Report says hackers have easy access to flight bookings due to legacy systems

Your flight itinerary for your next trip may be hacked. According to new research from SR Labs, the legacy systems for managing travel bookings are terribly insecure.

At the recent Chaos Communication Congress, a cybersecurity conference in Germany, two researchers from SR Labs showed how the three major global distribution systems (GDS) are not using secure authentication. A GDS is a system for managing travel reservations, in which data is shared among travel agencies, airlines, and passengers. The top three GDS providers in the field are Sabre, Amadeus, and Travelport.

Researchers Karsten Nohl and Nemanja Nikodijevic claimed that malicious actors could infiltrate these booking systems to alter passenger information and even cancel bookings. Most worryingly, the researchers said that they didn’t need much effort to do it, just the passenger’s last name and the six-digit Passenger Name Record (PNR).

The main problem? The GDSs simply haven’t been updated. SR Labs claims that many of the legacy systems are failing to properly authenticate passengers beyond the PNR number. To add insult to injury, this PNR number is frequently shared in customer emails and in some cases can even be found printed on your luggage tags.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” said SR Labs in its report. “Instead, the booking code (aka PNR Locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”

Accessing a traveler’s account would allow a hacker to not only mess around with their flight arrangements but potentially obtain payment data or further information to carry out phishing attacks.

“Global booking systems have pioneered many technologies including cloud computing. Now is the time to add security best practices that other cloud users have long taken for granted,” said SR Labs. “In the short-term, all websites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.”
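
The short-term measure SR Labs recommends, retry limits per IP address with a Captcha step, can be sketched as follows. This is an added example, not code from SR Labs or any GDS; the class and function names, the thresholds, and the 36-character alphabet are assumptions made for illustration.

```python
import time

WINDOW_SECONDS = 3600    # assumed: sliding window for counting failed lookups
CAPTCHA_AFTER = 3        # assumed: failures per IP before a Captcha is required
BLOCK_AFTER = 10         # assumed: failures per IP before lookups are refused
PNR_KEYSPACE = 36 ** 6   # six characters; assumed alphabet of A-Z and 0-9


class LookupGate:
    """Tracks failed booking lookups per client IP in a sliding window."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}   # ip -> list of failure timestamps, oldest first

    def _recent(self, ip):
        cutoff = self._clock() - WINDOW_SECONDS
        kept = [t for t in self._failures.get(ip, []) if t > cutoff]
        if kept:
            self._failures[ip] = kept
        else:
            self._failures.pop(ip, None)   # do not keep state for idle clients
        return len(kept)

    def decide(self, ip, captcha_solved=False):
        """Return 'allow', 'captcha' or 'block' before a lookup is attempted."""
        failures = self._recent(ip)
        if failures >= BLOCK_AFTER:
            return "block"
        if failures >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha"
        return "allow"

    def record(self, ip, found):
        """Record a lookup result; only misses count toward the limits."""
        if not found:
            self._failures.setdefault(ip, []).append(self._clock())


def days_to_try_all_codes(failures_per_window=BLOCK_AFTER):
    """Days one IP needs to try every code for one surname at the cap."""
    return PNR_KEYSPACE / failures_per_window * WINDOW_SECONDS / 86400
```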
