Transportation Security

Changing Other People's Flight Bookings Is Too Easy (computerworld.com) 75

"The security of online travel booking systems are stuck in the 1990s, according to security researchers," reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also "woefully insecure": This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according to a team of researchers who analyzed this online ecosystem... They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg. The three major Global Distribution Systems operators...store Passenger Name Records for hundreds of millions of travelers at any given time.

Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip... The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

  • Take the bus? But that might be limiting.

    • Re:Take the bus (Score:5, Insightful)

      by Anonymous Coward on Monday January 02, 2017 @12:01AM (#53591049)

      Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where I live (Nashville). Greyhound or Superbus are much better deals for all three: money, time, and hassle. I can get a round trip bus ticket for less than 100$ to the furthest city I would want to go to (Cleveland), the bus takes ~10 hours from door-to-door. When you read that it sounds like a lot, but consider that the bus makes stops at places with food/restroom. And for their 'express(read new)' buses it has WiFi and power outlets for each seat now and enough leg room for me (6ft) to _stretch_ my legs.

      Also, I've booked a round trip to Cleveland for a week less than 3 hours before the bus left for ... I think 89$.. (Emergency to help friend) and there would have been no way for me to book a flight on such short notice....

      If you can't get a direct flight to where you are going or need to book it ASAP, the cost can easily be 4~5x that (if not more) and the total time invested (after you account for TSA Security Theatre + waiting for baggage, etc....) is about roughly the same. Direct flights can save time, but I still feel the cost+hassle savings is worth it.

      I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)

      • Re: (Score:2, Funny)

        by Ol Olsoc ( 1175323 )

        I rode the bus a good 20 times and only had one issue where there was a guy who smelled. (and I've had that on airline flights too... so *shrugs*)

        One time my wife wanted to visit her father in Florida who just had an operation. I offered to drive her down from PA, and drive back then do it again a couple weeks later, since I had some big meetings I couldn't get out of.

        She said no, she would take the bus. I told her that was the last thing she wanted to do. I pleaded, I begged and cajoled. However, she is an alpha chick, and does not take telling. So the bus she took.

        After coming back into town a couple weeks later, the bus was three hours late. I

        • Re:Take the bus (Score:5, Insightful)

          by sid crimson ( 46823 ) on Monday January 02, 2017 @12:49AM (#53591135)

          I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .

          Wow man - what kind of ultimatum is that for your wife?
          Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.

          • Wow man - what kind of ultimatum is that for your wife? Cherish her, love her, support her. Dude, someday you'll wish you had these kinds of problems. Until then, enjoy life /with/ her.

            The sort of ultimatum you give someone when they haven't learned to listen to you when you know they are going to drive off a cliff, are determined to drive off the cliff, and nothing is going to stop them driving off that cliff, but you want to exercise your option to get out of the car before they drive off the cliff.

            I don't know if you've been involved with an alpha chick or not, but a headstrong one can be remarkably stubborn. So you would suggest that I tell her that I support her right to be sexu

          • Normally I'd agree with you. But in this case the instigator was the wife - she refused to take her husband's wishes into account in her initial decision to take the bus. The husband is merely adopting a tit-for-tat strategy - refusing to take her wishes into account if she does not take his wishes into account. Tit-for-tat [wikipedia.org] has been proven to be one of the best solutions to the iterated Prisoner's Dilemma problem, maximizing the positive outcome for both parties despite its slightly confrontational natur
        • I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .

          Way to be a complete dick to your wife after what sounds like a traumatic ride.

          Maybe she'd be better off without you.

          Oh and there is no such thing as "alpha" and "beta" people. There's absolutely nothing in sociology or psychology that supports the idea,

          • I did throw a shitfit and told her that if she wanted to take another Greyhound bus trip, it would be as a single parent. She is quite headstrong, but if that was all the respect I'd get after having to worry about what I knew was going to happen, fuck it .

            Way to be a complete dick to your wife after what sounds like a traumatic ride.

            We'll just ignore that part about her completely ignoring everything I told her, and her actually suffering less trauma than what I was expecting. I'm a big strong guy, and I wouldn't take a bus.

            I gave her plenty of options, like flying, or delivering her to Florida myself, but she wouldn't accept either of them. For some reason or other, she was determined to take that stupid bus.

            Maybe she'd be better off without you.

            Maybe.

