back to article Travel booking systems ‘wide open’ to abuse – report

Legacy travel booking systems disclose travellers’ private information, security researchers warn. Travel bookings worldwide are maintained in a handful of Global Distribution Systems (GDS) built around mainframe computers linked to the web but without adequate security controls, say the researchers. “The systems have since …

  1. Anonymous Coward
    Anonymous Coward


    Captchas may help, but it would be lovely if I could use the web without doing piecework for google.

  2. slightly-pedantic

    Scanning boarding cards

    So when wh smiths at the airport requires your boarding card to be scanned they're getting all that info too?

    1. Anonymous Coward
      Anonymous Coward

      Re: Scanning boarding cards

      One of my pet peeves when flying out of the UK - I'm buying a fucking newspaper and you need to scan my boarding pass? Am I getting it tax free?

      I used to argue with them about it and on a couple of occasions they literally refused to let me buy the paper. Now I just let it go to save my blood pressure and because the people who make the policy don't work the tills, but it's a stupid process and seems to be confined to the UK.

      1. DaLo

        Re: Scanning boarding cards

        The reason is that they can claim certain taxes back if you are travelling internationally. It is just to allow them to make some extra money and no other reason, not required by law unless they are selling you duty free goods at a discounted price.

        But, you are right the person on the till is usually just trained to require the boarding pass for every passenger - if more people refused then they would stop the policy.

      2. Anonymous Coward
        Anonymous Coward

        Re: Scanning boarding cards

        What happens if you give them an old BP for some flight that doesn't even leave from that airport?

      3. anothercynic Silver badge

        Re: Scanning boarding cards

        You do realise that you can simply refuse to show your boarding card, right?

        WH Smith has that option on their self-checkouts. It does require the staff member to release your shopping, but I've not once had an argument.

        And no, it's *not* confined to the UK... *any* duty-free shop at *any* airport will do this for anything that has not been taxed yet.

      4. Anonymous Coward
        Anonymous Coward

        Re: Scanning boarding cards

        "One of my pet peeves when flying out of the UK - I'm buying a fucking newspaper and you need to scan my boarding pass? Am I getting it tax free?"

        WH Smug is getting it tax free, and and long as they see your boarding pass, don't have to pay any VAT out of the proceeds.

        They used to do much the same in their domestic outlets by raising the price of cigarettes from 6pm on Budget Day. The new rate of tax only comes into force for orders/deliveries (not sure which) from the manufacturer after that 6pm deadline.

      5. Ian Tunnacliffe

        Re: Scanning boarding cards

        Try again. The message got through eventually. It can be a pain, especially when you use the self-service tills, standing around like a lemon until the assistant comes to swipe his/her card to let you pay for your stuff. But they do come and in the last year at least they have just done it, without asking any stupid questions. I am talking Heathrow and Gatwick here. YMMV at other airports.

    2. Ian Tunnacliffe

      Re: Scanning boarding cards

      Yes. That's why I have never allowed them to do it. You just have to be firm. eg

      "Do you have a boarding pass?"


      "Can I scan it?"


      This sometimes takes them aback slightly but they comply. WH Smith has no basis whatsoever for demanding to see your boarding pass and if you call them out in in they do back off.

  3. Frank Bitterlich

    Just one more time.

    If I have to read any variation of "we take our customer's data security very seriously" just one more time, I think I'm going to puke.

    A friend once told me that the first line of any statement is always the biggest lie in it. I think he has a point.

    "Security is a high priority for us": .. and yet we're keeping your data on centuries-old systems and don't follow security best practices.

    "Thank you for contacting us": ... we're so glad that you called that your call will be taken by someone in India who barely speaks your language.

    "New and improved": *not really new, or improved, but with new and exciting packaging!

  4. Erik4872

    This happens elsewhere too

    Whenever you bolt on an Internet/web connection to an existing environment, someone will eventually figure out that any semi-secret information in the system is no longer secret. This kind of thing isn't new - my electric company allows anyone to add access to my account by knowing the account number, ZIP code and name, all of which can be read directly off a bill thrown in the trash. At 90% of large companies, plugging a machine into the LAN immediately means that machine is "trusted" by most access lists and other barriers. Almost no companies treat their LAN as hostile even in the era of phones, tablets and BYOD.

    A lot of these systems were designed back in the days when only trusted individuals were capable of accessing them. Way back in the day, travel agents were entrusted with paper ticket stock that would allow them to print tickets to any destination, and when ticketing. check-in and boarding were separate things there was a pretty good chance you could show up with a fake ticket at the airport and get on a plane. The record locator is the unique identifier in the database, and the only machines that used to have access to it were terminals at the airport, reservation and travel agent terminals and the GDS itself. None of this was designed in an era where it was even imagined that someone sitting at home could brute-force the record locators and pull everyone's flight data off websites. The airlines along with the banks were some of the first companies to be "networked" in the traditional sense, and this predates the Internet (consumer web, that is) by a long time.

    The question becomes how to solve it. I work in this space (not for a GDS, but very close to the processes.) All of this travel technology at its core is decades old and has huge amounts of dependencies on the core never changing. The cool stuff we see (airline websites, airline mobile apps, kiosks, etc.) is just the top crust talking through layers and layers of abstraction down to a reservation host, mainly in the old-school terminal session based method. Changing any one of those layers is very difficult because it breaks everything riding on top of it. It would have to be something at the web layer, like a CAPTCHA, but it would have to be done in an IATA standard way to make all the airlines adhere to it. The problem is you have to have something universal that acts like a record locator, but isn't available in plain sight or able to be brute-forced. And, it has to be easy -- I can't imagine people wanting to use their passport numbers or other personal identifying information beyond their name, nor do I expect the airlines will jump over an IATA initiative to issue digital certificates to all travelers for use on websites or maintain a central registry of usernames and passwords.

