German Cyber Expert warned after a remarkable hacking experiment saying "Almost anyone with basic computer skills can change online bookings and steal flights". Online booking often provides more convenience for passengers, but ageing computer systems used for the purpose are vulnerable to fairly primitive hacks.
The system used by millions of travellers each day which is inter-connected and is used to share data between travel agencies, airlines, passengers and websites is incredibly insecure. The attackers can easily modify other people’s reservations, cancel their flights and even use the refunds to book their own tickets.
German security firm SR Labs said that only a traveller's surname and a six-digit Passenger Name Record (PNR) is needed to enumerate the personal information about people as well as make changes to their bookings. Details such as names, addresses, credit card information and travel plans are all easily accessible by exploiting the insecure direct references of a traveller's surname and PNR exposed.
These outdated systems permits the travellers to check-in online and allows the price comparison websites to do their listings. But its reliance on surname and PNR is its weakest link.
The PNR being the most sensitive information should be protected from disclosures and during storage. But the PNR information isn't kept secret. It is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a barcode. Currently, the barcoded version of data can also be easily read, and travellers often make things easy for would-be hackers by simply throwing their boarding passes in the trash, or even posting photos of them online as part of their travel excitement.
The potential harm that could be caused with the combined use of surname and PNR is great enough, which can be further used to launch targeted phishing attacks. This isn't the first time though, however, in August, a researcher said the names, credit card numbers and flight data belonging to millions of airline passengers in Europe could be accessed due to online security gaps revealed at Germany’s largest wholesale ticket.
The newspaper even reported that every link to an itinerary receipt distributed by wholesale dealer Aerticket, ended with an 8-digit number. But, the itinerary reports were not stored securely on the server. An attacker can change the digits at the end of each itinerary receipt link, thereby allowing the user to view other travellers’ tickets, invoices, routes and credit card numbers.
The system used by millions of travellers each day which is inter-connected and is used to share data between travel agencies, airlines, passengers and websites is incredibly insecure. The attackers can easily modify other people’s reservations, cancel their flights and even use the refunds to book their own tickets.
German security firm SR Labs said that only a traveller's surname and a six-digit Passenger Name Record (PNR) is needed to enumerate the personal information about people as well as make changes to their bookings. Details such as names, addresses, credit card information and travel plans are all easily accessible by exploiting the insecure direct references of a traveller's surname and PNR exposed.
These outdated systems permits the travellers to check-in online and allows the price comparison websites to do their listings. But its reliance on surname and PNR is its weakest link.
The PNR being the most sensitive information should be protected from disclosures and during storage. But the PNR information isn't kept secret. It is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a barcode. Currently, the barcoded version of data can also be easily read, and travellers often make things easy for would-be hackers by simply throwing their boarding passes in the trash, or even posting photos of them online as part of their travel excitement.
The potential harm that could be caused with the combined use of surname and PNR is great enough, which can be further used to launch targeted phishing attacks. This isn't the first time though, however, in August, a researcher said the names, credit card numbers and flight data belonging to millions of airline passengers in Europe could be accessed due to online security gaps revealed at Germany’s largest wholesale ticket.
The newspaper even reported that every link to an itinerary receipt distributed by wholesale dealer Aerticket, ended with an 8-digit number. But, the itinerary reports were not stored securely on the server. An attacker can change the digits at the end of each itinerary receipt link, thereby allowing the user to view other travellers’ tickets, invoices, routes and credit card numbers.
No comments:
Post a Comment