Budget airline Ryanair has reacted with indignation to suggestions that its booking system ought to be more secure. While most airlines only allow modifications to bookings once a passenger has verified themselves using a password and booking reference, Ryanair adopts a lower standard. German newspaper Der Tagesspiegel found …
I don't know why they are complaining...
It's a golden opportunity for them.
1) Provide username/password to user at time of booking
2) If they didn't print it off at the time, charge them £40 for a reminder
Or something along those lines. Whatever needs to be changed, Ryanair will work out a way to milk a profie from it.
RyanAir care more about the security of the self loading cargos personal details than they do about the comfort and convenience of the cargo itself?
You pay peanuts? You get monkeys.
Ryanair: By cheapskates. For cheapskates.
(Downvote all you want. It won't help you get your money back :0) )
Anyone who supports the revenue stream of ChavAir deserves all they get.
Some of us just don't have a choice
There's simply no competition on some routes, thus making ryanAir almost compulsory.
That doesn't make us, its users, cheapscapes, or less deserving of good, friendly customer services and travelling in relative comfort and stress free environment, none of which is applicable to travelling with ryanAir at the moment.
Being characteristically arrogant is surely more important.
Ah yes, I'd love you to tell me all the other ways I could fly to Jutland. RyanAir is more often than not, not only the cheapest, but the only way.
"...more often than not..." ? So you do have a choice then.
As ever, it depends where your flying from. But KLM, British Airways, Lufthansa, Sun Air et al. can all get you to Billund.
If the drive to an alternative airport (Vs. having secure flight/booking details(?)) bothers you, then I refer you to previous cheapskate/ChavAir comments above.
Good day to you Sir.
A case of speaking too soon then
There's no evidence that miscreants have subverted Ryanair's booking system
Now that the exploit is wekk known thans to EL Reg then I'd expect that jhonny crim will be up to no good very soon.
Kudos to El Reg. Ryan-I-will-get-round-to-charging-you-for-the-air-that-you-breath-Air are by a long way the worst airline I've ever had the misfortune to fly with. It takes a lot to beat some of the ex-Areoflot routes I flew in the early 1990's.
Problem with this
There is a problem with the attack described in this article. It assumes that there is no lockout after X invalid login attempts. Such a system would be almost too easy to implement.
All a hacker would need is access to a botnet, then no lock out!
Could be based on email address. After 5 invalid login attempts from an email address account is locked. Simples.
Yep then when the original customer wanted to access their details they would just have to ... oh.
The Ultimate Tweak
"Ryanair would do well to consider making tweaks to its website."
Like taking it off the internet forever, along with its late-90s style flashing ads for hotels and car hire.
Just been to their website - never visited it before - hello 1999! If that's any sign of how competent their web developer(s) are then this really doesn't come as a surprise.
It's an excellent site
for what it (probably) cost...
Black Helicopter because Rendition is the only way to fly with less frills than Ryanair
Ryanair won't give a damn about this
If your booking is modified they will assume it was your fault for giving out your account details. If it is then possible to change the booking back they will charge you a re-booking fee. If your booking is not modified then no harm no foul. Either way it is better for their bottom line - they make more out of the punters or they save money on hiring web developers.
In reality no-one actually chooses to fly with Ryanair. people who use Ryanair either do so because there is no-one else flying from their local airport to their chosen destination or because they are unable / unwilling to pay the extra money other airlines charge. Ryanair have already lost all the customers it is possible for them to lose so why should they bother about this?
The sooner Aer Lingus start doing off-peak flights between my local airport and Dublin, the better.
Better than National Geographic
The National Geographic website only needs your subscription number in order to access your account settings. This would be the account number that is printed on the shipping label of every issue I receive. Granted, the scope for mischief is somewhat smaller, but it would appear that you can do things like change the delivery address this way.
I contacted their customer support to express my concerns only to receive a rather generic response that they would take the comments in to consideration. In comparison Ryanair's security methods seem positively robust.
Thank You Ryanair!
I look forward to you contributions to the UK tax payer via the £500k ICO fines, every time you loose personal data through management stupity.
the current statements from the ICO basically go along the lines of if you do not take basic precautions, then don't be surprised if you get the book thrown at you when the screw up occurs.
I'm only unhappy that the government chickened out and didn't give the ICO the same data breach fining capabilities as the FSA.
The title is required, and must contain letters and/or digits.
The ICO are useless when it comes to data protection. Just look at the way BT sent their customer details to ACS:Law in an unecrypted and unsecure format despite a court order and the ICO's complete lack of action as a result.
Thinking that the ICO will actually do their job is pointless since they've already refused on multiple occasions now to do it. It's just a pity that it's not one of those quangos on Cameron's hit list.
possible != probable
So there's a possibility (Q: has it ever, actually happened) that a bad person could change the details of a fliers booking, or cancel it. So, apart from doing mischeif what the hell would be the point? There's no possibility the bad person could make a financial gain for themselves from this - which therefore rules out 99.9 ... percent of the motivation for doing bad things to other people via the internet.
At best the miscreant would cause an unknown amount of inconvenience to a person they've never met. [If the target was someone they knew, they would surely have more direct ways of annoying them and could use their knowledge of that person to much greater effect].
