From a simple photo of a boarding pass, it is possible to access the passenger's information and to modify it.
The passenger's name, seat on the aircraft, destination, banking details or the account associated with the refund in case of cancellation… All this information is easily retrievable and, more importantly, editable, from a simple photograph posted on social networks. This is the worrying discovery shared by the cyber security experts Karsten Nohl and Nemanja Nikodijevic at the 33rd annual hacker meeting, the Chaos Communication Congress (CCC), on 27 December. At issue is the dilapidated state of a reservation system shared by airlines and travel agencies, through which billions of pieces of personal information pass without sufficient security measures, say the researchers.
“The reservation systems lack a safety device that we use on all other computer systems – that is to say, a password,” Karsten Nohl explained to the Süddeutsche Zeitung. On many sites, all it takes is the passenger's name and a booking code of only six characters to access particularly sensitive data.
A colossal database
Regardless of the airline or travel agency, air ticketing goes through major players such as Amadeus, Sabre and Travelport. Each operates a centralized reservation system (a “Global Distribution System”, or GDS) that manages millions of bookings by linking each ticket to a customer record (containing the buyer's name, email address, telephone number, passport number or bank details, but also ancillary information such as car or hotel bookings made, or loyalty programs). In 2015, Amadeus handled the data of 747 million passengers on behalf of airlines such as Air France, Lufthansa or Iberia, but also of travel booking sites, according to the Süddeutsche Zeitung.
Created in the 1960s, the GDSs have not been re-engineered to meet the security requirements of today's computing, so their databases store and share customers' sensitive details with airlines or travel agencies. Their employees sometimes do not even need a password to access them: it is enough to type in a passenger's name. More serious still, anyone can access a reservation record with a passenger's name and the passenger's six-character reservation code. Yet this code is often printed on boarding passes or luggage labels. A search on Instagram for the tag #boardingpass, or even a look through an airport's garbage, is enough to find copies.
Travel free of charge, or collect loyalty points
Without even moving or combing through Instagram, a hacker can find the magic word. In Amadeus, for example, the assigned codes follow one another in sequence over time, Nohl told the Tagesschau site. In Sabre, the first and last characters are always letters. But above all, many airline websites do not limit the number of queries sent, which makes it possible to try all the possible codes automatically until one works. A malicious person can then cancel a flight and use the available credit to choose a new one, on which they will use their own identity to travel free of charge.
This practice, however, leaves traces. “To pass unnoticed, just change the name on the loyalty account to that of the victim, which is sometimes possible. Otherwise, one can very well create a new loyalty account, or use those of persons already engaged in this type of fraud, simply by collecting the login credentials on Instagram,” explains Karsten Nohl. The expert also stressed that consulting a record, for information, remains invisible, because the GDS reservation systems keep logs for write access but not for read access.
A spokesman for Amadeus confirmed to Tagesschau that a “temporary maintenance flaw” had let a dozen automated requests through in the past. Nohl's team of researchers, however, claims to have been able to test two million different combinations. It even helped to set this up for an ARD reporter, alongside the member of parliament Thomas Jarzombek.
“Since our study, some of the [GDS] have begun to put in place measures, such as captchas or a limit on requests per IP address,” Karsten Nohl was keen to reassure at the conference. “In spite of these responsible disclosures, like the one we are making at this moment, things don't seem to be moving toward a better system for the moment,” he nevertheless told the Motherboard site. Already in 2015, the cyber-security expert Brian Krebs warned of the risks of throwing away one's boarding pass.
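As an added illustration written for this article (not code from the researchers, Amadeus, Sabre or Travelport), here is what the two controls the article says are missing, a log of every read of a reservation record and a per-IP cap on failed lookups, look like on a record-lookup endpoint, together with the enumeration pattern that read logging makes visible. The booking, names, codes, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed booking store for this example: (surname, six-character
# reservation code) -> record. Names and codes are made up.
BOOKINGS = {("MUSTERMANN", "AB12CD"): {"flight": "XX123", "seat": "14C"}}

class PnrLookupGuard:
    """Wraps a reservation-record lookup with the two controls the article
    says are missing: a log of every read, and a per-IP cap on failed
    lookups inside a sliding window (thresholds are assumed, not any GDS's)."""

    def __init__(self, window_s=600, max_failed=10):
        self.window_s = window_s
        self.max_failed = max_failed
        self.failed = defaultdict(deque)  # ip -> timestamps of failed lookups
        self.audit = []                   # (ts, ip, surname, code, outcome)

    def lookup(self, ip, surname, code, now):
        """Return (record or None, outcome); `now` is epoch seconds."""
        surname, code = surname.upper(), code.upper()
        q = self.failed[ip]
        while q and now - q[0] > self.window_s:  # forget attempts outside the window
            q.popleft()
        if len(q) >= self.max_failed:             # refuse before touching the store
            self.audit.append((now, ip, surname, code, "throttled"))
            return None, "throttled"
        record = BOOKINGS.get((surname, code))
        outcome = "ok" if record else "no_match"
        if record is None:
            q.append(now)
        self.audit.append((now, ip, surname, code, outcome))  # reads are logged too
        return record, outcome

    def enumeration_suspects(self, min_distinct_codes=5):
        """(ip, surname) pairs that tried many different codes without a match:
        the pattern of a code-guessing run, visible only because reads are logged."""
        tried = defaultdict(set)
        for _, ip, surname, code, outcome in self.audit:
            if outcome != "ok":
                tried[(ip, surname)].add(code)
        return sorted(k for k, codes in tried.items() if len(codes) >= min_distinct_codes)
```

A legitimate lookup from one address still succeeds while a burst of wrong codes for the same surname from another address is refused after the tenth miss and surfaces in the audit log.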