Travel bookings worldwide are maintained in a handful of systems. The three largest Global Distributed Systems (GDS) Amadeus, Sabre, and Travelport administer more than 90% of flight reservations as well as numerous hotel, car, and other travel bookings.
Today’s GDSs go back to the 70s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.
The most important security feature lacking from all three GDSs is a proper way to authenticate travelers. While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.
The authenticator is printed on boarding passes and luggage tags. Any person able to find or take a photo of the pass or tag can access the traveler’s information – including e-mail address and phone number – through the GDS’s or airline’s web site.
Traveler information is also at risk to online hacking because authenticators are brute-forceable. The way 6-digit booking codes are chosen makes them weaker than a 5-digit password (<28.5 bits), which would be considered insecure for most applications. Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their booking codes can be found over the Internet with little effort.
Given a passenger’s booking code, an intruder can:
Global booking systems have pioneered many technologies including Cloud computing. Now is the time to add security best practices that other Cloud users have long taken for granted.
In the short-term, all web sites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.
In the mid-term, traveler bookings need to be secured with proper authentication, at the very least with a changeable password.