Airline Booking Software Vulnerable to Hacking
Posted by: Timothy Weaver on 12/31/2016 01:26 PM
Several legacy flaws have been found in the computer systems that are responsible for 90% of all airline ticketing systems.
Security Research Labs (SRL) reports that the three major booking systems, Amadeus, Sabre and Travelport, all suffer from weak authentication and web services. The reason behind these flaws is that the Global Distribution Systems (GDS), the flight booking software, were built in the 1970s and 1980s to operate on mainframe computers and dedicated lines. These systems have since been updated to work over the internet.
Because of these flaws, hackers would be able to obtain a wide variety of passenger data, including personally identifiable information; flights could be stolen or altered, and mileage could be swiped. The stolen information could also be used for phishing attacks.
The major flaw is that there seems to be a total lack of authentication. The authenticator is actually printed on the ticket itself.
“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers' information,” the SRL report stated.
“Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers' last names, their bookings codes can be found over the Internet with little effort,” the report stated.
Security Research Labs is proposing a simple solution that would involve only employing CAPTCHAs and limiting the number of access attempts per IP address.
Source: SCMagazine
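A sketch of the per-IP attempt limit with a CAPTCHA step that SRL proposes, added here as an illustration and not taken from the SRL report or any GDS. The thresholds, window length, class and function names, and the sample events are all assumptions constructed for this example.

```python
import time
from collections import deque

# Assumed policy values (not from the SRL report); tune against real traffic.
WINDOW_SECONDS = 600   # sliding window over which failed lookups are counted
CAPTCHA_AFTER = 3      # failed lookups in the window before a CAPTCHA is required
BLOCK_AFTER = 10       # failed lookups in the window before the IP is refused

class LookupThrottle:
    """Counts failed (last name, booking code) lookups per client IP."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}            # ip -> deque of failure timestamps

    def _recent_failures(self, ip):
        q = self._failures.get(ip)
        if q is None:
            return 0
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:    # drop failures older than the window
            q.popleft()
        if not q:
            del self._failures[ip]     # do not keep state for quiet clients
        return len(q)

    def decision(self, ip):
        """Return 'allow', 'captcha' or 'block' for the next lookup from ip."""
        n = self._recent_failures(ip)
        if n >= BLOCK_AFTER:
            return "block"
        return "captcha" if n >= CAPTCHA_AFTER else "allow"

    def record(self, ip, found):
        """Only lookups that matched no booking count against the IP."""
        if not found:
            self._failures.setdefault(ip, deque()).append(self._clock())

def replay(events):
    """Replay (timestamp, ip, found) events and return each decision.
    A 'captcha' verdict is treated as solved so the lookup still runs."""
    now = [0.0]
    throttle = LookupThrottle(clock=lambda: now[0])
    verdicts = []
    for ts, ip, found in events:
        now[0] = ts
        verdicts.append(throttle.decision(ip))
        if verdicts[-1] != "block":
            throttle.record(ip, found)
    return verdicts

# Constructed sample: one client failing 12 lookups in a row, one ordinary
# traveller mistyping once, and the first client returning after the window.
SAMPLE_EVENTS = [(float(t), "203.0.113.7", False) for t in range(12)] + [
    (12.0, "198.51.100.20", False), (13.0, "198.51.100.20", True),
    (700.0, "203.0.113.7", True)]
```
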