 1

For when it was designed in the 1960's. Note that much of the system is still rooted in the original designs. I worked in that industry and it wasn't any kind of secret how terrible this 50 year old security was. A lot of the design decisions such as no support for a year (all dates are in the future with no year indicated, so limited to about 330 days out) and the PNR code itself, plus storing the data in the record (everything vanishes on the day the last leg of the flight is complete). No one in the industry wants to change anything since every part of the travel industry is dependent on nothing changing. Even if hacking becomes rampant nothing will change.
Re:Fixing this is too expensive by hey! · 2017-01-02 02:31 · Score: 2

Well, the most straightforward way is to book a ticket for yourself; but that obviously leads back to you, which is probably why fixing this isn't a top priority.
That said, the ability to work malice and mischief has value to some. And in some cases that could have economic value (e.g. making sure key people from your competitors don't make it to a critical meeting).

--
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Re:That is why we can't have nice things by radarskiy · 2017-01-02 02:46 · Score: 1

Since it never involves talking to a person, isn't it anti-social engineering?
Re:Fixing this is too expensive by Cinnamon+Beige · 2017-01-02 03:12 · Score: 1

Actually, as smartphones get more ubiquitous and even dumbphones gain more capabilities, the cost of fixing the problem should drop--we're already seeing a shift towards electronic ticketing, how much more effort would be needed to simply have it set up so you can have your phone self-update with the connecting flight information as you go, so it'll be up-to-date and you will know things like "Oh, hey, my connecting flight changed" as soon as possible.
Interesting .... but .... by King_TJ · 2017-01-02 06:36 · Score: 1

Again, at least *some* of this strikes me as cases of, "Sure...the technology may let you do it, but you're still creating a trail to get caught!"
I mean, ok --- the relatively weak security might let me log in to a web portal and cancel a guy's flight. But if that's a flexible ticket (the most expensive kind) that lets me reschedule it under another name? Don't you think he might *notice* that happened? And when they investigate, it wouldn't be too tough to figure out who DID use that rescheduled flight.
I'd be more worried about the possibility of mischievous hackers screwing up people's booked flights for amusement and general rabble-rousing. But even something as simple as putting your own frequent flier ID in under someone else's flights to earn their miles means you can be tracked down and caught/punished for theft of them.
Sales/Corporate sabatage by Billly+Gates · 2017-01-02 08:34 · Score: 1

I can assholes screwing competitors out of contracts and sales opportunities by making sure the other guy doesn't show up for the pitch.
Surprisingly I heard of crazy stuff including geeks taking down wifi hotspots when a competitor comes in for a sale on the road etc.

--
http://saveie6.com/