Travel without notes
Booking a hotel and buying tickets online threatens to leak confidential information
Three large companies, the Global Distribution Systems (GDS) Sabre, Amadeus, and Travelport, handle travel bookings around the world and control more than 90% of reservations for air tickets, hotels and other travel services. What the three systems have in common is that none of them has an effective system of user authentication.
Today's GDS continue to operate on mainframes and leased lines built in the 70s and 80s. Meanwhile, globalization is gaining momentum and the systems are intertwined with web services, yet there is still a shortage of truly effective security tools on the Internet.
Weak user identification
While a huge number of Internet users worry about weaknesses in security systems, the GDS consider their authentication to be perfect. In their opinion, the six-character alphanumeric booking code is convenient and has proven itself, and it is what is used to access and change travelers' information.
However, advocates of this approach miss the fact that the authenticator is printed on boarding passes and baggage tags. This means that anyone who happens to find or photograph a ticket can access the traveler's information, including the email address, phone number and even home address, through the website of the GDS or the airline.
Unreliable web services
According to experts, the six-character booking code is even less reliable than a five-character password, which is considered unsafe in most applications. It is also dangerous that the systems assign reservation codes sequentially, which allows an attacker to determine them faster. Finally, many travel booking systems allow thousands of codes to be checked from a single IP address. As a result, anyone who knows passengers' names can find their booking codes over the web without much effort.
Opportunities for abuse
Knowing the code, the scammer can:
- Invade the privacy of travelers.
- Redirect miles.
- Conduct a phishing attack.
Solutions
In the future, all websites that allow access to travelers' records must have protection against brute-force attacks in the form of CAPTCHAs and limits on retries from the same IP address.
And in the near future, passenger bookings should be protected by a proper check of the passenger's identity, at least with a changeable password.
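A sketch of the per-IP retry restriction with a CAPTCHA step proposed above, added here as an illustration and not taken from any GDS or airline system. The class name, thresholds and sample events are assumptions.

```python
import time
from collections import deque

class LookupGuard:
    """Throttle booking-code lookups per client IP (thresholds are assumptions)."""

    def __init__(self, captcha_after=3, block_after=10, window=3600.0):
        self.captcha_after = captcha_after  # failures before a CAPTCHA is required
        self.block_after = block_after      # failures before lookups are refused
        self.window = window                # seconds a failure stays on record
        self._failures = {}                 # ip -> deque of failure timestamps

    def _recent(self, ip, now):
        q = self._failures.get(ip)
        if q is None:
            return 0
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop failures older than the window
        if not q:
            del self._failures[ip]          # keep the table from growing forever
        return len(q)

    def decide(self, ip, now=None):
        """Return 'allow', 'captcha' or 'block' for the next lookup from ip."""
        now = time.monotonic() if now is None else now
        n = self._recent(ip, now)
        if n >= self.block_after:
            return "block"
        return "captcha" if n >= self.captcha_after else "allow"

    def record(self, ip, success, now=None):
        """Log a lookup outcome. A success does not clear earlier failures,
        so mixing in one known-good code cannot reset the counter."""
        if not success:
            now = time.monotonic() if now is None else now
            self._failures.setdefault(ip, deque()).append(now)

def replay(events, guard):
    """Replay (time, ip, success) tuples and return the decision made for each."""
    decisions = []
    for t, ip, success in events:
        verdict = guard.decide(ip, t)
        decisions.append(verdict)
        if verdict != "block":              # blocked requests never reach the lookup
            guard.record(ip, success, t)    # sample assumes any CAPTCHA was solved
    return decisions

# Constructed sample: one client guessing codes, one traveler with a typo.
SAMPLE = [(i, "203.0.113.7", False) for i in range(12)] + \
         [(20, "198.51.100.4", False), (25, "198.51.100.4", True)]
```

Replaying `SAMPLE` shows the guessing client escalated from CAPTCHA to a block while the traveler who mistyped once is never challenged.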