Almost anyone with general computer skills can alter online bookings and steal flights. The issue lies with booking systems being too primitive, German cyber security experts said.
Online booking often provides more convenience for passengers, but ageing computer systems used for the purpose are vulnerable to fairly primitive hacks, added the cyber security experts.
Flight bookings worldwide are managed by a certain Global Distributed System (GDS) that connects travel agencies, online booking websites, airlines and passengers in a network. Amadeus, Sabre, and Travelport, the three largest GDS networks, administer more than 90 percent of the bookings as well as numerous hotel, car, and other travel reservations, according to Security Research Labs (SR Labs), a Berlin-based hacking research collective.
Online check-ins and the EU’s visa-free Schengen zone mean that most European passengers do not have to show their IDs at airports while traveling within the bloc. Changing the departure time and email address on a booking makes it more likely that the actual passenger will know nothing of the breach of their data.
Nohl said that nothing happens if the hacker-generated booking code is wrong. Modern websites and computer systems actually limit the number of attempts to try a code from a single IP address, but archaic systems operated by many airlines have no such limit. “This is an industry-wide problem,” he asserted.
It is not the first time passengers’ privacy has been exposed as vulnerable to security flaws. In August, Sueddeutsche Zeitung said the names, credit card numbers and flight data belonging to millions of airline passengers in Europe could be accessed due to online security gaps revealed at Germany’s largest wholesale ticket.
While other online booking websites use randomly-generated codes that include both digits and letters, that was not the case at Aerticket, the newspaper reported. Aerticket reportedly eliminated the vulnerability within hours of the newspaper report.
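The two defences the article mentions, a cap on failed code attempts per IP address and booking codes drawn at random from letters and digits, can be sketched as follows. This is an added example, not code from the article, SR Labs or any booking system; the class and function names, the code length and the limit values are assumptions, and the sample booking is constructed.

```python
import secrets
import string
import time
from collections import defaultdict, deque

ALPHABET = string.ascii_uppercase + string.digits  # letters and digits
CODE_LEN = 6          # assumed length, not taken from the article
MAX_ATTEMPTS = 5      # assumed policy: failed lookups allowed per window
WINDOW_SECONDS = 600  # assumed policy: 10-minute sliding window


def new_booking_code():
    """Draw every character from a CSPRNG so codes are not sequential."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))


class BookingLookup:
    """Booking retrieval that counts failed attempts per client IP."""

    def __init__(self, bookings, clock=time.monotonic):
        self.bookings = bookings            # {(LASTNAME, CODE): record}
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # client IP -> failure timestamps

    def _recent_failures(self, ip):
        q = self.failures[ip]
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:         # forget failures outside the window
            q.popleft()
        return q

    def lookup(self, ip, last_name, code):
        """Return (status, record); status is 'ok', 'not_found' or 'blocked'."""
        q = self._recent_failures(ip)
        if len(q) >= MAX_ATTEMPTS:
            return "blocked", None          # refuse before touching booking data
        record = self.bookings.get((last_name.upper(), code.upper()))
        if record is None:
            q.append(self.clock())          # only failed guesses count
            return "not_found", None
        return "ok", record


if __name__ == "__main__":
    code = new_booking_code()
    svc = BookingLookup({("MUSTER", code): {"flight": "XX123"}})  # constructed
    for guess in ["AAAAAA"] * 6:
        print(svc.lookup("203.0.113.9", "Muster", guess)[0])
    print(svc.lookup("198.51.100.4", "Muster", code)[0])
```

The counters here live in process memory; a deployment with several front-end servers would need a shared store so that every server sees the same failure count for an address.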