  5. Anonymous Coward
    Anonymous Coward

    And that ..

    .. is why I refuse to leave such juicy details as a pre-registered credit card on such a service.

    They can have my email address - I create an alias for every provider anyway so I can immediately see who has been selling my details, but I avoid creating an account to make it "easy", because their version of "easy" is more focused on marketeers and, as it turns out, any bored hacker who takes a punt so f*ck that. It's not like the benefits add up to much anyway, especially now the really greedy ones offer you the CHANCE to win a lottery ticket, so it's a chance to have a chance, a real hardcore incentive for people who are good at math and probability...

    Does anyone know how far along Elon Musk is with the B Ark? I have some proposals for who to put on it, but this time we keep the telephone sanitisers :).

  6. JaitcH

    GDS - Major Data Source for ALL Intelligence and National Police Services

    The data retained by GDS is accessible, without warrant or other impediments, by all major intelligence agencies and the larger, or national, police entities.

    Many Third Party Res systems run by some notorious on-line travel agents' also have unlimited access. too. This includes several in the USA and a couple in the UK.

    Unbelievably, when the GDS (read > <) were developed by the airlines, there were few checks - everything was based upon 'trust'. After all, these systems were subsets of airlines.

    Then they started interconnecting and do bookings for Third Parties and ticketing commission was viewed as potential compensation for the costs of running these systems. To avoid claims of conflict-of-interest the systems were hived off from the carriers but still based on 'gentleman's agreements'.

    Gentlemen's agreements are defined in Wikipedia as: "A gentlemen's agreement or gentleman's agreement is an informal and legally non-binding agreement between two or more parties. It is typically oral, though it may be written, or simply understood as part of an unspoken agreement by convention or through mutually beneficial etiquette. The essence of a gentlemen's agreement is that it relies upon the honor of the parties for its fulfillment, rather than being in any way enforceable. It is, therefore, distinct from a legal agreement or contract, which can be enforced if necessary.'

    In fact, the airlines/carriers relied upon these former carrier entities to do their ticket accounting!

    The GDS/CRS systems used to deduct their 'cut', aka commission, from the money they paid to the airlines. From this 'cut' they would pay commissions to user travel agents.

    When the airline business was stressed, the airlines started to use software to ensure that the GDS/CRS commissions were credited when tickets and - surprise, surprise - the airlines discovered they were being bilked for hundreds of millions of US Dollars (the currency upon which the back-end of the travel industry is based).

    The carriers, after wrestling multi-million refunds from the GDS/CRS, then implemented stricter ticket accounting systems.

    Meanwhile down at the Travel Agent level, many discovered they could earn 'points', 'credits', 'awards' by ticketing through GDS/GRS. As the Agency accounting was still done by the GDS/CRS, the TA's (Travel Agents) were able to scam the Res systems because of their weak accounting software by booking travel for fictitious PAX (passengers).

    These 'ghost bookings' were cancelled and the TA's still earned their benefits! Scammers scamming the other scammers.

    Around this time, about 15 years ago, I was involved in developing/installing Agency automation so that the Agents became as technologically advanced as the rest of the ticketing system.

    Our software revealed that Agencies were getting ripped off by the GDS/CRS by way of omitted ticketing credits.

    I believe in transparency and a trade paper was alerted to this fraud. A court case filed by a GDS/CRS based in Chicago, and founded by United Airlines, sued a Toronto Travel Agency and, as a sidebar, obtained an Order from the court that prohibited me from revealing what I knew about GDS/CRS scams - effective only to the 12-mile limit surrounding Canada. I no longer live in Canada.

    The case was settled on agreed terms and SEALED. As a Petty to the proceedings I was entitled to documents which can be found on the InterNet.

    As for 'main frame', perhaps someone could explain how a hundred or so PCs in Denver, Colorado, on which a GDS/CRS was using as a central system meets the definition.

    For security and most privacy, out of Amadeus, Galileo, Sabre or Worldspan (they use many other names, too) I ONLY use AMADEUS which is based in Madrid and therefore the EU data rules. They have central sites in Madrid (Corporate Headquarters & Marketing), Nice (Development) and Erding (Operations).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Voicemail phishing emails steal Microsoft credentials
    As always, check that O365 login page is actually O365

    Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

    This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.

    This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Zscaler bulks up AI, cloud, IoT in its zero-trust systems
    Focus emerges on workload security during its Zenith 2022 shindig

    Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.

    Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.

    In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.

    Continue reading
  • Beijing probes security at academic journal database
    It's easy to see why – the question is, why now?

    China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

    In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

    Continue reading
  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Heineken says there’s no free beer, warns of phishing scam
    WhatsApp messages possibly the worst Father's Day present in the world

    There's no such thing as free beer for Father's Day — at least not from Heineken. The brewing giant confirmed that a contest circulating on WhatsApp, which promises a chance to win one of 5,000 coolers full of green-bottled lager, is a frothy fraud.

    "This is a scam. Thank you for highlighting it to us. Please don't click on links or forward any messages. Many thanks," the beermaker said in a tweet.

    The phony WhatsApp giveaway includes an image of a cooler of 18 Heinekens and a link to a website purporting to run the giveaway. That page asks visitors vying to bag free booze for their personal information, such as names, email addresses, and phone numbers, which is all collected by miscreants.

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading

Biting the hand that feeds IT © 1998–2022