Flight booking systems lack basic anti-hacking safeguards, researchers warn

Major travel booking systems lack a proper way to authenticate air travellers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned on Tuesday.

Passenger Name Records (PNR) are used to store reservations with links to a traveller’s name, travel dates, itinerary, ticket details, phone and email contacts, travel agent, credit card numbers, seat number and baggage information.

The six-digit codes act as pincodes for locating travel records, albeit with vital differences that make them highly insecure compared with even the simple usernames and passwords that consumers use to access email or websites, the researchers said.

The world’s three major global distribution systems (GDS) - Amadeus, Sabre and Travelport - manage a majority of travel reservations but face growing competition from airlines and corporate travel and online booking sites.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” researchers at Berlin-based Security Research Labs said in a statement.