2016-12-27 | HAMBURG
HAMBURG, Dec 27 - Major travel booking systems
lack a proper way to authenticate air travellers, making it easy
to hack the short code used on many boarding passes to alter
flight details or steal sensitive personal data, security
researchers warned on Tuesday.
Passenger Name Records (PNR) are used to store reservations
with links to a traveller's name, travel dates, itinerary,
ticket details, phone and email contacts, travel agent, credit
card numbers, seat number and baggage information.
The six-digit codes act as pincodes for locating travel
records, albeit with vital differences that make them highly
insecure compared with even the simple usernames and passwords
that consumers use to access email or websites, the researchers
said.
The world's three major global distribution systems (GDS) -
Amadeus, Sabre and Travelport -
manage a majority of travel reservations but face growing
competition from airlines and corporate travel and online
booking sites.
"While the rest of the Internet is debating which second and
third factors to use, GDSs do not offer a first authentication
factor," researchers at Berlin-based Security Research Labs said
in a statement.
Multi-factor authentication works when users offer separate
pieces of evidence of their identity such as something they
know, like a password, pincode or security question, and
something they possess, like a bankcard or a phone linked to
them.
With just a passenger's last name, the researchers were able
to use computer guesswork to find associated booking codes
within hours and thereby gain access to travel records.
"Given only passengers' last names, their booking codes can
be found over the Internet with little effort," said SRLabs'
Karsten Nohl, who, with co-author Nemanja Nikodijevic, will
detail their research this week at the Chaos Communication
Congress, Europe's biggest annual event on hacking.
Nohl has previously exposed major security threats in
phones, cars, payment terminals and data storage devices.
Security Research Labs acts as a security consultant to
major global clients, including banks.
Two of the three big booking systems - Amadeus and
Travelport - assign booking codes sequentially, making
brute-force computer guesswork easier. Of the three, Amadeus,
through its web portal CheckMyTrip, is especially vulnerable,
Nohl said.
"Amadeus is assessing the findings of SR Labs on travel
industry security," a company spokeswoman told Reuters.
"We will take these findings into account and work together
with our partners in the industry to address the issues that
have been exposed here and seek solutions to potential
problems," she said, referring to airlines and other travel
industry partners.
"As a matter of course Amadeus does protect its systems,
including Check My Trip, from the type of automated robotic
attacks outlined in this report."
Sabre told Reuters: "We have numerous layers of security in
place. Discussing how we maintain security and the privacy of
travellers undermines those safeguards and the security of our
systems."
Travelport did not respond to a request for comment.
LONG-KNOWN VULNERABILITIES
Travellers will never know who accessed their information,
because PNR data is not logged, the researchers said. Users have
no option to secure these codes themselves because the
credentials are arbitrarily assigned by airlines using the
booking systems.
The researchers call for the airlines to adopt modern
safeguards against brute-force attacks, such as limiting the
number of PNR requests per Internet address, and to offer passengers
a changeable password as minimal protection against such
attacks.
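As an added illustration of the safeguards the researchers describe (per-address request limiting, a passenger-set password, non-sequential code assignment, and logging of who accessed a record), the following is a constructed lookup service written for this article; it is not code from Amadeus, Sabre, Travelport or SRLabs, and the class name, attempt limits, code alphabet and record layout are all assumptions:

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

def new_pnr_code(length: int = 6) -> str:
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed alphabet; CSPRNG-drawn, not a sequential counter
    return "".join(secrets.choice(alphabet) for _ in range(length))

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PnrLookupService:
    def __init__(self, max_attempts=5, window_s=3600.0, now=time.monotonic):
        self.max_attempts, self.window_s, self.now = max_attempts, window_s, now
        self.records = {}                   # pnr_code -> booking record
        self.attempts = defaultdict(deque)  # client_ip -> lookup timestamps
        self.audit_log = []                 # (time, ip, code, outcome): every access is logged

    def create_booking(self, last_name: str, itinerary: str) -> str:
        code = new_pnr_code()
        self.records[code] = {"name": last_name.upper(), "itinerary": itinerary, "pw": None}
        return code

    def set_password(self, code: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # passenger-chosen credential, stored salted and hashed
        self.records[code]["pw"] = (salt, _hash_pw(password, salt))

    def _rate_limited(self, client_ip: str) -> bool:
        # Sliding window per IP; every attempt counts, so failed guesses burn budget too.
        q, t = self.attempts[client_ip], self.now()
        while q and t - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return True
        q.append(t)
        return False

    def lookup(self, client_ip: str, code: str, last_name: str, password: str = ""):
        if self._rate_limited(client_ip):
            self.audit_log.append((self.now(), client_ip, code, "rate_limited"))
            return None
        rec = self.records.get(code)
        # Constant-time comparisons so response timing does not reveal which field was wrong.
        ok = rec is not None and hmac.compare_digest(rec["name"].encode(), last_name.upper().encode())
        if ok and rec["pw"] is not None:
            ok = hmac.compare_digest(_hash_pw(password, rec["pw"][0]), rec["pw"][1])
        self.audit_log.append((self.now(), client_ip, code, "ok" if ok else "denied"))
        return rec["itinerary"] if ok else None
```

The `now` parameter exists only so the window can be driven by a fake clock in tests; in production the default monotonic clock is used.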
Nohl said the vulnerabilities he found with travel databases
are not new. They have been described, conceptually, by San
Francisco-based travel privacy campaigner Edward Hasbrouck, who
has waged a sometimes lonely campaign to expose them for years.
Hasbrouck, author of the 2001 traveller's rights book "The
Practical Nomad Guide to the Online Travel Marketplace", said
that since the 9/11 airline attacks on U.S. cities, industry and
public attention has focused on government access to travel data
to ensure flight safety instead of such data's commercial abuse.
Fifteen years ago, he warned: "Privacy is the Achilles' heel
of Internet travel planning".
Hasbrouck said the SRL research vindicates his arguments.
"If the data protection laws that have been in effect since
the early 1990s in the EU and Canada had been enforced, (travel
systems) would have been required to make changes that would
have significantly reduced some of the vulnerabilities... and
that SRLabs has now demonstrated can be exploited", he said.
(Editing by Hugh Lawson)