            Or she could have just admitted I was right, which she did, and now swears off ever setting foot on a bus or in a bu

        • This sort of thing varies by the passenger's sex, age, and general body language...and the era at which you take the trip, since some of these problems have dropped simply because the bus is becoming more and more the choice of people who are not merely too poor to get a plane ticket.

          My own preference--admittedly helped by the fact that there's actually a station near enough me for it to be feasible--is to take the train...when I can actually find a route that gets me where I want. With all the talk about

      • I rode the bus a good 20 times and only had one issue where there was a guy who smelled.

        I rode the bus once. It smelled like a locker room, there was junk all over the floor. We were already packed in like sardines, and then they stopped to pick up more! There was a suitcase poking me in the ribs, and an elbow in my ear, and at one point I had a smelly old bum standing next to me who hadn't showered in a year. The window wouldn't open and the fan was broke, my face was turning blue. I don't think I'd been in a crowd like this since I went to see the Who.

        • by Pikoro ( 844299 )

          Another one rides the bus.... And another comes on, and another comes on... another one rides the bus ehhh!

      • by mjwx ( 966435 )
        I live in Europe, that means taking the train or the bus isn't viewed as COMMUNIST and often is a sensible option. Although I only live 44 miles from Central London, I'd still rather take the train, then the tube to my destination because it's honestly less hassle and the trains are not that bad here.

        That being said, flying isn't bad either. Last time I went to Heathrow I was through check in and security faster than it took to get from the car park to the terminal (to be fair, the car park was 25 minutes
        • by I75BJC ( 4590021 )
          The remedy for USA airport travel interaction with the TSA/DHS/Local LEOs? Move to UK! Regrettably, that won't work for most Americans. I do prefer the UK airport security that I have actually experienced to the average/now normal USA airport Security Theatre. Personally I prefer British Airways to any USA airline I have ever flown.
          • by mjwx ( 966435 )

            The remedy for USA airport travel interaction with the TSA/DHS/Local LEOs? Move to UK! Regrettably, that won't work for most Americans. I do prefer the UK airport security that I have actually experienced to the average/now normal USA airport Security Theatre. Personally I prefer British Airways to any USA airline I have ever flown.

            If you think BA is a good airline, you should fly someone like Singapore.

      • by eth1 ( 94901 )

        Not to sound like a /. shill, but I've given up on flights that are to major cities less than 500 miles from where

        My math goes something like this:
        Min door-to-door flight time is usually 45 min to airport, 45 min from airport, 30 min+ for security & bag check, 1hr safety margin, 15-30 min taxiing, plus flight time.
        That's 3-4 hours+ (~200 mile drive) just dealing with the hassles surrounding air travel. Add another 50 miles driven for every hour you spend in the air.
        Then, I personally am willing to deal with another hour or two of driving (+100mi) because I don't have to worry about transportation once I get where I

    • Take the bus? But that might be limiting.

      How Bob that sounds great. Can you meet up on the east coast today so we can close this contract and make millions before a competitor shows up?

      A bus is too much to lose. Yes, that was one such crazy scenario, but in business traveling there is a reason CEOs love their corporate jets. Not just to show off but in business many things are deadline driven and very quick access can make you or break you in a complex world

    • by antdude ( 79039 )

      Too slow. I wished we had fully working t(rans/ele)porters now. Cars, planes, etc. are too slow. I hate waiting and long commutes. :P I wished Concorde was still around too.

  • Maybe (Score:2, Insightful)

    by Ol Olsoc ( 1175323 )
    Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runways not in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.

    Because for some strange reason, once we try doing something on the internet, possibly the most insecure and interference prone method of doing anything, we forget how millions of us used to fly all of the time, without these sort of problems.

    • Was it as easy as changing previously posted Slashdot headlines?

    • by Anonymous Coward

      I don't know how people booked travel before the Internet, but let's speculate.

      They used phones, perhaps? Also insecure, authentication was probably pretty much as bad as it is today. Went to speak with a travel agent in person? The travel agent could check ID, but did they? And then they would have to call or otherwise contact the airline on the traveler's behalf.

      Only dealing directly with the airline, in person, could be considered secure, and that is if they always request ID.

      The truth is, there's little

      • I don't know how people booked travel before the Internet, but let's speculate.

        They used phones, perhaps? Also insecure, authentication was probably pretty much as bad as it is today. Went to speak with a travel agent in person? The travel agent could check ID, but did they? And then they would have to call or otherwise contact the airline on the traveler's behalf.

