The Global Distribution System (GDS) is a unique tool used by travel agents worldwide to book air travel – yet it has very few security features. Unless the system’s IT infrastructure is overhauled, cybercriminals will continue to be able to access passengers’ personal data and hack their plane tickets.
When booking tickets, passengers provide the GDS with their last name, first name, telephone number, passport number and other confidential information. This data is collected in “Passenger Name Records” or PNRs which, for the past 60 years, have been used by customs and police authorities to monitor international flows of people and combat terrorism and organised crime. Data was originally entered manually, but has been collected automatically using computers since the 1970s.
Major GDS weaknesses
Two cybersecurity researchers, Karsten Nohl and Nemanja Nikodijevic, recently studied the GDS. Worryingly, they concluded that the system’s infrastructure had only minimal security features, which dated back to the 1970s.
The system’s main weakness is that no password is required to access PNR files – just the passenger’s last name and PNR code. This code only contains six characters, meaning hackers can repeatedly attack airline websites until they find the correct combination. This kind of attack is called a brute force attack.
Another major weakness is the fact that the passenger’s name and PNR code appear on all flight tickets and baggage labels. They are either printed directly or using a barcode, which can easily be read using barcode apps. Passengers who share photos of plane tickets on social media are therefore extremely vulnerable to having their accounts hacked. In the space of just a few weeks at the end of 2016, the two researchers observed that 75,000 such photos had been posted.
After obtaining the passenger’s last name and PNR code, hackers are able to access passenger and PNR files. From there, they can:
- Steal the passenger’s frequent flyer miles, or cancel the original flight and use the airline credit to book another trip.
- Modify the passenger name on the ticket and use it themselves, depending on the airline.
- Use the passenger’s ticket without changing the name, in regions where identity checks are not always performed (for example, in the Schengen area). This form of identity theft represents a clear terrorism risk.
- Steal the passenger’s personal data (PNRs in passenger files and data entered on the plane ticket such as geolocation).
Essential security measures
To improve system security, several simple measures could be implemented:
- Record connection data in the GDS in order to trace fraudulent activity.
- Add a user password, in addition to the six-character PNR code.
- Limit the number of connection requests from a single IP address to prevent brute force attacks.
In reaction to this study, one of the three GDS systems (Amadeus, Galileo and Sabre) appears to have implemented the last security measure. However, it may only have been installed on a temporary or one-off basis.
PNRs were originally created to tackle terrorism and organised crime. The surprising vulnerability of the GDS system is regrettable, because it leads to two major risks: financial fraud and identity theft.