Sharing a picture of your boarding pass on social networks before a trip has become common practice... but it is clearly risky. That is the conclusion of two computer security experts who presented their work at the 33rd edition of the Chaos Communication Congress, as reported by Le Monde.
Specifically, the problem lies in the computer systems that manage flight bookings (GDS, for Global Distribution Systems), which the researchers say are riddled with flaws: the data of millions of passengers can be reached "in a few clicks", and even modified.
Karsten Nohl and Nemanja Nikodijevic explain that GDSs store a very large amount of personal data (address, e-mail, phone number, loyalty card number, and sometimes credit card number), collected in passenger name records (PNR) and duplicated across several GDSs.
"No hacking was required" to access this data, says Karsten Nohl, simply because these computer systems are very old (dating from the 1960s) and have little or no protection or encryption: the key boils down to the combination of the passenger's name and the booking code.
So, the experts explain, with these two pieces of information, employees in the sector (airlines, travel sites, etc.) could access all of a traveller's personal data, regardless of the trip or the airline used.
Most worrying of all, anyone can access a PNR with only the passenger's name and the booking reference, via the websites of airlines that do not protect this data with a password.
And to obtain these two pieces of data, a boarding pass is enough: in some cases it shows the booking reference in the clear (the traveller's name is always shown). And if the reference does not appear in the clear, it is contained in the bar code, which can also be decoded very easily. Hence the risk of photographing and sharing one's boarding pass...
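As an added illustration (not code from the article or from the researchers), the following Python parser reads the mandatory items of a boarding-pass bar code in the IATA BCBP "M" format, which is plain text rather than encrypted, lists the two values that unlock a PNR, and blanks the booking reference before the pass is shared. The field layout is taken from that standard; the sample bar code is constructed and the passenger is fictitious.

```python
# Added example (not from the article): parse the mandatory items of an IATA
# BCBP boarding-pass bar code to show which fields are plain text, and redact
# the booking reference before the pass is shared. Field layout follows the
# IATA BCBP "M" format; the sample bar code below is constructed, not real.

FIELDS = [  # (field name, width in characters), in bar-code order
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_reference", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("day_of_year", 3), ("compartment", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("variable_field_size", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters

# Constructed sample: fictitious passenger DOE/JANE, booking reference ABC123.
SAMPLE_BCBP = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "CDG" + "JFK" + "AF " + "0123 " + "326" + "Y"
    + "012A" + "0025 " + "1" + "00"
)


def parse_bcbp(data: str) -> dict:
    """Split the fixed-width mandatory items into a dict of stripped values."""
    if not data.startswith("M") or len(data) < MANDATORY_LEN:
        raise ValueError("not a BCBP 'M' format bar code")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    return fields


def exposed_access_key(data: str) -> tuple:
    """The two values that, per the researchers, unlock a PNR: name + booking reference."""
    fields = parse_bcbp(data)
    return fields["passenger_name"], fields["booking_reference"]


def redact_booking_reference(data: str) -> str:
    """Overwrite the 7-character booking reference field, keeping the layout intact."""
    start = sum(width for _, width in FIELDS[:4])  # offset of booking_reference (23)
    return data[:start] + "X" * 7 + data[start + 7:]


if __name__ == "__main__":
    print(exposed_access_key(SAMPLE_BCBP))  # ('DOE/JANE', 'ABC123')
    print(redact_booking_reference(SAMPLE_BCBP))
```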
And that is not all. Karsten Nohl demonstrated that it is possible to obtain the booking reference associated with a name simply by trying every combination. That makes it possible to edit the booking, cancel it, and so on, or even obtain a refund.
Faced with these threats, some GDS operators, such as the market leader Amadeus, have already put protective measures in place, but according to the researchers they are still insufficient. Only the introduction of passwords for editing a ticket online (and not just the booking reference) would constitute a good defence. But such an approach would require a very deep redesign of these old GDSs.