Cathay Pacific Asia Miles - Lack of Security for OLCI

Just found out from my friend.. if you know someone's full name and flight details, you can mess around with their OLCI... such as moving them to much worse seats. Another :td: for CX as other airlines require Ticket number or PNR code as a validation.

sounds like people with too much time on their hands here or is it the CX bashing thread

sounds like people with too much time on their hands here or is it the CX bashing thread

Seems like you dont know too much with the importance of advanced seat selection and privacy which is very evident from your post count.

Just found out from my friend.. if you know someone's full name and flight details, you can mess around with their OLCI... such as moving them to much worse seats. Another :td: for CX as other airlines require Ticket number or PNR code as a validation.

For OLCI you need exact flight number and Name, which for me is just good enough for security as it is only selecting the seat. You always have an option to change it at check-in counter after-all.

Though adding PNR / Ticket Number for validation may be good ... I think it is quite a balance of adoption rate vs security. Let's not forget tour groups people will not be able to do OLCI if PNR / Ticket number is needed as they normally don't have that.

You just found out? I thought I have been offering to put you in a middle seat at the back of the plane a few times already?

So...where would you like to sit on your flight tonight?

Usually, CX also requires you to enter passport details such as passport number, expiry date, issue date etc which, to me, are rather personal and should be kept to those close to you anyway.

Of course, there is a possibility that someone (close to us as they need all those details) may try to change us to a much worse seat in which case I reckon we should fix those people mentality first before looking into fixing CX OLCI systems :p

Usually, CX also requires you to enter passport details such as passport number, expiry date, issue date etc which, to me, are rather personal and should be kept to those close to you anyway.

Of course, there is a possibility that someone (close to us as they need all those details) may try to change us to a much worse seat in which case I reckon we should fix those people mentality first before looking into fixing CX OLCI systems :p

Next time when you do OLCI, after completion, log out completely of CX website and try getting into the OLCI "Non-Member" route. All CX asks is your Full name, flight number and date. I have heard fans of Cantopop stars searching the system for their idols, simply knowing that they will fly to destination "X" on CX on a particular day, and meddling with the seats on OLCI, so that the idol will sit next to him/her!.. a bit of wishful thinking for these fans but it's still a loophole.

I think CX should design the system so that it would prevent people who has malicious intent in creating havoc to the best extent possible, yes that may include your business partners and or friends who want to pull a prank.

The "lack of security" is only for MPO members. I was booked on HKG-XMN back in March using Finnair Plus as S-class earns 50%. I was prompted with a notice to enter my ticket number (and the information mentioned in the above post) before altering or seeing any personal information. Don't know about seat selection though.

And, your MPO number and password should be kept personal as well.
So,what's the issue?:confused::)

Usually, CX also requires you to enter passport details such as passport number, expiry date, issue date etc which, to me, are rather personal and should be kept to those close to you anyway.


System doesn't care what you put in those fields, you don't need to know the person's actual info for you to mess around with their seat assignment, or checking them in just for fun.

I usually put in my MPO number in the "passport number" field, and nobody has ever raised a peep about it. It gets updated at check-in anyway when I pick up my BP.

BA's OLCI doesn't require anything more than the PNR and name also and as such has the same issue.

One nasty surprise for me recently with a CX ticketed RTW (which has an amadeus record associated) was that if you enter your passport, DOB and telephone details in the MMB section of CX that information will show up on checkmytrip.com :eek: