
Tampering a flight reservation

In this post, I would like to tackle a day-to-day problem of airplane travelers – booking security.

Epilogue
The story began a few days ago when my friend's airplane reservation was canceled by the agency that bought the airplane tickets. The request was made to the agency because my friend was too lazy to access the airline website and cancel the ticket.
A question that popped up in my mind was which entities and groups have the right to cancel or change airplane reservations. I started to research this topic to find out what tools and mechanisms can secure our reservation from 3rd parties that could change our ticket without our approval.

Research 
I started from the ground using an existing reservation that I had for a business trip in the US. Each airplane reservation has 3 pieces of information that enable you to manage your booking:
(1) Name - The traveler's name
(2) Booking reference - An alphanumeric code used to identify a booking
(3) Ticket number - The number of the ticket, which contains 13 digits

In the industry, this information is called a PNR (Passenger Name Record), and it can contain more than the above data. If you book a car or a hotel, that information can also be found inside it. This data is available from the moment you make a reservation and remains available for a certain period after the trip.
Once you have the booking reference you can visit the airline website and see details about your trip. As long as the data are only for display, this would not be such a big concern. Even if it is private information, you could live with it; it is not the end of the world.

From the airline website, you can do more than just look at the booking information. You can make any change to the booking, even cancel the reservation.

STOP! Wait a minute! 

Does it mean that if I can get my hands on the booking reference and the traveler's name, I can cancel his reservation?

Ohhh YES, big time.

The biggest problem is that on many airline websites, once you cancel a trip, you cannot undo the cancellation. You need to call the airline, wait for a few hours on the phone until you can talk with somebody from support who is not a robot, and ask for help. If you are too late, you can end up buying a new ticket.
There were cases when people's bookings were modified, and only during check-in did they find out that the final destination was different from the one they had initially booked.
I was surprised not to find any additional step before a trip is canceled or modified. Yes, in general airlines send an email that notifies the passenger that the trip was canceled. Because of the high number of spam emails, there is a pretty big chance that you will miss it. Let's say that you are on holiday and you don't check your email.
Even funnier is that, using the booking reference and the person's name, you can even call the airline and make changes to the ticket. Apart from the name, the date of birth is known by the airline company.

More digging  
I started to talk with a few airline carriers over the phone and Twitter to find out what my options are and what I can do to secure the booking a little more. I was surprised to find out that, in general, you don't have any additional security steps that you can enable.
Some airlines allow you to set a secret pass that is asked for if you call them to change the reservation, but online you can make changes to any booking (in most cases). There are some exceptions to this rule, but these are isolated cases.
The current system makes it very easy to tamper with a flight reservation. It is not only outdated but also exposes sensitive data to any person who knows the booking reference and your name.

How did this happen?
All airlines and travel agencies need to be able to communicate with each other about booking information. This is required when agencies book our flights or when we have a long flight with multiple connections on different carriers.
The backend system is based on GDS (Global Distribution System), which enables transactions between airlines and the rest of the ecosystem (travel agencies, car rental companies and so on). On top of this, many services that let us track our flights and bookings are built on top of GDS.
The system is powerful, but it was not designed around security. It enables different parties to exchange data, and it is used by the whole industry. Making any change to the system takes a year, requiring all 3rd parties to update their systems, integrate the new security protocol and so on.
History: GDS was initially designed in 1960 and updated in 1970 to support B2B communication.

There are many other solutions that you can think of and imagine, but for now we have GDS, a legacy system used at a global scale. Changing the API or behavior is expensive and slow. Even if there are only 3 big vendors (Amadeus, Sabre, and Travelport), the complexity of any change is high, and updating all the systems involved is a time-consuming process. Backward compatibility is important.

 Could we have a hotfix? 
It is possible to imagine one, but without understanding the business domain and the complexity, it's just an opinion and nothing more.
A 'simple' hotfix that was already implemented by some airlines is to send a confirmation email or SMS that requires the owner to confirm the change or the cancellation. The main idea is good, but what happens when the booking is made by an agency that does not have the passenger's email or phone? They will use their own email, which means that only the agency can make changes to the ticket.
Another case is when the agency has the traveler's email and provides both emails (passenger and agency). Is the confirmation required from both parties or only one? Which will be the master email? There are so many corner cases that need to be covered that it is pretty hard to find a hotfix that will work in most scenarios.
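The confirmation step described above, modelled in Python as an added example (not code from the original post or from any airline or GDS). The names `Booking`, `request_cancel`, `confirm_cancel` and the `"any"`/`"all"` policy are hypothetical, and the sample booking is constructed; the policy field makes the "one party or both?" question explicit.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Booking:
    name: str
    reference: str          # printed on the ticket, so not a secret
    contacts: list          # e-mail addresses registered on the booking
    policy: str = "any"     # "any": one contact confirms; "all": every contact must
    status: str = "active"
    pending: dict = field(default_factory=dict)  # contact -> sha256(token)


def request_cancel(booking, name, reference):
    """Name + reference only opens a pending request; the booking is unchanged."""
    if (name, reference) != (booking.name, booking.reference):
        raise PermissionError("unknown booking")
    outbox = {}
    for contact in booking.contacts:
        token = secrets.token_urlsafe(16)
        booking.pending[contact] = hashlib.sha256(token.encode()).hexdigest()
        outbox[contact] = token  # delivered by e-mail/SMS, never shown to the requester
    return outbox


def confirm_cancel(booking, contact, token):
    """Cancel only once the confirmations required by the policy have arrived."""
    expected = booking.pending.get(contact)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, digest):
        return booking.status  # wrong, unknown or already-used token: no effect
    del booking.pending[contact]
    if booking.policy == "any" or not booking.pending:
        booking.pending.clear()
        booking.status = "cancelled"
    return booking.status


if __name__ == "__main__":
    # Constructed sample: an agency booking that carries both e-mail addresses.
    b = Booking("DOE/JANE", "ABC123", ["jane@example.com", "agency@example.com"], "all")
    mail = request_cancel(b, "DOE/JANE", "ABC123")
    print(b.status)
    print(confirm_cancel(b, "agency@example.com", mail["agency@example.com"]))
    print(confirm_cancel(b, "jane@example.com", mail["jane@example.com"]))
```

In this model a booking that holds only the agency's address still leaves the traveler out of the confirmation, which is the gap the paragraph above points to.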

I would prefer to be able to set a passcode that would force any change to the ticket to be made only from the carrier's website, where the passcode would be required. The problem is related to the booking information. The booking information does not contain any personal information except name, nationality, and date of birth. This means that if I called support to set a passcode, how would they identify me? Based on what information? The solution might work only for situations when you book the ticket directly from the carrier's website and you set the passcode when you book the ticket. Another question pops up – how could you reset the passcode if you forgot it?

You see, even if the initial problem was simple and funny, the solutions are not so simple. Of course, we could find a solution, but the problem is more complicated than we think.

Story - Round-trip cancellation 
Note: At the end of the post you can find a list of tips that could help you to avoid such situations, but before it, I would like to share with you a case where almost all of us are exposed.

Imagine that you go on holiday in the UK for 2 weeks. When you arrive at the airport, you drop your baggage and go to the security control. You leave your ticket inside the security box, and the person behind you takes a photo of your ticket.
The ticket already contains the booking reference or the ticket number together with your name. It is more than enough for any person to access your booking and modify it. Let's say that he cancels your return ticket. You are on holiday, right? So you don't check your emails… until the last day when you want to check in, when… surprise… your trip was canceled. Enjoy the time that you will spend on the phone with the support line. In the worst case, you will have to pay for a new ticket. Moreover, remember, it is not the airline's fault.
On my last trip, at the security queue I was able to see at least 2 tickets that I could 'hack.'

This is not an imaginary story. Try to bing it on Google, and you'll find many situations like this. The internet is full of these kinds of stories.

Tips 
Below you can find some tips that could help us to avoid situations like this:

  1. Don’t share the booking information with anybody else 
  2. Register your email to your booking; it enables you to get notifications when changes are done on your ticket 
  3. Try to keep the ticket hidden from other people (don’t leave your ticket on the table when you are at the business lounge) 
  4. Never share the photo of your ticket on social media 

The main general rule is to keep your booking information as safe as possible and, when you see any changes on your reservation, to call the airline as soon as possible. They will do their best to help you.
