By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    A Malware Classification -Kaspersky Daily
    8 months ago
    Superfish: adware preinstalled on Lenovo laptops
    8 months ago
    Russian-speaking cyber spies from Turla APT group exploit satellites
    8 months ago
    Latest News
    Triangulation: Trojan for iOS | Kaspersky official blog
    5 days ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
    5 days ago
    Safeguards against firmware signed with stolen MSI keys
    7 days ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    7 days ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    Surface Pro released and the 128 GB version already sold out at the online Microsoft Store [Updated]
    8 months ago
    Windows 11 build 22622.590 (KB5017846) outs in the Beta Channel
    8 months ago
    How to protect computer from virus and hackers on Windows 11
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    Nine years of Project Galileo and how the last year has changed it
    Nine years of Project Galileo and how the last year has changed it
    17 hours ago
    Dynamic data collection with Zaraz Worker Variables
    Dynamic data collection with Zaraz Worker Variables
    4 days ago
    Reduce latency and increase cache hits with Regional Tiered Cache
    Reduce latency and increase cache hits with Regional Tiered Cache
    5 days ago
    Cloudflare is deprecating Railgun
    Cloudflare is deprecating Railgun
    5 days ago
    What is two-factor authentication | Kaspersky official blog
    1 week ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    Easter egg “I am a teapot” on Google
    8 months ago
    How to block ads with Adguard DNS in Android
    8 months ago
    How to reduce video quality in Chrome?
    8 months ago
    Latest News
    How to generate SSH keys on Windows 11
    7 hours ago
    How to enable file sharing on WSA for Windows 11
    7 hours ago
    How to add CPU, GPU, RAM widgets on Windows 11
    5 days ago
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: Booking systems’ insecurity allows free flights and more
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
Threats

Booking systems’ insecurity allows free flights and more

Tom Grant
Last updated: 13 October
Tom Grant 8 months ago
Share
9 Min Read

People post photos of their tickets online. Why shouldn’t they? Instagram alone contains thousands of images showing concert, airplane, and even lottery tickets.

If everyone does it, why shouldn’t you?

In fact, the last thing you should ever do with a ticket or boarding pass is post it online. This piece of paper contains data that allows anybody to steal your ticket (we’re not exaggerating!), rack up air miles, or even play a low-down trick on you. More than a year ago we discussed just what kind of bad jokes people can make with ticket information. Recently, security researchers Karsten Nohl and Nemanja Nikodijevic raised the topic again, at the Chaos Communication Congress (33С3).

Airlines, travel agents, price comparison websites, and many other services work together to provide easy booking opportunities to passengers. The industry uses Global Distribution Systems (GDS) to check flight availability, ensure that seats are not double-booked, and so forth. GDSs are tightly interwoven with Web services — but not with best Web protection practices. As the result, today’s GDS technology remains outdated in terms of protection and provides criminals with a huge attack surface.

Although about 20 GDS vendors exist at the moment, the security duo Nohl and Nikodijevic focused on the three main systems: Sabre (founded in 1960), Amadeus (founded in 1987), and Galileo (now a unit of Travelport). These systems administer more than 90% of flight reservations, as well as hotel, car, and other travel bookings.

For example, Lufthansa and AirBerlin work with Amadeus, and with the tour operator Expedia. American Airlines and Russian airline Аeroflot stick to Sabre. Anyway, it’s hard to say for sure which GDS stores the private data of a particular passenger: For instance, if you book a ticket for American Airlines flight on Expedia, both Amadeus and Sabre record the transaction.

Depends on the booking system’s rules, GDS records usually contain a passenger’s name, phone number, date of birth, and passport data, as well as their ticket number, departure and destination ports, and flight date and time. It also includes payment information (such as a credit card number). Quite sensitive information, in other words.

Nohl and Nikodijevic pointed out that a lot of people have access to this data, including airlines workers, tour operators, hotels representatives, and other agents. Researchers suppose that governmental agencies can read this data as well. But it’s only the tip of the iceberg.

To access and change this information, GDSs use a traveler’s name as login and a 6-digit booking code (most travelers know it as a PNR) as password. Yes, that’s the PNR that is openly printed on boarding passes and luggage tags. As a password.

People post photos of their tickets online. Why shouldn't they? Instagram alone contains thousands of images showing concert, airplane, and even lottery tickets.

“If the PNR is supposed to be a secure password, then it should be treated like one,” Nohl said at the conference. “But they don’t keep it a secret: It is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a bar code.” That bar code, by the way, still contains the PNR.

