New research from Security Research Labs (SR Labs) has revealed fundamental security and authentication weaknesses across major flight booking systems, leaving them vulnerable to hacking.
Fraudsters can easily hack boarding pass shortcodes to alter flight information or steal travelers’ personal data, said SR Labs. The security researchers said that the six-digit passenger name records (PNRs), which are used to store flight reservations, are linked to customers’ names, travel itineraries and flight details, phone and email contacts, travel agents, and credit card numbers.
The three major global distribution systems (GDS) used to manage the majority of travel reservations — Amadeus, Sabre, and Travelport — reportedly lack secure authentication. In a statement, researchers at SR Labs were quoted as saying, “While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”
“Given only passengers’ last names, their booking codes can be found over the Internet with little effort,” said SR Labs’ Karsten Nohl. Given a passenger’s booking code, the researchers warn that fraudsters can access sensitive data, steal flights, divert frequent flyer points and miles, and conduct phishing scams.
A company spokesperson from Amadeus, one of the three major global distribution systems, was quoted as saying, “Amadeus is assessing the findings of SR Labs on travel industry security. We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems.”
Travelers are unable to see who has accessed their personal information, the researchers said. Access to PNR data is not logged, and users cannot secure these codes themselves because the credentials are assigned at random by airlines.