
Researchers: PNR Exposure Puts Flyers at Risk

German cybersecurity firm warns printing PNRs can result in major problems for flyers’ personal information.

Does the six-character confirmation number assigned to flyers’ itineraries put them at risk? A presentation by German cybersecurity firm Security Research Labs suggests that it may be the only thing between a passenger and identity theft. In a white paper published on its website, the firm warns that the current way of booking and identifying travel puts flyers’ personal information at risk.

Through their research of the three major global distribution systems (Amadeus, Sabre and Travelport), the security firm discovered there was no method for airlines or travel agents to verify the identity of a flyer through multiple layers of security online. With the six-character passenger name record (PNR) and flyer’s last name, a would-be identity thief can go online and access vital information about the flyer – including their e-mail address and phone number.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” the company writes. “Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”

To make things worse, the firm also suggests that the six-character code is insecure in its own right, as the correct combination of PNR and last name can be guessed in a brute force attack. Because airline and GDS websites set high limits on the number of attempts allowed to access a record through a PNR, a hacker has plenty of opportunities to guess the right combination.

So what can happen when data falls into the wrong hands? Security Research Labs warns that flyers who have their PNR stolen can have their flights stolen, frequent flyer miles diverted or passport information stolen. To fight back, the security firm recommends stakeholders allow passengers to password protect their itineraries and offer protection against brute force attacks.
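One way the recommended brute force protection could look on a booking-lookup endpoint, as an added example that is not code from Security Research Labs, any airline or any GDS: failed lookups are counted in a sliding window per source address and per surname, so the limit on guesses against one traveller does not depend on where the requests come from. The class and function names, the limits and the sample booking are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class LookupThrottle:
    """Sliding-window cap on failed PNR lookups, per source address and per surname."""

    def __init__(self, max_per_ip=5, max_per_surname=20, window_s=3600,
                 clock=time.monotonic):
        self.limits = {"ip": max_per_ip, "surname": max_per_surname}
        self.window_s = window_s
        self.clock = clock
        self.failures = defaultdict(deque)  # (kind, key) -> failure timestamps

    def _recent(self, kind, key):
        q = self.failures[(kind, key)]
        cutoff = self.clock() - self.window_s
        while q and q[0] <= cutoff:  # drop failures that left the window
            q.popleft()
        return len(q)

    def allowed(self, ip, surname):
        surname = surname.strip().upper()
        return (self._recent("ip", ip) < self.limits["ip"]
                and self._recent("surname", surname) < self.limits["surname"])

    def record_failure(self, ip, surname):
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("surname", surname.strip().upper())].append(now)


def lookup(throttle, bookings, ip, surname, locator):
    """Return 'blocked', 'not_found' or 'ok' for one lookup attempt."""
    if not throttle.allowed(ip, surname):
        return "blocked"  # refuse before touching the booking store
    if bookings.get(locator.upper()) != surname.strip().upper():
        throttle.record_failure(ip, surname)
        return "not_found"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: locator format from the article, surname invented.
    sample = {"8EI29V": "MUSTERMANN"}
    throttle = LookupThrottle(max_per_ip=3)
    for guess in ("AAAAA1", "AAAAA2", "AAAAA3", "8EI29V"):
        print(guess, lookup(throttle, sample, "192.0.2.1", "Mustermann", guess))
```

A hard block keyed on the surname also locks out the real traveller while it is active, so a deployment would more likely require an extra check (such as the itinerary password the firm recommends) once the threshold is reached.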

Flyers can also join the fight in protecting their personal information. Those who are traveling are warned to protect their PNR from prying eyes and never post a picture of their boarding pass online.


3 Comments
jonsg January 4, 2017

Here's some feedback from a consultant who makes his income from security and cryptography. Yes, the number of PNR permutations is large. However, the second security factor is simply the pax's surname. Anyone who manages to obtain the PNR for a known person has full control of their flight data. They can obtain the ticket details. Using those, they can not only change or cancel the flight, they can obtain sensitive personal information. All it takes is one intercepted email, or one good glance at a boarding pass. There are no "hidden factors". It is not rocket science to have booking systems that require a password before access can be granted to non-employees to make changes or view sensitive data. "What about phone or travel agent bookings?", you ask. That's not a problem either. The phone agent or TA asks for two selected characters from the password, just as bank phone agents do. What's stopping all this from happening are inertia, complacency and cost aversion, plus a disinclination for the responsible bodies to collaborate.

gum January 4, 2017

Just a tiny round-up: The office of the member of the German parliament I had contacted sent me a small reply with some details why he is concerned. Sorry that I am not able to comprehend the argument. I appreciate him thinking about a potential risk. Well done, although I am not a fan of the political colour "green".

gum January 2, 2017

Dear Joe, I am convinced that the original source of the news, a tiny IT “advisor”, is playing games with the broad public. The system is very, very secure: 1.) It consists of a code consisting of six characters and not only numbers are used: It uses the 26 “letters” as well as 10 “numbers”. Therefore there are 36 possibilities for every “digit”. 2.) If you have a view on [airline designator]/NNNNNN there are – within an airline – 36 * 36 * 36 * 36 * 36 * 36 combinations. A “hacker” has to try out more than 2,1 billion (!) (exactly 2,176,782,336) combinations to get the filekey. 3.) A simple count of the number of requests from one IP address is enough to block this IP temporarily. Therefore this system is very, very secure. For more it is a classic example of clickbaiting/news baiting by an interested party. It is a hoax news/fake news which was started during the public holidays through a report of a newspaper. BTW: I have sent an E-Mail to the one member of parliament who was mentioned in the original article and never got a response. In view of the lack of content we can just use this fake news not to change the system or get afraid. It is simply a great example for getting PR free of charge for an IT “consultant” who under normal circumstances never would get such a large audience. So the 2nd factor authentication would make the world for everyone more complicated. Just think of rebooking when contacting the airline by phone. EDIT: Some typos corrected.