Reply to post: This happens elsewhere too

Travel booking systems ‘wide open’ to abuse – report


This happens elsewhere too

Whenever you bolt on an Internet/web connection to an existing environment, someone will eventually figure out that any semi-secret information in the system is no longer secret. This kind of thing isn't new - my electric company allows anyone to add access to my account by knowing the account number, ZIP code and name, all of which can be read directly off a bill thrown in the trash. At 90% of large companies, plugging a machine into the LAN immediately means that machine is "trusted" by most access lists and other barriers. Almost no companies treat their LAN as hostile even in the era of phones, tablets and BYOD.

A lot of these systems were designed back in the days when only trusted individuals were capable of accessing them. Way back in the day, travel agents were entrusted with paper ticket stock that would allow them to print tickets to any destination, and when ticketing. check-in and boarding were separate things there was a pretty good chance you could show up with a fake ticket at the airport and get on a plane. The record locator is the unique identifier in the database, and the only machines that used to have access to it were terminals at the airport, reservation and travel agent terminals and the GDS itself. None of this was designed in an era where it was even imagined that someone sitting at home could brute-force the record locators and pull everyone's flight data off websites. The airlines along with the banks were some of the first companies to be "networked" in the traditional sense, and this predates the Internet (consumer web, that is) by a long time.

The question becomes how to solve it. I work in this space (not for a GDS, but very close to the processes.) All of this travel technology at its core is decades old and has huge amounts of dependencies on the core never changing. The cool stuff we see (airline websites, airline mobile apps, kiosks, etc.) is just the top crust talking through layers and layers of abstraction down to a reservation host, mainly in the old-school terminal session based method. Changing any one of those layers is very difficult because it breaks everything riding on top of it. It would have to be something at the web layer, like a CAPTCHA, but it would have to be done in an IATA standard way to make all the airlines adhere to it. The problem is you have to have something universal that acts like a record locator, but isn't available in plain sight or able to be brute-forced. And, it has to be easy -- I can't imagine people wanting to use their passport numbers or other personal identifying information beyond their name, nor do I expect the airlines will jump over an IATA initiative to issue digital certificates to all travelers for use on websites or maintain a central registry of usernames and passwords.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019