Security Flaw in Airline Booking Allows Hackers to Change Ticket Data and More by krnel

### Most of the airline booking systems were designed in the 70s and 80s, and have not been updated with newer technology, leaving customers extremely vulnerable to hackers who want to gain access to the system and change the data.

<center><img src="http://www.steemimg.com/images/2016/12/29/booking-flightad594.jpg" alt="booking-flightad594.jpg" border="0"><br/><em><a href="http://www.huffingtonpost.com/2015/02/23/dont-book-flights-early_n_6646836.html">source</a></em></center>

Karsten Nohl and Nemanja Nikodijevic are two researchers working for the German security firm *Security Research Labs*. They presented their findings on Dec. 27th at the [Chaos Communication Congress 2016](https://events.ccc.de/). Their research assessed the security strengths and weaknesses of the three largest airline booking systems, known as Global Distribution Systems (GDS).

These old systems from the 70s and 80s, designed for leased lines, have been interwoven with web services but still **lack web security**.

The main security issues are as follows:
- Weak authentication
- Weak web services
- Abuse potential
- Invade travelers’ privacy
- Steal flights
- Divert miles
- Conduct phishing/vishing

While the rest of the world is debating which second and third authentication factors to use, the **old GDSs do not offer even a first authentication factor**. This is the main problem that the research uncovered.

A Passenger Name Record (PNR) locator is a six-character alphanumeric string, like 8EI29V, used to access and change the traveler's information.

The problem with these locators is that they are a restricted access code: parts of the sequence of characters must fall within a predetermined range. The customer's last name is associated with the PNR, which means that hackers can take a common last name and run through the possible locators until they find the proper access code, a brute-force attack.

### To demonstrate the feasibility of this security flaw, the researchers reassigned a reporter to sit next to a politician on a real flight. They also showed how a hacker can tie their own frequent flyer number to many other flights and give themselves credit for thousands of miles.

<center><img src="http://www.steemimg.com/images/2016/12/29/plane582b3.jpg" alt="plane582b3.jpg" border="0"><br/><em><a href="https://techxplore.com/news/2016-12-experts-reveal-vulnerability-airline-reservation.html">source</a></em></center>

*The problems don't stop there.*

### All of the information they can get about you from your flight records can be used to track you, get additional information and possibly steal your identity.

All three of the booking systems have been advised of their security flaws, which they are working on. One of them will have corrections out shortly, while the two others have much older systems that require a full rewrite of the system.

In the meantime, you can take measures yourself to ensure that the airline you're booking with uses a trusted system. Make sure that the website uses proper brute-force protection, such as captchas and retry limits per IP address. In the mid-term, the researchers say travel bookings need to implement proper secure authentication with a changeable password at the very least.
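
A sketch of the retry limit described above, as an added example rather than code from the researchers or any airline: failed lookups are counted in a sliding window per IP address and, as an added assumption, per last name, since the attack holds the name fixed and varies the locator. The thresholds, class name and sample bookings are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: locator -> last name on the booking.
BOOKINGS = {"8EI29V": "SMITH", "K4T7QZ": "JONES"}


class LookupThrottle:
    """Sliding-window limit on failed (last name, locator) lookups."""

    def __init__(self, max_fails=5, window_s=600):  # assumed thresholds
        self.max_fails, self.window_s = max_fails, window_s
        self.fails = defaultdict(deque)  # key -> times of failed lookups

    def _keys(self, ip, last_name):
        # Per-IP is the limit the post names. The per-surname key is an added
        # assumption: it catches one name being tried from many addresses.
        return ("ip", ip), ("name", last_name.strip().upper())

    def _recent(self, key, now):
        q = self.fails[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop failures that have aged out of the window
        return len(q)

    def check(self, ip, last_name, locator, now):
        """Return 'ok', 'fail', or 'challenge' (captcha / temporary block)."""
        keys = self._keys(ip, last_name)
        if any(self._recent(k, now) >= self.max_fails for k in keys):
            return "challenge"  # the lookup is not even attempted
        if BOOKINGS.get(locator.upper()) == last_name.strip().upper():
            return "ok"
        for k in keys:
            self.fails[k].append(now)
        return "fail"


def demo():
    """Replay constructed lookups: (seconds, source IP, last name, locator)."""
    t = LookupThrottle()
    events = [(i * 10, "198.51.100.7", "Smith", f"AAAAA{i}") for i in range(6)]
    events += [
        (60, "203.0.113.9", "Smith", "8EI29V"),   # other IP, same surname
        (70, "192.0.2.44", "Jones", "K4T7QZ"),    # unrelated traveler
        (700, "203.0.113.9", "Smith", "8EI29V"),  # after the window expires
    ]
    return [t.check(ip, name, loc, now) for now, ip, name, loc in events]
```

A legitimate traveler named Smith who arrives during the window gets the challenge too, which is why the response to the per-surname limit is a captcha rather than a hard lockout.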

---
#### Thank you for your time and attention! I appreciate the knowledge reaching more people. Take care. Peace.

---
References:
- [Security experts reveal vulnerability with airline reservation systems](https://techxplore.com/news/2016-12-experts-reveal-vulnerability-airline-reservation.html)
- [Legacy booking systems disclose travelers’ private information](https://srlabs.de/bites/travel-hacking/)

---
@krnel
2016-12-29, 5pm
@creatr ·
Once again, Wow!, @krnel,

This is incredibly disturbing but actionable information. Thank You! 😄😇😄
@karenb54 ·
I'm in the UK and private information isn't so private anymore, seems our Government wants to know everything we do
@krnel ·
Indeed they do.
@kkay1961 · (edited)
Thank you, good information. My personal experience as a traveler for about 15 years is I have never had a hacking or personal data issue using many airlines. That is not to say these issues aren't real or shouldn't be addressed. Constant improvement is what it is all about. Again great article.
@krnel ·
Yeah I'm not sure the hackers are doing this, or knew about it, but it's there for now.
@mranderson ·
Thanks for sharing another example of how centralization fails humans.