back to article Travel booking systems ‘wide open’ to abuse – report

Legacy travel booking systems disclose travellers’ private information, security researchers warn. Travel bookings worldwide are maintained in a handful of Global Distributed Systems (GDS) built around mainframe computers linked to the web but without adequate security controls, say the researchers. “The systems have since …

  1. Anonymous Coward
    Anonymous Coward

    Optional

    Captchas may help, but it would be lovely if I could use the web without doing piecework for google.

  2. slightly-pedantic

    Scanning boarding cards

    So when wh smiths at the airport requires your boarding card to be scanned they're getting all that info too?

    1. Anonymous Coward
      Anonymous Coward

      Re: Scanning boarding cards

      One of my pet peeves when flying out of the UK - I'm buying a fucking newspaper and you need to scan my boarding pass? Am I getting it tax free?

      I used to argue with them about it and on a couple of occasions they literally refused to let me buy the paper. Now I just let it go to save my blood pressure and because the people who make the policy don't work the tills, but it's a stupid process and seems to be confined to the UK.

      1. DaLo

        Re: Scanning boarding cards

        The reason is that they can claim certain taxes back if you are travelling internationally. It is just to allow them to make some extra money and no other reason, not required by law unless they are selling you duty free goods at a discounted price.

        But, you are right the person on the till is usually just trained to require the boarding pass for every passenger - if more people refused then they would stop the policy.

      2. Anonymous Coward
        Anonymous Coward

        Re: Scanning boarding cards

        What happens if you give them an old BP for some flight that doesn't even leave from that airport?

      3. anothercynic Silver badge

        Re: Scanning boarding cards

        You do realise that you can simply refuse to show your boarding card, right?

        WH Smith has that option on their self-checkouts. It does require the staff member to release your shopping, but I've not once had an argument.

        And no, it's *not* confined to the UK... *any* duty-free shop at *any* airport will do this for anything that has not been taxed yet.

      4. Anonymous Coward
        Anonymous Coward

        Re: Scanning boarding cards

        "One of my pet peeves when flying out of the UK - I'm buying a fucking newspaper and you need to scan my boarding pass? Am I getting it tax free?"

        WH Smug is getting it tax free, and and long as they see your boarding pass, don't have to pay any VAT out of the proceeds.

        They used to do much the same in their domestic outlets by raising the price of cigarettes from 6pm on Budget Day. The new rate of tax only comes into force for orders/deliveries (not sure which) from the manufacturer after that 6pm deadline.

      5. Ian Tunnacliffe

        Re: Scanning boarding cards

        Try again. The message got through eventually. It can be a pain, especially when you use the self-service tills, standing around like a lemon until the assistant comes to swipe his/her card to let you pay for your stuff. But they do come and in the last year at least they have just done it, without asking any stupid questions. I am talking Heathrow and Gatwick here. YMMV at other airports.

    2. Ian Tunnacliffe

      Re: Scanning boarding cards

      Yes. That's why I have never allowed them to do it. You just have to be firm. eg

      "Do you have a boarding pass?"

      "Yes"

      "Can I scan it?"

      "No"

      This sometimes takes them aback slightly but they comply. WH Smith has no basis whatsoever for demanding to see your boarding pass and if you call them out in in they do back off.

  3. Frank Bitterlich
    Mushroom

    Just one more time.

    If I have to read any variation of "we take our customer's data security very seriously" just one more time, I think I'm going to puke.

    A friend once told me that the first line of any statement is always the biggest lie in it. I think he has a point.

    "Security is a high priority for us": .. and yet we're keeping your data on centuries-old systems and don't follow security best practices.

    "Thank you for contacting us": ... we're so glad that you called that your call will be taken by someone in India who barely speaks your language.

    "New and improved": *not really new, or improved, but with new and exciting packaging!

  4. Erik4872

    This happens elsewhere too

    Whenever you bolt on an Internet/web connection to an existing environment, someone will eventually figure out that any semi-secret information in the system is no longer secret. This kind of thing isn't new - my electric company allows anyone to add access to my account by knowing the account number, ZIP code and name, all of which can be read directly off a bill thrown in the trash. At 90% of large companies, plugging a machine into the LAN immediately means that machine is "trusted" by most access lists and other barriers. Almost no companies treat their LAN as hostile even in the era of phones, tablets and BYOD.

    A lot of these systems were designed back in the days when only trusted individuals were capable of accessing them. Way back in the day, travel agents were entrusted with paper ticket stock that would allow them to print tickets to any destination, and when ticketing. check-in and boarding were separate things there was a pretty good chance you could show up with a fake ticket at the airport and get on a plane. The record locator is the unique identifier in the database, and the only machines that used to have access to it were terminals at the airport, reservation and travel agent terminals and the GDS itself. None of this was designed in an era where it was even imagined that someone sitting at home could brute-force the record locators and pull everyone's flight data off websites. The airlines along with the banks were some of the first companies to be "networked" in the traditional sense, and this predates the Internet (consumer web, that is) by a long time.

