Back to news

Travel without notes

14.04.2017 | 16:14

Travel without notes

Booking a hotel and buying tickets online threatens to leak confidential information

Three large companies - Global Distributed Systems (GDS) - Saber, Amadeus, and Travelport are now engaged in booking trips around the world, which control more than 90% of the reservation of air tickets, hotels and other tourist trips. But these three systems unite that in each of them there is no effective system of user authentication.
Today's GDS continues to operate on mainframes and leased lines built in the 70's and 80's. However, globalization is gaining momentum, systems are intertwined with web services, but there is still a shortage of truly effective security tools on the Internet.

Weak user identification

While a huge audience of users of the worldwide network is concerned about finding weaknesses in the security system, GDS considers its authentication to be perfect. In their opinion, the 6-digit alphanumeric booking code is convenient, justifies itself and is used to access and change the information of travelers.
However, the advocates of the service miss the fact that the authenticator is printed on boarding passes and baggage tags. And this means that any person who has the opportunity to accidentally find, or photograph a ticket, can access the information of the traveler, including the email address, phone number and even home address through the website of GDS or the airline.

Unreliable web services

According to experts, the six-digit armor code makes it even more unreliable than a five-digit password, which is considered unsafe in most applications. It is also dangerous that the systems assign reservation codes consistently, which allows an attacker to define them faster. Finally, many travel booking systems allow you to check thousands of codes from a single IP address. And, knowing the names of passengers, the codes of their armor can be found on the World Wide Web without much effort.

Opportunities for abuse

Knowing the code, the scammer can:

  • Invade the privacy of travelers.
  • Redirect miles.
  • Conduct a phishing attack.


In the future, all websites that allow access to traveler's records must have protection against rough intrusion in the form of Captchas and restrictions on the retries of data entry from the same IP address.
Well and in the near future the booking of passengers should be provided with a proper check on the identity of the passenger, at least with a variable password.
Back to news

Call me