Report says hackers have easy access to flight bookings due to legacy systems

flight bookings hackers legacy systems pay for expedited boarding
stanislaw/123RF
Your flight itinerary for your next trip may be hacked. According to new research from SR Labs, the legacy systems for managing travel bookings are terribly insecure.

At the recent Chaos Communication Congress, a cybersecurity conference in Germany, two researchers from SR Labs showed how the three major global distribution systems (GDS) are not using secure authentication. GDS is a system used for managing travel reservations where data is shared among travel agencies, airlines, and the passengers. The top three GDS providers in the field are Sabre, Amadeus, and Travelport.

Researchers Karsten Nohl and Nemanja Nikodijevic claimed that malicious actors could infiltrate these booking systems to alter passenger information and even cancel bookings. Most worryingly, the researchers said that they didn’t need much effort to do it, just the passenger’s last name and the six-digit Passenger Name Record (PNR).

The main problem? The GDS systems simply haven’t been updated. SR Labs claims that many of the legacy systems are failing to properly authenticate passengers beyond the PNR number. To add insult to injury, this PNR number is frequently shared in customer emails and can even in some cases be found printed on your luggage tags.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” said SR Labs in its report. “Instead, the booking code (aka PNR Locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”

Accessing a traveler’s account would allow a hacker to not only mess around with their flight arrangement but potentially obtain payment data or further information to carrying out phishing attacks.

“Global booking systems have pioneered many technologies including cloud computing. Now is the time to add security best practices that other cloud users have long taken for granted,” said SR Labs. “In the short-term, all websites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.”

Features

Has Columbus, Ohio raised its IQ yet? A progress report from the mayor

Two years ago, the city of Columbus in Ohio received $40 million to pursue smart city initiatives. So, what’s happened since then? We spoke with its mayor, Andrew Ginther, to discuss progress and what’s ahead.
Mobile

Apple's iOS 12.1.1 makes it easier to switch cameras in FaceTime

After months of betas, the final version of iOS 12 is here to download. The latest OS comes along with tons of new capabilities, from grouped notifications to Siri Shortcuts. Here are all the features you'll find in iOS 12.
Movies & TV

The best shows on Netflix, from 'Haunting of Hill House’ to ‘Twilight Zone’

Looking for a new show to binge? Lucky for you, we've curated a list of the best shows on Netflix, whether you're a fan of outlandish anime, dramatic period pieces, or shows that leave you questioning what lies beyond.
Computing

An inside look at Qualcomm’s Snapdragon 8cx, a revolutionary laptop processor

Six years after Microsoft’s failed foray into ARM computing with Windows RT, its second effort with Always-Connected PC is now showing early signs of success. Microsoft partner Qualcomm told us how the Snapdragon 8cx might revolutionize…
Computing

Windows 10 user activity logs are sent to Microsoft despite users opting out

Windows 10 Privacy settings may not be enough to stop PCs from releasing user activity data to Microsoft. Users discovered that opting out of having their data sent to Microsoft does little to prevent it from being released.
Computing

Intel's discrete graphics will be called 'Xe,' IGP gets Adapative Sync next year

Intel has officially dubbed its discrete graphics product Intel Xe, and the company also provided details about its Gen11 IGP. The latter will include adaptive sync support and will arrive in 2019.
Computing

Intel answers Qualcomm's new PC processors by pairing Core and Atom in 'Foveros'

Intel has announced a new packaging technology called 'Foveros' that makes it easier for the company to place multiple chips together on one package. That includes chips based on different Intel architectures, like Core and Atom.
Computing

Razer’s classic DeathAdder Elite gaming mouse drops to $40 on Amazon

If you're looking to pick up a new gaming mouse for the holidays, Amazon has you covered with this great deal on the classic Razer DeathAdder Elite gaming mouse with customizable buttons, RGB lighting, and a 16,000 DPI optical sensor.
Computing

Intel's dedicated GPU is not far off -- here's what we know

Did you hear? Intel is working on a dedicated graphics card. It's called Arctic Sound and though we don't know a lot about it, we know that Intel has some ex-AMD Radeon graphics engineers developing it.
Computing

Firefox 64 helps keep your numerous tabs under control

Mozilla officially launched Firefox 64 by placing new features into the laps of its users including new tab management abilities, intelligent suggestions, and a task manager for keeping Firefox's power consumption under control.
Computing

Here's our guide to how to charge your laptop using a USB-C cable

Charging via USB-C is a great way to power up your laptop. It only takes one cable and you can use the same one for data as well as power -- perfect for new devices with limited port options.
Computing

Apple MacBook Air vs. Microsoft Surface Pro 6

The MacBook Air was updated with more contemporary components and a more modern design, but is that enough to compete with standouts like Microsoft's Surface Pro 6 detachable tablet?
Computing

Installing fonts in Windows 10 is quick and easy -- just follow these steps

Want to know how to install fonts in Windows 10? Here's our guide on two easy ways to get the job done, no matter how many you want to add to your existing catalog, plus instructions for deleting fonts.
Computing

Email take-backsies! Gmail's unsend feature is one of its best

Everyone has sent a message they wish they could take back. How great would it be if you could undo that impulsive email? If you're a Gmail user, you can. Here's how to recall an email in Gmail.