Legacy travel booking systems do not protect travelers’ private information

Published 4 January 2017

Travel bookings worldwide are maintained in a handful of systems. The three largest — Global Distributed Systems (GDS) Amadeus, Sabre, and Travelport — administer more than 90 percent of flight reservations as well as numerous hotel, car, and other travel bookings. The most important security feature lacking from all three GDSs is a proper way to authenticate travelers.

Today’s GDSs go back to the 1970s and 1980s, when they were built around mainframe computers and leased lines. The systems have since been interwoven with Web services, but still lack several web security best practices.

Weak authentication
In a blog post, SRLabs says that the most important security feature lacking from all three GDSs is a proper way to authenticate travelers. While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.

The authenticator is printed on boarding passes and luggage tags. Any person able to find or take a photo of the pass or tag can access the traveler’s information — including e-mail address and phone number — through the GDS’s or airline’s web site.

Weak Web services
Traveler information is also at risk of online hacking because authenticators are brute-forceable. The way 6-digit booking codes are chosen makes them weaker than a 5-digit password (<28.5 bits), which would be considered insecure for most applications. Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow many thousands of booking codes to be tried from a single IP address. Given only passengers’ last names, their booking codes can be found over the Internet with little effort.

Abuse potential
Given a passenger’s booking code, an intruder can:

  • Invade travelers’ privacy. The booking overview typically contains contact information such as phone number, e-mail, and postal address, travel dates and preferences, and often passport information
  • Steal flights. Most airlines allow flight changes, some even cancellations for a voucher, allowing a fraudster to travel for free
  • Divert miles. By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights
  • Conduct phishing/vishing. By knowing details of a booking that has just been made – which is possible in GDSs that use sequential booking codes – an intruder can target travelers for social engineering, asking for their payment info or frequent traveler credentials

The way ahead
SRLabs notes that global booking systems have pioneered many technologies, including Cloud computing. Now is the time to add security best practices that other Cloud users have long taken for granted.

In the short-term, all Web sites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.
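A minimal sketch of the retry limit described above, added here as an illustration and not taken from SRLabs or any GDS or airline. It goes one step beyond a per-IP limit by also counting failures per surname, since the article notes that guessing needs only a last name; the class name, thresholds and return values are assumptions.

```python
import time
from collections import deque

class LookupThrottle:
    """Sliding-window count of failed booking-code lookups, per IP and per surname."""

    def __init__(self, window=3600, captcha_after=3, block_after=10,
                 clock=time.monotonic):
        # Thresholds are assumed policy values, not figures from the article.
        self.window = window
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.clock = clock
        self._failures = {}  # key -> deque of failure timestamps

    @staticmethod
    def _keys(ip, last_name):
        # Normalise the surname so "smith " and "SMITH" share one counter.
        return ("ip", ip), ("name", last_name.strip().upper())

    def _recent(self, key, now):
        q = self._failures.get(key)
        if q is None:
            return 0
        while q and now - q[0] >= self.window:
            q.popleft()  # drop failures older than the window
        if not q:
            del self._failures[key]
        return len(q)

    def decide(self, ip, last_name):
        """Call before running a lookup; returns 'allow', 'captcha' or 'block'."""
        now = self.clock()
        ip_key, name_key = self._keys(ip, last_name)
        ip_fails = self._recent(ip_key, now)
        name_fails = self._recent(name_key, now)
        if ip_fails >= self.block_after:
            return "block"
        # A surname under guessing only escalates to a Captcha, so an attacker
        # cannot lock the real traveler out by failing lookups on purpose.
        if max(ip_fails, name_fails) >= self.captcha_after:
            return "captcha"
        return "allow"

    def record_failure(self, ip, last_name):
        """Call when a (surname, booking code) pair matched no booking."""
        now = self.clock()
        for key in self._keys(ip, last_name):
            self._failures.setdefault(key, deque()).append(now)
```

In a multi-server deployment the counters would live in a shared store rather than in process memory, which this sketch does not cover.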

In the mid-term, traveler bookings need to be secured with proper authentication, at the very least with a changeable password.

— For more information, see the outline, slides, and video from a 27 December 2016 conference presentation. Much more information is available on Edward Hasbrouck’s blog.