Skip to main content

Tampering a flight reservation

In this post, I would like to tackle a day to day problem of airplane travelers – booking security.

The story began a few days ago when my friend airplane reservation was canceled by the agency that bought the airplane tickets. The request was made to the agency because my friend was too lazy to access the airplane website and cancel the ticket.
I question that pop-up in my mind was related to who are the entities and groups that have the right to cancel or to do changes on airplane reservations. I started to research this topic to find out what are the tools and mechanisms that can ensure us that we can secure our reservation from 3rd parties that could do changes on our ticket without our approval.

I started from the ground using an existing reservation that I had for a business trip in the US. Each airplane reservation has 3 piece of information that enables you to manage your booking
(1) Name – The traveler name
(2) Booking reference– An alpha-numeric code used to identify a booking
(3) Ticket number - No of the ticket that contains 13 digits

This information is called in the industry PNR (Passenger Name Record) and can contain more than the above data. If you book a car or a hotel, this information also can be found inside it. This data is available starting from the moment when you do a reservation and is available for a certain period after you do the trip.
Once you have the booking reference you can visit the airline website and see details about your trip. As long as the data are only for display, this would not be such a big concern. Even if it is private information, you could live with it; it is not the end of the world.

From the airline website, you can do more than just taking a look at the booking information. You can do any changes to the booking,  even canceling the reservation.

STOP! Wait a minute! 

Does it means that if I can put my hand on the booking reference and the traveler name I can cancel his reservation?

Ohhh YES, big time.

The biggest problem is that on many airline websites, once you cancel a trip, you cannot undo the cancellation. You need to call the airline, wait for a few hours on the phone until you can talk with somebody from the support that it is not a robot and look for help. If you are too late, you can end up buying a new ticket.
There were cases when people booking was modified and only during the check-in, they found out that the final destination was different from what it was in the initial phase.
I was surprised not to find any additional step before a trip is canceled or modified. Yes, in general airlines are sending an email that notifies the passager that the trip was canceled. Because of the high no of spam email, there are pretty big chances that you will miss it. Let's say that you are on holidays and you don't check the email.
More funny is that using the booking reference and the person name you can even call the airline and do changes on the ticket. Except for the name, the date of birth is known by the airline company.

More digging  
I started to discuss with a few airlines carries over the phone and Twitter to find out what are my options and what can I do to secure the booking a little more. I was surprised to find out that in general, you don’t have any additional security steps that you can enable.
Some airlines are allowing you to set a secret pass that is asked if you call them to change the reservation, but online you can do changes on any booking (in most of the cases). There are some exceptions from this rule, but there are some isolated cases.
The current system is allowing us very easily to tamper a flight reservation. Their current system is not only outdated but expose sensitive data to any person that knows the booking reference and your name.

How did this happen?
All airlines and travel agency needs to be able to communicate with each other related to booking information. It is required in the context of agencies that book our flights or when we have a long flight with multiple connections with different carriers.
The backend system is based on GDS (Global Distribution System) that enables transactions between airlines and the rest of ecosystem (travel agency, car rental companies and so on). On top of this, many services enable us to track our flight and bookings that are build on top of GDS.
The system is powerful, but it was not designed around security. It enables different parties to exchange data, and it is used by all the industry. Doing any changes to the system takes a year, requiring all 3rd parties to update their system, integrate new security protocol and so on.
History: GDS was initially designed in 1960 and updated in 1970 to support B2B communication.

There are many other solutions that you can think and imagine, but now we have GDS that is a legacy system used at a global scale. Changing the API or behavior is expensive and slow. Even if there are only 3 big vendors (Amadeus, Sabre, and Travelport), the complexity of any change is high and updating all the system involved is a time-consuming process. Backward compatibility is important.

 Could we have a hotfix? 
It is possible to image one, but without understanding the business domain and the complexity, it’s just an opinion and nothing more.
A ‘simple’ hotfix that was already implemented by some airlines is to send a confirmation email or SMS that required the owner to confirm the change or the cancellation. The main idea is good, but what happens when the booking is done by an agency, that does not have the passager email or phone? They will use their email; it means that only the agency can do changes on the ticket.
Another case is when the agency has the traveler email and provide both emails (passager and agency). Does the confirmation is required from both parties or only one? What will be the master email? There are so many narrows cases that need to be covered, that is pretty hard to find a hotfix that will work on the most scenarios.

