On travel reservation security...

Status
Not open for further replies.

ajd (Active Member; joined Jan 17, 2014; 567 posts; Qantas Silver, Virgin Red)
From 33c3, the 33rd Chaos Communication Congress, presented by a couple of guys from a German information security research firm. Aimed at techies but reasonably understandable nonetheless.

https://www.youtube.com/watch?v=n8WVo-YLyAg

I'm sure many AFFers are aware of the basic issues with the security of travel reservation systems (requiring nothing more than a PNR and a surname to login to MMB, for example), but there's plenty of stuff in this talk that's rather disturbing. In particular, it turns out that even if everyone followed good practice in shredding boarding passes, not posting them on Instagram, and so on... if you don't need to target a specific individual, it's actually not that hard to simply guess random PNRs until you find one that looks interesting and use it to steal a ticket...
 

I wonder how much mileage fraud is going on - you would think if it was, we would have members commenting here
 
I was always under the assumption that there was at least rate limiting and logging to prevent abuse. Turns out you learn something new (and scary) every day.
 
I wonder how much mileage fraud is going on - you would think if it was, we would have members commenting here

I think the saving grace there is that at some point the fraudster needs to show up at a predetermined place and time it would carry a fair amount of risk to actually benefit from this. Vandals on the other hand...
 
I wonder how much mileage fraud is going on - you would think if it was, we would have members commenting here

Indeed, it doesn't look like there's a huge amount of that going on else you'd hear more about the victims. But I would not at all be surprised if there were at least a few people doing it on a small scale.

I'm curious how much PNR lookups are used for espionage, of both the governmental and corporate types. Certainly there are plenty of high-level corporate executives/government officials/politicians working on commercially or politically sensitive projects who would rather not have other people piecing together their business travel records.
 
I wonder how much mileage fraud is going on - you would think if it was, we would have members commenting here

Mileage fraud I imagine happens reasonably regularly, it depends on the attack scenario and circumstances as to whether it would be detected or not.

Let's assume that you were selling cheap airfares bought with miles in premium cabins. The miles you obtain are fraudulent.

Now let's assume you employ at least one of the attack methods described in the video to get a PNR. You now know it belongs to Grandma Smith, who is travelling in Business to somewhere. And look, she hasn't put in a frequent flyer number (she probably doesn't have one). Great, there's a dead easy way to fraudulently collect some miles in the program of your choice with almost no chance of detection, as the traveller wouldn't be aware of it.

In the case you land on a frequent flyer's PNR, you could keep an eye on the booking until a day out or even an hour or so out (they would have their boarding pass by then in most cases), then you jump in and change it. Again, collecting the miles and unlikely to cause suspicion for a while, as I'm sure most of us would just assume that the airline is taking a while to process. I think it's fair to assume that most of us will give it at least a fortnight until we ring the airline asking what's up, where's my points?

In both cases, you have the miles easily with little alert unless you targeted the likes of a vigilant, security conscious traveller. You redeem the fraudulently collected miles and flog the airfares off to a customer. You don't have to speak to anyone; you can anonymously (hiding your IP through Tor, although I realise there are ways to get around it, most companies won't do this) book the ticket via the internet and never have to show your face or anything else that makes you identifiable.

Thus the fraudster gets his or her money and either won't be detected or will be detected too late and nothing could be done about it.
 
Quite frankly I am not surprised. I doubt there is any system in the world that is not hackable.
There is this-
15-year-old Teenage Hacker Arrested Over FBI Computer Hack
Another 15-year-old teenager got arrested from the land of cakes, Scotland, by British Police for breaking into the FBI Systems on 16th February.

Note the source and the links on how to hack.
then this-
https://en.wikipedia.org/wiki/Kristoffer_von_Hassel

Then if you are in the US every email, phone call etc. is captured and stored by the NSA. You have no secrets. Probably goes on elsewhere.
Reading about cyber security I am glad I still have a dumb phone.
 
I wonder how much mileage fraud is going on - you would think if it was, we would have members commenting here

There is quite a bit going on world wide ... how and why it happens is kept very quiet to stop copy cats
 
The video is sadly pretty much a how-to guide. Also seems very easy to brute force the PNR with CC details.
 
From 33c3, the 33rd Chaos Communication Congress, presented by a couple of guys from a German information security research firm. Aimed at techies but reasonably understandable nonetheless.

https://www.youtube.com/watch?v=n8WVo-YLyAg

I'm sure many AFFers are aware of the basic issues with the security of travel reservation systems (requiring nothing more than a PNR and a surname to login to MMB, for example), but there's plenty of stuff in this talk that's rather disturbing. In particular, it turns out that even if everyone followed good practice in shredding boarding passes, not posting them on Instagram, and so on... if you don't need to target a specific individual, it's actually not that hard to simply guess random PNRs until you find one that looks interesting and use it to steal a ticket...

Wow had no idea it was this easy thanks for putting it up and opening my eyes!
 
The video is sadly pretty much a how-to guide. Also seems very easy to brute force the PNR with CC details.

Definitely scary stuff, particularly if you have a common surname... Be wary of any emails, even if they contain details of an upcoming trip.

Hopefully however the industry closes the brute force stuff pretty quickly.
 
Quite frankly I am not surprised. I doubt there is any system in the world that is not hackable.

It's not that systems can not be hacked; it's more that the airline reservations system is so insanely bad at security that it's not even laughable. It's a system designed in the 70s which appears to have never been given a security upgrade since. To put this into a non-IT context, it would be like a bank stating it was the place to store your money as it had reached an 1850s level of security (in 2017).


Hopefully however the industry closes the brute force stuff pretty quickly.
I would not be holding your breath for that; serious $$$ would need to be at stake. Security is something that most people pay lip service to, but convenience will always win out. For security to get a proper look-in it typically requires the threat of legal action or loss of business. Neither of those events are likely.
 
I think this is all very well known stuff in the industry and no surprise - most of what was shown could be exploited for nuisance value rather than fraud/theft (which would leave an easy to follow trail in most cases).
I think the presenters set out to make a point and did so very effectively. Legacy GDS systems are easy to exploit. The real issues are around privacy and govt access as the data is increasingly rich and widely shared and accessible to numerous govt agencies in jurisdictions around the world.
 
Pretty interesting. If someone was able to pull out name, address, email, passport #, DOB from a PNR they could be well on the way to ID stealing.

Potential for burglars to follow the boarding pass # as well - scope out who's away in their local city!

Agree with previous comments, risk from vandals is probably biggest concern.

I would expect frequent flyer points to only post if name on booking matches FF account, so for people to steal a meaningful amount of points from upcoming flights it would take a lot of effort?
 
I would not be holding your breath for that; serious $$$ would need to be at stake. Security is something that most people pay lip service to, but convenience will always win out. For security to get a proper look-in it typically requires the threat of legal action or loss of business. Neither of those events are likely.

At least they could do the rate limiting/Captcha stuff pretty quickly. It took 2 of the sites in the video only a couple of days, and being in computers myself I can't believe that it's such a big task for the remaining airlines, etc. that have access to GDS to do the same. GDS should make it a condition of access and then I'm sure it would be fixed in a week.

Of course they could still leave the backdoor open for the government agencies who use all of this (and hence why they don't want the logging). The Freedom of Information request the journalist made in the video was very interesting.
 
Perhaps messing with your ex's travel plans will be the next revenge opportunity. Cancel the trip with the new partner?

Happy wandering

Fred
 
The problem with simply adding on rate limiting and captchas is that it does not address the fact that the security is fundamentally flawed.

Rate limiting and captchas make cracking into a system more difficult; the fact is that those sorts of things are nothing more than a minor annoyance for anyone with skills beyond script kiddie.

One of the design philosophies I always follow when designing a secure system is that security needs to be as close to the data as possible. The second part of the design is that all channels to access that data are forced to go via the secure method. No back doors for convenience.

So to put this into an aviation context, security should be done at the travel reservation system (TRS) level. Proper passwords, proper accounts with permissions limited to the minimum required to perform the required task, all airlines must pass through authentication to the TRS. Access to reservation details limited by purpose; for example, the account which the boarding pass scanner uses is limited to being able to confirm if a boarding pass is valid for the flight it is boarding. The numbers encoded on a boarding pass can only be used to validate that it is a valid boarding pass, with no additional information contained on it, so photos of the pass do not compromise it. Airlines would be welcome to store a copy of such information against frequent traveller profiles.

Any access to a reservation should have a log entry stating date / time / account / reason. Before anyone says "but that's now a new account I'd need to keep track of", we already receive emails and / or other information from airlines when we book; an additional piece of information on the email (or even a simple link) stating how to view your booking online is hardly going to be a bother.

The problem is that anything less than a TRS-level solution leaves loopholes (e.g. one website implements a weaker captcha than the other), and loopholes are exactly what crackers (in my case - ethical) look for when breaking into systems.
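As an added illustration of the design the post above describes (example code written for this thread, not code from the video, the thread, or any airline or GDS), here is a Python sketch of a TRS access layer: every call authenticates an account at the TRS itself, each role gets only the purposes its job needs, a passenger account is scoped to its own PNR, boarding passes are issued as random opaque tokens that carry no reservation data, and every access attempt, allowed or denied, is appended to an audit log with time, account, PNR and reason. The roles, account names, API keys and the ABC123/Smith reservation are all constructed for the example.

```python
"""Sketch of a travel reservation system (TRS) access layer: authentication and
authorisation at the TRS, least-privilege accounts scoped by purpose, opaque
boarding-pass tokens, and an audit entry for every access attempt.
All accounts, keys, roles and PNRs below are constructed for the example."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when authentication, purpose, PNR scope or the stated reason fails."""


# Purposes each role may exercise (hypothetical roles; least privilege per caller).
ROLE_PURPOSES = {
    "gate_scanner": {"validate_boarding_pass"},
    "check_in_agent": {"view_reservation", "issue_boarding_pass"},
    "passenger": {"view_reservation", "update_frequent_flyer"},
}

# Constructed sample data: a PNR plus surname never grants access on its own.
SAMPLE_RESERVATIONS = {
    "ABC123": {"surname": "Smith", "flight": "QF1", "frequent_flyer": None},
}
# account id -> (role, API key, PNRs the account may touch; None means any)
SAMPLE_ACCOUNTS = {
    "scanner-gate-42": ("gate_scanner", "k-scanner", None),
    "agent-syd-007": ("check_in_agent", "k-agent", None),
    "pax-smith": ("passenger", "k-smith", {"ABC123"}),
}


@dataclass
class ReservationSystem:
    reservations: dict
    accounts: dict
    boarding_tokens: dict = field(default_factory=dict)  # opaque token -> PNR
    audit_log: list = field(default_factory=list)

    def _authorize(self, account, api_key, purpose, pnr, reason):
        """Authenticate the account, check purpose and scope, log the outcome."""
        entry = {"time": datetime.now(timezone.utc).isoformat(), "account": account,
                 "purpose": purpose, "pnr": pnr, "reason": reason, "allowed": False}
        if account in self.accounts:
            role, expected_key, scope = self.accounts[account]
            authenticated = hmac.compare_digest(expected_key, api_key)  # constant time
            entry["allowed"] = (authenticated and purpose in ROLE_PURPOSES[role]
                                and (scope is None or pnr in scope) and bool(reason))
        self.audit_log.append(entry)  # denied attempts are logged as well
        if not entry["allowed"]:
            raise AccessDenied(f"{account}: {purpose} on {pnr}")

    def view_reservation(self, account, api_key, pnr, reason):
        self._authorize(account, api_key, "view_reservation", pnr, reason)
        return dict(self.reservations[pnr])

    def update_frequent_flyer(self, account, api_key, pnr, ff_number, reason):
        self._authorize(account, api_key, "update_frequent_flyer", pnr, reason)
        self.reservations[pnr]["frequent_flyer"] = ff_number

    def issue_boarding_pass(self, account, api_key, pnr, reason):
        """Return a random token; the pass itself carries no PNR, name or flight."""
        self._authorize(account, api_key, "issue_boarding_pass", pnr, reason)
        token = secrets.token_urlsafe(16)
        self.boarding_tokens[token] = pnr
        return token

    def validate_boarding_pass(self, account, api_key, token, flight, reason):
        """Answer only whether the token is good for this flight; nothing else leaves."""
        pnr = self.boarding_tokens.get(token)
        self._authorize(account, api_key, "validate_boarding_pass", pnr, reason)
        return pnr is not None and self.reservations[pnr]["flight"] == flight


def permitted(call, *args):
    """True if the call succeeds, False if the TRS denies it."""
    try:
        call(*args)
        return True
    except AccessDenied:
        return False


def run_scenario():
    """Exercise the layer with the constructed accounts and return the observations."""
    trs = ReservationSystem({k: dict(v) for k, v in SAMPLE_RESERVATIONS.items()},
                            SAMPLE_ACCOUNTS)
    scanner, pax = ("scanner-gate-42", "k-scanner"), ("pax-smith", "k-smith")
    token = trs.issue_boarding_pass("agent-syd-007", "k-agent", "ABC123", "check-in")
    results = {
        "passenger_sees_own": trs.view_reservation(*pax, "ABC123", "self-service")["surname"],
        "scan_right_flight": trs.validate_boarding_pass(*scanner, token, "QF1", "boarding QF1"),
        "scan_wrong_flight": trs.validate_boarding_pass(*scanner, token, "QF7", "boarding QF7"),
        "scan_bogus_token": trs.validate_boarding_pass(*scanner, "no-such-token", "QF1", "boarding QF1"),
        # the scanner account can validate but never read the record behind a pass
        "scanner_reads_record": permitted(trs.view_reservation, *scanner, "ABC123", "curious"),
        "wrong_key": permitted(trs.view_reservation, "pax-smith", "wrong", "ABC123", "self-service"),
        "no_reason": permitted(trs.view_reservation, *pax, "ABC123", ""),
        "other_pnr": permitted(trs.view_reservation, *pax, "ZZZ999", "snooping"),
    }
    results["log_entries"] = len(trs.audit_log)
    results["denied_logged"] = sum(1 for e in trs.audit_log if not e["allowed"])
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scanner account only ever gets a yes/no for the flight it is boarding, so a photographed pass or a leaked scanner key exposes no reservation data, and the passenger account cannot reach any PNR but its own. Because denied attempts are written to the same audit log as permitted ones, a run of failed lookups from one account is visible to whoever reviews the log, which is the detection capability the thread notes the current systems lack.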
 
I knew that posting photos of boarding passes was a "no no" but was unsure exactly why. This is scarily easy for anyone to access your information. Safe to say my friends and family are all now acutely aware of the dangers.

Thanks OP for posting, enlightening stuff.
 