Changing Other People's Flight Bookings Is Too Easy

“The security of online travel booking systems are stuck in the 1990s, according to security researchers,” reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also “woefully insecure”:
This allows attackers to easily modify other people’s reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem… They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg.

The three major Global Distribution Systems operators…store Passenger Name Records for hundreds of millions of travelers at any given time. Any data added or modification made to a booking is stored in their systems and all that’s required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip… The booking code itself is far from secret. It’s printed on luggage tags that most people throw away after each flight — even if their entire trip has not concluded yet — and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

Read more of this story at Slashdot.