So, yes. In theory this sort of activity may be possible. In practice the reasons for doing so would be so slight that an argument could be put that the person doing it had a mental health problem. In the real world it would be interesting to hear if there were any stories of this happening - either proven or even hearsay, to let us quantify the actual size of the problem.
you're missing the point
The point is that to stop it happening at all is so simple that whether or not it will/has happened is irrelevant.
Reasons for doing so...?
You're right, that's ridiculous. Why would anybody want to do that? That's almost as silly as sending out billions of email messages advertising for Viagra or online poker sites. What's the point? Nobody would do that.
Still, I'll bet that it will happen in less than two weeks.
Paris, for obvious reasons. Beauvais, though, not Charles de Gaulle.
The title is required, and must contain letters and/or digits.
Mas cancellations would be one thing competitors might be interested in doing, or perhaps even unhappy employees that think their own company is taking the piss might try. Think BA and BASSA for example, or BA and Virgin (if memory serves BA were found guilty in a court of law of persuing a dirty tricks campaign against Virgin some years ago - poaching Virgin customers was apparently one of the tricks used). Make the mechanism for viewing a booking too simple and this sort of tactic becomes possible. After all, with Ryanair if all that's needed is the email address then a bot could go through and try different values until one or more is accepted.
It could cause quite a few financial problems for the company concerned if they suddenly faced a large number of mysterious cancellations and had to pay back all the money associated with those trips. There's also the damage to the reputation of the company to take into account when they have to face the customers that didn't know this had happened (and for all we know could turn up at the terminal thinking they still had a flight to catch).
British Airways are almost as bad
They just send out an email with a hyperlink to the booking. Anybody who has been forwarded that email for whatever reason can change the booking. If anybody else manages to access the message then they can make changes too. The web page itself once you go to it is not protected in any way beyond the security-by-obscurity of having to know the exact URL. Once you're in, you're in and can make pretty much whatever changes you want to.
It's not just RyanAir
A lot of airlines have 'login' systems for flight modifications that those of us with an understanding of how it should be done would turn our noses up at. Normally all you need is the record locator and perhaps the passenger surname which admittedly isn't as poor as the email/date/origin example in the article but it isn't exactly what you'd consider a strong password either - they're typically 6 character alpha-numeric codes.
Last year, my mother flew BA to visit me. To make sure I had the right flight numbers, arrival times, etc, she forwarded the itinerary email which contained a direct link to edit her booking (no login required) and do anything from the silly like order a special meal to the serious like cancellation, modifications and entering passport numbers, etc. You'd think that the airline would be smart enough to separate the itinerary (which they must realise some people are going to forward) and the account/e-ticket information into separate emails.
You'd think in this day and age (and I mean of computer security not 'terr-ists') that they'd have a clue about how to write a login system but I guess not?
Ryanair charge for changes
This isn't really too much of an issue as Ryanair require you to enter card details to make any changes to the booking (even cancelling or name changes). And it doesn't get automatically charged to the card used.
Worst someone can do (for free) is checkin for your flight for you with incorrect passport details (still against your name). (Which to be honest I doubt are checked properly by ryanair anyway).
Seems a hell of a lot to go through just to cause someone a minor bit of hassle?
British Airways only require the booking ref and passenger's surname to access a booking. OK, I don't think you can add any paid-for items without having to pay for them there and then but still, seems a bit double standards to me, even though like all sane people I too detest Ryanair.
and for the flight plan
Would Ryan air be happy to have the same sort of security on the system where they submit their flight plan?
Lost your res info? No problem, just contact ...
U.S. Homeland Security as they get everything about you and your flight including e-mail address(es), credit card numbers, passport number and DOB, meal preferences, seat assignment info, frequent flyer card numbers, home address and telephone number, cell number (if used anywhere in flight process), etc.
They draw down credit bureau info, too. Hotel reservations, other transportation details booked through any res system is also fully accessible to them.
Denial = FAIL
How long until Ryanair is hacked by some script kiddy?
The title is required, and must contain letters and/or digits.
Why is anything to do with Ryanair even news any more? Surely anybody stupid enough to use this company should know by now exactly what to expect?
"RYANAIR STOP TREATING CUSTOMERS WITH UTTER CONTEMPT!"
Now THAT would be news.
What the flup is with all the ryanair hostility? Before they came along, Aer Lingus and BA had no qualms what so ever, charging a 700 GBP to fly all the way from Dublin to London. Now you can fly between the 2 cities on a range of airlines for less than the price of a good night out. Thank you Ryanair for doing that.
I flew home last week with Aer Lingus and spent the week before worrying if they would be on strike the day I flew out and spent half my holiday worrying whether they would still be on strike when it was time to fly back.
Ryanair bashing has become the new 'cool by keyboard warriors, but at the end of the day, it just makes the poster come off like a wanker.
As has been pointed out, any changes to the booking require the person to enter the credit card details, which means all the attacker actually gains is the time and flight number the person is flying on, hardly the hack of the century.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Analysis BlackBerry's turnaround relies on a secret weapon: Its own network
- Hire and hold IT staff in 2015: The Reg's how-to guide