Skip to main content

Report says hackers have easy access to flight bookings due to legacy systems

flight bookings hackers legacy systems pay for expedited boarding
Your flight itinerary for your next trip may be hacked. According to new research from SR Labs, the legacy systems for managing travel bookings are terribly insecure.

At the recent Chaos Communication Congress, a cybersecurity conference in Germany, two researchers from SR Labs showed how the three major global distribution systems (GDS) are not using secure authentication. GDS is a system used for managing travel reservations where data is shared among travel agencies, airlines, and the passengers. The top three GDS providers in the field are Sabre, Amadeus, and Travelport.

Researchers Karsten Nohl and Nemanja Nikodijevic claimed that malicious actors could infiltrate these booking systems to alter passenger information and even cancel bookings. Most worryingly, the researchers said that they didn’t need much effort to do it, just the passenger’s last name and the six-digit Passenger Name Record (PNR).

The main problem? The GDS systems simply haven’t been updated. SR Labs claims that many of the legacy systems are failing to properly authenticate passengers beyond the PNR number. To add insult to injury, this PNR number is frequently shared in customer emails and can even in some cases be found printed on your luggage tags.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” said SR Labs in its report. “Instead, the booking code (aka PNR Locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”

Accessing a traveler’s account would allow a hacker to not only mess around with their flight arrangement but potentially obtain payment data or further information to carrying out phishing attacks.

“Global booking systems have pioneered many technologies including cloud computing. Now is the time to add security best practices that other cloud users have long taken for granted,” said SR Labs. “In the short-term, all websites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.”

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Best router deals: Save on mesh networks and Wi-Fi 6 routers
The Netgear Nighthawk AXE11000 Tri-Band Wi-Fi 6E Router on a table.

Strangely enough, routers have had a huge technological bump in the last few years due to the number of devices that need to be connected to the internet. That's one of the main aspects of the new Wi-Fi 6, a standard that not only increases speeds and quality of the connection but addresses the issue with ten devices or more needing to connect to the internet constantly without impacting quality. To that end, if you haven't upgraded your router or mesh network in three to five or more years but are increasingly buying more smart-home products, grabbing a modern router with the latest technology is probably a good idea.

Best Router Deals

Read more
Intel says AMD’s Ryzen 7000 is snake oil
AMD CEO Lisa Su holding an APU chip.

In what is one of the most bizarrely aggressive pieces of marketing material I've seen, Intel is comparing AMD's Ryzen 7000 mobile chips to snake oil. Over the weekend, Intel posted its Core Truths playbook, which lays out how AMD's mobile processor naming scheme misleads customers.

There's an element of truth to that, which I'll get to in a moment, but first, the playbook. Intel starts with claiming that there's a "long history of selling half-truths to unsuspecting customers" alongside images of a snake oil salesman and a suspicious used car seller. This sets up a comparison between the Ryzen 5 7520U and the Core i5-1335U. Intel's chip is 83% faster, according to the presentation, due to the older architecture that AMD's part uses.

Read more
Don’t miss these deals on the Meta Quest 2 and Meta Quest Pro
A model poses with a Meta Quest Pro over a colorful background.

Meta isn’t just the parent company of Facebook, it’s also become a pioneer in the new wave of virtual reality. It has a lineup of virtual reality headsets to shop, and a couple of them are seeing deals today. Both the Meta Quest 2 and the Meta Quest Pro have their price dropped at Best Buy, with the more affordable Quest 2 seeing a sale price of $250 and the high-end Quest Pro discounted to $924. Best Buy is including free shipping with a purchase of either VR headset.
Meta Quest 2 VR headset — $250, was $300

The Meta Quest 2 isn’t the newest Meta Quest on the market, but it holds up really well when it comes to offering an immersive virtual experience. It has a super fast process and a high resolution display, both of which manage to handle the strains of virtual reality processing. The experience remains seamless and smooth even with more current software. If you want something brand new, the Meta Quest 3 is on the market, but both the Meta Quest 3 and Quest 2 offer total immersion with 3D positional audio, hand tracking, and haptic feedback that makes virtual worlds feel real. With the Meta Quest 2 you can explore more than 250 software titles across categories like gaming, fitness, socials and entertainment.

Read more