    The question becomes how to solve it. I work in this space (not for a GDS, but very close to the processes.) All of this travel technology at its core is decades old and has huge amounts of dependencies on the core never changing. The cool stuff we see (airline websites, airline mobile apps, kiosks, etc.) is just the top crust talking through layers and layers of abstraction down to a reservation host, mainly in the old-school terminal session based method. Changing any one of those layers is very difficult because it breaks everything riding on top of it. It would have to be something at the web layer, like a CAPTCHA, but it would have to be done in an IATA standard way to make all the airlines adhere to it. The problem is you have to have something universal that acts like a record locator, but isn't available in plain sight or able to be brute-forced. And, it has to be easy -- I can't imagine people wanting to use their passport numbers or other personal identifying information beyond their name, nor do I expect the airlines will jump over an IATA initiative to issue digital certificates to all travelers for use on websites or maintain a central registry of usernames and passwords.

  5. Anonymous Coward
    Anonymous Coward

    And that ..

    .. is why I refuse to leave such juicy details as a pre-registered credit card on such a service.

    They can have my email address - I create an alias for every provider anyway so I can immediately see who has been selling my details, but I avoid creating an account to make it "easy", because their version of "easy" is more focused on marketeers and, as it turns out, any bored hacker who takes a punt so f*ck that. It's not like the benefits add up to much anyway, especially now the really greedy ones offer you the CHANCE to win a lottery ticket, so it's a chance to have a chance, a real hardcore incentive for people who are good at math and probability...

    Does anyone know how far along Elon Musk is with the B Ark? I have some proposals for who to put on it, but this time we keep the telephone sanitisers :).

  6. JaitcH
    Unhappy

    GDS - Major Data Source for ALL Intelligence and National Police Services

    The data retained by GDS is accessible, without warrant or other impediments, by all major intelligence agencies and the larger, or national, police entities.

    Many Third Party Res systems run by some notorious on-line travel agents' also have unlimited access. too. This includes several in the USA and a couple in the UK.

    Unbelievably, when the GDS (read > https://en.wikipedia.org/wiki/Global_Distribution_System <) were developed by the airlines, there were few checks - everything was based upon 'trust'. After all, these systems were subsets of airlines.

    Then they started interconnecting and do bookings for Third Parties and ticketing commission was viewed as potential compensation for the costs of running these systems. To avoid claims of conflict-of-interest the systems were hived off from the carriers but still based on 'gentleman's agreements'.

    Gentlemen's agreements are defined in Wikipedia as: "A gentlemen's agreement or gentleman's agreement is an informal and legally non-binding agreement between two or more parties. It is typically oral, though it may be written, or simply understood as part of an unspoken agreement by convention or through mutually beneficial etiquette. The essence of a gentlemen's agreement is that it relies upon the honor of the parties for its fulfillment, rather than being in any way enforceable. It is, therefore, distinct from a legal agreement or contract, which can be enforced if necessary.'

    In fact, the airlines/carriers relied upon these former carrier entities to do their ticket accounting!

    The GDS/CRS systems used to deduct their 'cut', aka commission, from the money they paid to the airlines. From this 'cut' they would pay commissions to user travel agents.

    When the airline business was stressed, the airlines started to use software to ensure that the GDS/CRS commissions were credited when tickets and - surprise, surprise - the airlines discovered they were being bilked for hundreds of millions of US Dollars (the currency upon which the back-end of the travel industry is based).

    The carriers, after wrestling multi-million refunds from the GDS/CRS, then implemented stricter ticket accounting systems.

    Meanwhile down at the Travel Agent level, many discovered they could earn 'points', 'credits', 'awards' by ticketing through GDS/GRS. As the Agency accounting was still done by the GDS/CRS, the TA's (Travel Agents) were able to scam the Res systems because of their weak accounting software by booking travel for fictitious PAX (passengers).

    These 'ghost bookings' were cancelled and the TA's still earned their benefits! Scammers scamming the other scammers.

    Around this time, about 15 years ago, I was involved in developing/installing Agency automation so that the Agents became as technologically advanced as the rest of the ticketing system.

    Our software revealed that Agencies were getting ripped off by the GDS/CRS by way of omitted ticketing credits.

    I believe in transparency and a trade paper was alerted to this fraud. A court case filed by a GDS/CRS based in Chicago, and founded by United Airlines, sued a Toronto Travel Agency and, as a sidebar, obtained an Order from the court that prohibited me from revealing what I knew about GDS/CRS scams - effective only to the 12-mile limit surrounding Canada. I no longer live in Canada.

    The case was settled on agreed terms and SEALED. As a Petty to the proceedings I was entitled to documents which can be found on the InterNet.

    As for 'main frame', perhaps someone could explain how a hundred or so PCs in Denver, Colorado, on which a GDS/CRS was using as a central system meets the definition.

    For security and most privacy, out of Amadeus, Galileo, Sabre or Worldspan (they use many other names, too) I ONLY use AMADEUS which is based in Madrid and therefore the EU data rules. They have central sites in Madrid (Corporate Headquarters & Marketing), Nice (Development) and Erding (Operations).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019