A Reuters report has warned that travel booking systems are vulnerable to hackers due to their lack of a proper way to authenticate air travellers
The short codes on many boarding passes, says the report, are easy to alter or use to steal sensitive information, including the traveller’s name, travel dates, itinerary, ticket details and credit card details.
The research, by Berlin-based Security Research Labs, found that the codes are highly insecure, even when compared to consumers’ simple usernames and passwords.
“While the rest of the world is debating which second and third factors to use, global distribution systems do not offer a first authentication factor,” said the researchers. They found they were able to use only passengers’ last names to gain access to their booking codes online, therefore gaining access to their travel records.
The researchers claimed that the issue with the systems that most travel sites use - Amadeus, Sabre and Travelport – do not allow travellers to see who has accessed their data, as passenger name record (PNR) information is not logged. These codes, which some systems simply assign sequentially, cannot be secured by users.
Security Research Labs stated that the online portal most at risk from the ‘brute-force computer guesswork’ that would allow a hacker access to sensitive information is Amadeus, though a spokesperson for the company told Reuters that there are measures in place to stop this happening.
Researchers, including Edward Hasbrouck – who has been campaigning on the issue for several years – have called for airlines to adopt modern safeguards, such as limiting the number of PNR requests per internet address and offering passengers a changeable password, to try to protect travellers from these threats.