I would prefer to be able to set a passcode that would force that any changes on the ticket to be done from the carrier website only where passcode would be required. The problem is related to the booking information. The booking information does not contain any personal information except name, nationality, and date of birth. Meaning that if I would call the support to set a passcode, how they would identify me? Based on what information? The solution might work only for situations when you book the ticket directly from the carrier website, and you set the passcode when you book the ticket. Another questions pop-up – How you could reset the passcode if you would forget it?

You see, even if the initial problem was simple and funny, the solutions are not so simple. Of course, we could find a solution, but the problem is more complicated than we think.

Story - Round-trip cancellation 
Note: At the end of the post you can find a list of tips that could help you to avoid such situations, but before it, I would like to share with you a case where almost all of us are exposed.

Imagine that you go on holiday in the UK for 2 weeks. When you arrive at the airport, you drop your baggage and go to the security control. You leave your ticket inside the security box, and the person behind you will do a photo of your ticket.
The ticket already contains the booking reference number of the ticket number together with your name. It is more than enough for any person to access your booking and modify it. Let’s say that he cancel your ticket for return. Are you on holiday right? So you don’t check your emails… until the last day when you want to check-in when… surprise… your trip was canceled. Enjoy the time that you will spend on the phone with the support line. In the worst case, you will have to pay for a new ticket. Moreover, remember, it is not the airline fault.
In my last trip, at the security queue I was able to see at least 2 tickets that I could ‘hack.’

This is not an imaginary story. Try to bing it on Google, and you’ll find many situations like this. The internet is full of this kind of stories.

Below you can find some tips that could help us to avoid situations like this:

  1. Don’t share the booking information with anybody else 
  2. Register your email to your booking; it enables you to get notifications when changes are done on your ticket 
  3. Try to keep the ticket hidden from other people (don’t leave your ticket on the table when you are at the business lounge) 
  4. Never share the photo of your ticket on social media 

The main general rule is to keep your booking information as safe as possible and when you see any changes on your reservation call the airline as soon as possible. They will give their best to help you.


Popular posts from this blog

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine:
threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration:

TeamCity.NET 4.51EF 6.0.2VS2013
It seems that there …

Entity Framework (EF) TransactionScope vs Database.BeginTransaction

In today blog post we will talk a little about a new feature that is available on EF6+ related to Transactions.
Until now, when we had to use transaction we used ‘TransactionScope’. It works great and I would say that is something that is now in our blood.
using (var scope = new TransactionScope(TransactionScopeOption.Required)) { using (SqlConnection conn = new SqlConnection("...")) { conn.Open(); SqlCommand sqlCommand = new SqlCommand(); sqlCommand.Connection = conn; sqlCommand.CommandText = ... sqlCommand.ExecuteNonQuery(); ... } scope.Complete(); } Starting with EF6.0 we have a new way to work with transactions. The new approach is based on Database.BeginTransaction(), Database.Rollback(), Database.Commit(). Yes, no more TransactionScope.
In the followi…

GET call of REST API that contains '/'-slash character in the value of a parameter

Let’s assume that we have the following scenario: I have a public HTTP endpoint and I need to post some content using GET command. One of the parameters contains special characters like “\” and “/”. If the endpoint is an ApiController than you may have problems if you encode the parameter using the http encoder.
using (var httpClient = new HttpClient()) { httpClient.BaseAddress = baseUrl; Task<HttpResponseMessage> response = httpClient.GetAsync(string.Format("api/foo/{0}", "qwert/qwerqwer"))); response.Wait(); response.Result.EnsureSuccessStatusCode(); } One possible solution would be to encode the query parameter using UrlTokenEncode method of HttpServerUtility class and GetBytes method ofUTF8. In this way you would get the array of bytes of the parameter and encode them as a url token.
The following code show to you how you could write the encode and decode methods.