Thursday, December 29, 2016

Your plane ticket and your personal data are vulnerable to hacking – Le Monde

The way the airline booking system is designed makes a great deal of personal data accessible, and can even allow reservations to be changed.


An aircraft at John F. Kennedy International Airport in New York, in 2008.

European policymakers have been squabbling for years over the sharing of air passengers' personal data. They probably do not know that these data are already available to anyone who asks. In just a few clicks, it is easy to access the personal information of hundreds of millions of airline passengers, and in some cases even to change or cancel their flight, because the booking system's security is weak, if not non-existent.

This is the alarming picture drawn by Karsten Nohl and Nemanja Nikodijevic, two computer security specialists, who presented their findings on Tuesday, December 27, in Hamburg, at the 33rd edition of the Chaos Communication Congress (CCC), the large annual hacker gathering.

Read also: The Chaos Communication Congress, a stronghold of digital counter-culture

The two experts looked at Global Distribution Systems (GDS): companies that act as intermediaries between airline-ticket sellers and airlines. The airlines supply the price and availability of each flight they offer, and the GDS relay this to ticket sellers, such as online travel sites.

But a GDS also keeps a record of the bookings made with airlines, and to that end stores a very large amount of personal data: postal address, email address, phone number, loyalty-card number, and sometimes even credit-card number. These records, known in the jargon as passenger name records (better known as PNRs), are sometimes duplicated across several GDS.

“No hacking was required”

“[The protection of] air passengers' data has been the subject of many debates in Europe. One might think that this system, at the forefront of these disagreements, is secure,” explains Karsten Nohl, a regular at the CCC, who heads the company Security Research Labs. In reality, “no hacking was necessary” to access these data, he says.

Indeed, the GDS and the whole ecosystem around them have been in place for several decades, and no meaningful measure to protect the data they hold appears to have been put in place.

First problem: according to the two experts, the personal information stored by the GDS is available to a very large number of employees at travel-sales sites and airlines. All it takes is the booking reference and the passenger's name.

According to the two experts, the security procedures around this access are very weak: often a basic password for employees of travel agencies or travel sites, or even no password at all for airline employees. “The protections are ridiculously low,” laments Karsten Nohl.

Data accessible to almost anyone

There is something more disturbing: because of a structural weakness, this information is not only accessible to industry employees. Frequent flyers know this well: to retrieve the details of a flight and manage them, for example on the airline's website, all you need to provide is the six-character reservation number (digits and letters) and the passenger's name.

It is very rare for additional information (a password, for example) to be required to access this information. This means that, armed with only the booking reference and the passenger's last name, anyone can access that passenger's personal data.

These two pieces of information are relatively easy to obtain: in some cases the booking number is printed on the boarding pass, and can therefore be recovered once the pass has been discarded. Not to mention the thousands of internet users who post photos of their boarding pass on social networks every day!

And even when the reference or the passenger's name is not directly visible, it can be found in the bar code printed on the boarding pass. Websites make it very easy to read these codes.
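To make the last two paragraphs concrete, here is an added example, not code from the article or from the researchers: a decoder for the mandatory part of an IATA Bar Coded Boarding Pass (BCBP), the barcode format printed on boarding passes. The sample pass is constructed and the field widths follow the public IATA layout; the point it illustrates is that the reservation reference and the surname, the two values a booking site asks for, are stored in clear text in the barcode, which is why a photo of a pass is enough to expose a booking.

```python
"""Decode the mandatory fields of an IATA Bar Coded Boarding Pass (BCBP).

Added example (not from the article): the reservation reference (PNR) and
the passenger surname are both stored in clear text in the barcode.
The sample pass built below is constructed, not a real one.
"""
from datetime import date, timedelta

# Mandatory fields of a single-leg BCBP, in order, with their fixed widths
# (IATA Resolution 792 layout; 60 characters in total).
BCBP_FIELDS = [
    ("format_code", 1),
    ("legs", 1),
    ("passenger_name", 20),
    ("eticket_indicator", 1),
    ("pnr", 7),
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("variable_field_size", 2),
]
MANDATORY_LENGTH = sum(width for _, width in BCBP_FIELDS)


def parse_bcbp(payload: str) -> dict:
    """Split the barcode payload into its mandatory fields (first leg only)."""
    if len(payload) < MANDATORY_LENGTH:
        raise ValueError(f"payload too short: {len(payload)} < {MANDATORY_LENGTH}")
    if payload[0] != "M":
        raise ValueError("not a BCBP payload (format code must be 'M')")
    record, pos = {}, 0
    for name, width in BCBP_FIELDS:
        record[name] = payload[pos:pos + width].strip()
        pos += width
    # The size of the optional trailing field is encoded in hexadecimal.
    record["variable_field_size"] = int(record["variable_field_size"] or "0", 16)
    return record


def flight_date(record: dict, year: int) -> date:
    """BCBP stores only the day of the year; the year has to be supplied."""
    return date(year, 1, 1) + timedelta(days=int(record["julian_date"]) - 1)


def lookup_credentials(record: dict) -> tuple:
    """The (PNR, surname) pair that 'manage my booking' pages accept."""
    surname = record["passenger_name"].split("/")[0]
    return record["pnr"], surname


def build_sample_bcbp() -> str:
    """Constructed sample: DOE/JOHN, PNR ABC123, MUC->SEA, LH 490, day 127."""
    values = ["M", "1", "DOE/JOHN", "E", "ABC123", "MUC", "SEA", "LH",
              "0490", "127", "Y", "018A", "0045", "1", "00"]
    return "".join(v.ljust(width) for v, (_, width) in zip(values, BCBP_FIELDS))


if __name__ == "__main__":
    payload = build_sample_bcbp()
    rec = parse_bcbp(payload)
    print(repr(payload))
    print("Booking reference:", rec["pnr"], "| surname:", lookup_credentials(rec)[1])
    print("Route:", rec["from_airport"], "->", rec["to_airport"],
          "on", flight_date(rec, 2017))
```

Nothing in the payload is encrypted or signed for the reader's benefit; the decoder only has to know the field widths. That is the whole of the "indiscretion" the article describes, and it applies to any pass whose barcode is legible in a photo.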

The indiscreet nature of the boarding pass was already partly known. But the two researchers also found a way to obtain a reservation number easily, even without access to a boarding pass. For various reasons, these numbers are not generated at random, and by trying thousands of possibilities very quickly it is possible to obtain the booking number associated with a given name.

Karsten Nohl demonstrated this for the German television channel WDR: he managed to find the ticket of one of its journalists and to change it.

3 billion air passengers

The dangers vary according to the protection mechanisms put in place by the websites used to retrieve personal data with a reservation number and a name (airlines, travel sites, GDS, etc.). But it is possible to change the passenger's name, email address and flight date, and thus to travel in the victim's place.

It is also possible to obtain a refund for the flight, for example in loyalty points. This is how the two researchers, during their presentation, accessed the record of a passenger travelling from Munich to Seattle who had been careless enough to post his boarding pass on Instagram.

Following the two researchers' remarks, several GDS companies' and airlines' websites have in recent days put in place mechanisms that are supposed to make it harder to access passengers' personal data, though without changing the underlying logic of the system.

However, the sensitivity and the volume of the data that can be accessed call for further protection, says Mr. Nohl, for example by introducing a password that the traveller must provide to access and change his or her booking.
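As an added example of the kind of protection Mr. Nohl recommends (not code from the article, from any airline or from any GDS): the reference-plus-surname check the article describes, beside a hardened lookup that additionally requires a per-booking secret, throttles failed attempts per client and per reference, answers every failure with the same generic result, and records attempts for monitoring. The booking store, the secret, the limits and the client addresses are all constructed assumptions.

```python
"""Booking lookup: the weak reference+surname check beside a hardened one.

Added example; the bookings, secret, limits and client addresses below are
constructed assumptions, not the article's or any airline's code.
"""
import hashlib
import hmac
import time
from collections import defaultdict

SALT = b"constructed-static-salt"   # use a random per-booking salt in practice


def _hash_secret(secret: str, salt: bytes = SALT) -> bytes:
    # Iteration count lowered for the example; use a higher one in production.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


# Constructed booking store keyed by reservation reference (PNR).
BOOKINGS = {
    "ABC123": {
        "surname": "DOE",
        "route": "MUC-SEA",
        "email": "j.doe@example.com",
        # Per-booking secret issued to the traveller at booking time.
        "secret_hash": _hash_secret("correct horse battery"),
    },
}


def lookup_weak(ref: str, surname: str):
    """The check the article describes: reference + surname is all it takes."""
    booking = BOOKINGS.get(ref.upper())
    if booking and booking["surname"] == surname.upper():
        return booking
    return None


class HardenedLookup:
    """Reference + surname + per-booking secret, with throttling and audit."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(list)    # (kind, value) -> failure timestamps
        self.audit = []                      # events for the monitoring pipeline

    def _locked(self, key) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < self.lockout_seconds]
        self.failures[key] = recent
        return len(recent) >= self.max_failures

    def lookup(self, ref: str, surname: str, secret: str, client_ip: str):
        ref = ref.upper()
        keys = (("ip", client_ip), ("ref", ref))
        # Throttle per client and per reference, so neither a single source
        # nor a distributed run of guesses against one booking is unbounded.
        for key in keys:
            if self._locked(key):
                self.audit.append(("locked", key))
                return None
        booking = BOOKINGS.get(ref)
        # Hash the supplied secret whether or not the reference exists, so
        # response time does not reveal which references are valid.
        supplied = _hash_secret(secret)
        expected = booking["secret_hash"] if booking else _hash_secret("")
        ok = (booking is not None
              and booking["surname"] == surname.upper()
              and hmac.compare_digest(expected, supplied))
        if not ok:
            now = self.clock()
            for key in keys:
                self.failures[key].append(now)
            self.audit.append(("failed", ref, client_ip))
            return None   # same answer for every failure: no enumeration hint
        self.audit.append(("success", ref, client_ip))
        return booking


if __name__ == "__main__":
    print("weak:", lookup_weak("abc123", "doe")["route"])
    h = HardenedLookup(max_failures=3)
    for guess in ("wrong", "also wrong", "still wrong", "correct horse battery"):
        print("hardened:", guess, "->", h.lookup("ABC123", "DOE", guess, "10.0.0.1"))
    print(h.audit)
```

The per-reference counter is what blunts the guessing the researchers described: with only a reference and a surname to check, a lookup page cannot tell a traveller from a script, whereas a secret that is never printed on the pass, plus a lockout after a handful of failures, turns thousands of quick tries into a few before the booking is locked and the attempts appear in the audit trail.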

According to the World Bank, over 3 billion passengers were carried by air in 2015. The GDS system is de facto one of the richest databases of personal information ever created, and probably one of the least secure.