The majority of travelers don’t understand the inner workings of the flight industry, so they eagerly publish their tickets online together with PNR, encrypted into a bar code. However, a bar code is not a mystery; special software can read it. So anybody who takes a photo of your luggage tag at an airport or found your ticket online can access your private data. You don’t need to be a hacker to exploit PNR vulnerabilities — you just have to know where to look. In the video below you can see how Nohl and Nikodijevic decoded the bar code from an Instagram photo of an airline ticket.

In addition, many airlines and trip-checking websites don’t block users who enter wrong codes numerous times. As the result, malefactors can choose popular last names like Smith and simply brute-force PNRs of these passengers. It’s not hard: The code consists of six digits, and code generation algorithms often suffer from certain weaknesses. For example, some of them iterate the first two characters sequentially, and all PNRs generated on a particular date begin with the same characters. Other providers use specific codes for certain airlines. These practices narrow the range of digits an attacker has to guess.

At the Chaos Communication Congress, Nohl and Nikodijevic demonstrated that hacking a PNR takes just minutes. About 30 to 45 minutes into the same video, you’ll find a detailed explanation of how this works as well as real-time demonstration of the whole process.

The upshot is, criminals can farm GDSs for sensitive passenger data and use it for advanced phishing. Consider this scenario: Mr. Smith books a flight to Berlin and 10 minutes later receives an e-mail from his airline asking him to confirm his credit card information. The letter includes his first and last name, port of destination and other precise booking details. Does it seem believable? For sure! Mr. Smith is very likely to click the link in the e-mail and provide his credit card information — but to a fake website.

Also, using a PNR and having searched for some other personal data, hackers might be able to change the ticket data. They might cancel the ticket and have the money refunded to their own account. Or they could change the ticket holder’s name, surname, and passport number so that another person could take the trip (surprisingly, but certain services allow this). A more cautious or generous criminal might simply change the frequent flyer data and get the miles that the original ticket owner would’ve earned. Ultimately, by using PNRs as passwords, GDSs basically offer hackers free flights, unlimited miles, and even money.

One more extremely disappointing fact: Despite experts and media raising this question numerous times in recent years, GDS companies still refuse to log PNR accesses. That’s why nobody can trace the vast majority of abuse cases. Few incidents even become known — for example, when criminals outright stole tickets from travelers and victims complained. As for the more intelligent fraud and data theft, specialists are unable to evaluate the scope of the problem.

Nohl and Nikodijevic feel certain that customers cannot expect substantial changes anytime soon. The entire booking system needs to be rewritten, and unfortunately, the only thing that can make airlines do this is the rise of PNR fraud.

For now, we recommend two simple courses of action: stay vigilant and never, ever post your boarding passes online. Even an old ticket gives away a lot of your personal information.


Source: kaspersky.com

Translate this article

TAGGED: Phishing, PoC, Port scanning, Security, Software, Threats, Vulnerabilities, YouTube
Tom Grant October 13, 2022 October 7, 2022
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

How to generate SSH keys on Windows 11
News 10 hours ago
How to enable file sharing on WSA for Windows 11
News 10 hours ago
Nine years of Project Galileo and how the last year has changed it
Nine years of Project Galileo and how the last year has changed it
Apps 17 hours ago
Dynamic data collection with Zaraz Worker Variables
Dynamic data collection with Zaraz Worker Variables
Apps 4 days ago
How to add CPU, GPU, RAM widgets on Windows 11
News 5 days ago

Recent Posts

  • How to generate SSH keys on Windows 11
  • How to enable file sharing on WSA for Windows 11
  • Nine years of Project Galileo and how the last year has changed it
  • Dynamic data collection with Zaraz Worker Variables
  • How to add CPU, GPU, RAM widgets on Windows 11

You Might Also Like

News

How to generate SSH keys on Windows 11

10 hours ago
Nine years of Project Galileo and how the last year has changed it
Apps

Nine years of Project Galileo and how the last year has changed it

17 hours ago
Dynamic data collection with Zaraz Worker Variables
Apps

Dynamic data collection with Zaraz Worker Variables

4 days ago
Reduce latency and increase cache hits with Regional Tiered Cache
Apps

Reduce latency and increase cache hits with Regional Tiered Cache

5 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

Reduce latency and increase cache hits with Regional Tiered Cache
Cloudflare is deprecating Railgun
Triangulation: Trojan for iOS | Kaspersky official blog
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Previous Next
Hot News
How to generate SSH keys on Windows 11
How to enable file sharing on WSA for Windows 11
Nine years of Project Galileo and how the last year has changed it
Dynamic data collection with Zaraz Worker Variables
How to add CPU, GPU, RAM widgets on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?