        Sounds pretty damn hard. Yes, Either my staff assistant, or myself spoke to our travel agent, who knew us. When I'd travel for work, we had an authorization number so no changes happened without that number and a number that replaced it.

        Only the "screwing with a person's travel plans" scenario seems likely to me, and that takes some pretty serious or specific motivation.

        But still a good illustration of people forgetting how to do stuff once we take it to the intertoobz.

        • No, the security was in the ticket stock. You needed an actual, magnetically coded ticket to board the plane.

          More secure, but an awful process.
          • No, the security was in the ticket stock. You needed an actual, magnetically coded ticket to board the plane. More secure, but an awful process.

            Gotta say, I never gave it a thought about how awful it was. I enjoyed getting out of the office for a bit, and chatting with the people at the travel agency. The internet has changed us, and normal and easy things are now much too much trouble. If we can't just click clicky, it is a burden too far.

            Well okay then. We have to have no effort on a system that is insecure by design. I guess we put up with what happens to us then, and quite willingly in fact.

    • by mjwx ( 966435 )

      Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runways not in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.

      Because for some strange reason, once we try doing something on the internet, possibly the most insecure and interference prone method of doing anything, we forget how millions of us used to fly all of the time, without these sort of problems.

      I also remember getting ripped off.

      Travel agents are going the way of the VCR rental store and good riddance.

    • Just maybe, we might just sorta think about how we could not even book flights until the intertoobz came along. All of those jets sitting on the runways not in use because without the internet, there was absolutely no way to reserve a flight. Sarcasm much intended.

      Look at the history of airfare (chart [aei.org] or article [theatlantic.com]) and before the internet, flying also cost twice as much (even after adding in the dreaded "fees" for shit that most people don't need) and was far less accessible to people of modest means. When people talk about how dignified air service was in the 70s, what they usually meant is that poor people weren't flying.

      Of course the internet isn't responsible for the entire drop in prices. But the direct-booking (vs paying travel agents for working the system) and fa

        • That graph is extremely deceptive because the scale starts at $250, not $0.
        • Travelocity [wikipedia.org] was the first online direct flight booking site that gave you access to most of the airlines. It was a spinoff from Sabre, the company which managed the airline reservation system that airlines and travel agents used. It didn't begin operating online until 1996
        • The vast majority of the ticket price drop ($600 to $400) happened before 1996. From 1996 to present there's only been about a $50 ($400 to $350).

        So the Int

        • Pretty much agreed.

          To be fair though, from 1996 to the present, oil went up considerably (and then recently dropped back down) and so the decline in prices in the face of rising costs (gas is 30% of the total bill) is actually fairly impressive.

          Also Southwest :-)

  • I had someone use my email address to get the confirmation for the out and return flights for himself and his partner.

    I have a gmail address, which I got back in the time when it was still invitation only, which I set up as my initial and last name @gmail.com. This person with the same initial (but different first name) and same last name decided that my email address must be his, so he used it when booking his tickets. Normally I just delete these emails, as this guy was the 4th person who has made the sam

    • That's when you hope that they are going to someplace that has the same name in places such as Sydney, Australia and Sydney, Nova Scotia, Canada. Then you just send them to one of them. For example, instead of Boston, Mass send them to Boston, Kentucky.

  • For when it was designed in the 1960's. Note that much of the system is still rooted in the original designs. I worked in that industry and it wasn't any kind of secret how terrible this 50 year old security was. A lot of the design decisions such as no support for a year (all dates are in the future with no year indicated, so limited to about 330 days out) and the PNR code itself, plus storing the data in the record (everything vanishes on the day the last leg of the flight is complete). No one in the indu
  • Again, at least *some* of this strikes me as cases of, "Sure...the technology may let you do it, but you're still creating a trail to get caught!"

    I mean, ok --- the relatively weak security might let me log in to a web portal and cancel a guy's flight. But if that's a flexible ticket (the most expensive kind) that lets me reschedule it under another name? Don't you think he might *notice* that happened? And when they investigate, it wouldn't be too tough to figure out who DID use that rescheduled flight.

    I'

  • I can see assholes screwing competitors out of contracts and sales opportunities by making sure the other guy doesn't show up for the pitch.

    Surprisingly I heard of crazy stuff including geeks taking down wifi hotspots when a competitor comes in for a sale on the road etc.
