Slashdot Mirror


Changing Other People's Flight Bookings Is Too Easy (computerworld.com)

"The security of online travel booking systems is stuck in the 1990s, according to security researchers," reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also "woefully insecure": This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according to a team of researchers who analyzed this online ecosystem... They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg. The three major Global Distribution Systems operators... store Passenger Name Records for hundreds of millions of travelers at any given time.

Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip... The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

8 of 75 comments

  1. Re:Take the bus by Anonymous Coward · · Score: 5, Insightful

    Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where I live (Nashville). Greyhound or Superbus are much better deals for all three: money, time, and hassle. I can get a round trip bus ticket for less than 100$ to the furthest city I would want to go to (Cleveland), the bus takes ~10 hours from door-to-door. When you read that it sounds like a lot, but consider that the bus makes stops at places with food/restroom. And for their 'express (read new)' buses it has WiFi and power outlets for each seat now and enough leg room for me (6ft) to _stretch_ my legs.

    Also, I've booked a round trip to Cleveland for a week less than 3 hours before the bus left for ... I think 89$.. (Emergency to help friend) and there would have been no way for me to book a flight on such short notice....

    If you can't get a direct flight to where you are going or need to book it ASAP, the cost can easily be 4~5x that (if not more) and the total time invested (after you account for TSA Security Theatre + waiting for baggage, etc....) is about roughly the same. Direct flights can save time, but I still feel the cost+hassle savings is worth it.

    I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)

  2. Re:Take the bus by sid+crimson · · Score: 4, Insightful

    I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it.

    Wow man - what kind of ultimatum is that for your wife?
    Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.

  3. Re:Fixing this is too expensive by plover · · Score: 5, Informative

    The problem is too expensive to fix, but not for the reason you mentioned.

    Many passengers struggle with flying, due to inexperience, carelessness, distractions, or fear of flying, or they lack the mental capacity to understand everything they need to do. These people need the simplest possible way to access their flight info. That means helping them as much as possible by printing the booking code on the luggage tags, flight coupons, boarding passes, everything.

    So far, it's much cheaper to accept the risk of a few people messing with the flight info, rather than dealing with millions of scared, confused, and/or angry travelers stuck in an unplanned layover because they didn't have the ability to access their connecting flight information.

    That could change if someone figures out how to monetize this hack safely, but that's very unlikely. The booking code isn't the only security measure in place. The hackers can change a flight, but a passenger complaining at a gate will win out over an online change; anyone attempting to cash in on the fraudulently changed ticket risks felony theft and fraud charges.

    --
    John
  4. Re:Take the bus by arglebargle_xiv · · Score: 2

    I rode the bus a good 20 times and only had one issue where there was a guy who smelled.

    I rode the bus once. It smelled like a locker room, there was junk all over the floor. We were already packed in like sardines, and then they stopped to pick up more! There was a suitcase poking me in the ribs, and an elbow in my ear, and at one point I had a smelly old bum standing next to me who hadn't showered in a year. The window wouldn't open and the fan was broke, my face was turning blue. I don't think I'd been in a crowd like this since I went to see the Who.

  5. Re:Take the bus by mjwx · · Score: 2

    I live in Europe, that means taking the train or the bus isn't viewed as COMMUNIST and often is a sensible option. Although I only live 44 miles from Central London, I'd still rather take the train, then the tube to my destination because it's honestly less hassle and the trains are not that bad here.

    That being said, flying isn't bad either. Last time I went to Heathrow I was through check in and security faster than it took to get from the car park to the terminal (to be fair, the car park was 25 minutes away). Automation has made things a crapload faster at airports as you can open dozens of automated terminals compared to a few desks (the automated terminals can also handle multiple flights from different airlines).

    Going through security was a breeze, they don't make you take your shoes off, just jackets and belts.

    To go to Brussels or Paris, I'd choose to fly as it's easier for me to get to Heathrow than St Pancras.

    Point in short, flying doesn't have to be painful, it's just that Americans have made it that way.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  6. Re: Take the bus by mjwx · · Score: 2

    If you altered someone's reservations how lucrative would it be? What are the chances of getting caught? Is it worth the possibility of a long jail term for wire fraud?

    Difficult to do for financial gain, but also quite difficult to get caught.

    The security of GDSs (Global Distribution Systems) is archaic. To access my booking and make changes all you need to know is my six character booking number and surname. Realistically you can socially engineer the booking reference from the airline just by knowing my name.

    Most airlines rely on two external methods to fix this: PCI, which is useless as I can pay with a different card, and notifying the user, which is the strongest security they've implemented but still largely useless as it requires the end user to act on any information they receive.

    When I make changes to a booking, I usually receive an email or text message from the airline notifying me of this. What makes this largely useless is the fact most people will ignore this information thinking that the airline will take care of everything for them. Whilst that is, to a large extent, true, in this case as far as the airline knows the end user made the changes.

    GDS providers really need to up their game when it comes to security, but as per usual nothing will happen until someone loses billions over it.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  7. Re:Fixing this is too expensive by hey! · · Score: 2

    Well, the most straightforward way is to book a ticket for yourself; but that obviously leads back to you, which is probably why fixing this isn't a top priority.

    That said, the ability to work malice and mischief has value to some. And in some cases that could have economic value (e.g. making sure key people from your competitors don't make it to a critical meeting).

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Re:Take the bus by Pikoro · · Score: 2

    Another one rides the bus.... And another comes on, and another comes on... another one rides the bus ehhh!

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"