Ber2dca

They have verified. "May I have your name?" "<says name>". "May I have your booking code?" "<says booking code>".

The booking code i.e. PNR locator is only shown on an encrypted webpage when you book and sent to the password-protected email you used for the booking. It's confidential, it's protected info. Amazon and most other retailers don't ask you for more than an email and password either to log in and buy stuff.

JVPhoto

That's very strange, I would imagine that a hacker is in her email trying to get credit card, financial, SSN, PayPal, etc info.
Why go in and take the extra effort to cancel a flight? I wonder if it was someone who personally knew your friend and was taking it out on her.

djohannw

As long as the PNR-code is sent through normal, unencrypted eMail this just is nowhere near an secure transmission and prone to interception. Additionally you can just call the airline and actually ASK for the PNR when you have the approximate flight detail...done this more than once when I booked on a OTA that did not display the airline's confirmation code.

Greetings - Dirk

malmostoso

I have always thought that the PNR/last name combination as a username/password was extremely weak, considering that it is sent in cleartext.

For example, our corporate TA blocks time in our calendars with the flight information, including the PNR. Every employee can see each other's calendar. So it would be trivial, for a prankster or a disgruntled colleague, to make a mess out of it.

I guess a sensible solution would be to allow small changes (seat selection, FQTV, OLCI) just with PNR and last name, and more substantial ones (rebooking or cancellation) with more information (birthdate or passport number).

mmff

IMHO the extra couple of minutes on the phone (or on the website) would be well worth it both to the company and to the customer.

First, apart from educational purposes and security tests, most hacking is malicious. Second, there are plenty of cases where the aim is to cause havoc or distress, not to profit directly from it.


The PNR is far from being the password it should be. First, no airline or travel agency treats it as sensitive information, sending it out in non-encrypted emails and showing it in big letters when you log-in to manage your reservation online. Second, you can get on the phone with the airline and get the PNR with just a name and flight number. I did it several times for me and my SO, no further checks whatsoever. The burden of proof is on the airline and this would most certainly not stand in court if anyone decided to push it that far (they would surely settle).

My first thought, too. However, it is also possible that it was a random prankster who got his hands on her smartphone or laptop.

+1

+1

dj_jay_smith

But this doesn't mean anything these days. With large companies routing data via IT hubs and VPNs used so often then where you are physically does not have to be where the IT systems say you location is.

It can be annoying when you always get adverts in Swedish when you are sitting in SE Asia, but if an IT system blocked the changing of tickets/reservations based on this then it would never work.


But I don't understand what a hacker would have to gain by cancelling a flight ticket electronically? Sounds more like somebody they know trying to make life awkward for them.


You could try the tactic of saying that the cancellation was not authorised so LH are to blame. Or you could see if travel insurance might help.

hugolover

From my checks I can see all you need is the PNR and the surname to cancel the ticket on Lufthansa.com so the proof needed is far less than a telephone conversation where perhaps some more personal details would be needed. However, I'd imagine with access to email the only benefit would be a voice capture of who cancelled it, particularly if it was male and in this case the pax is female.

I have contacted the LH lurker here to see if they can help because I have got nowhere with the call centre who keep telling us to email CR but a response/resolution before Saturday is slim to zero. I have also reached out the social media lot.

The issue is, LH445 on Saturday 1 Nov is busy and is showing full Y only as of now and she was booked in Q.

This is a good lesson for all to ensure that you keep your PNR secret. A few weeks ago, the hacker could have cancelled around 5 tickets causing even more havoc and thousands of dollars in change fees and fare differences given LH's policy.

mmff

Not even that. If you have the PNR and the name they do not even blink. I was never asked any questions when I called to make changes to the tickets of my mother in law, who travels often (for someone her age) but hates call centers.

JVPhoto

Once a "frenemy" was tweeting to UA about missing a flight or something and instead of direct messaging them his confirmation # he posted it publicly. I wanted to change him to a middle seat. I also got a chuckle that he was in Y when he does all efforts to make it seem like he flies J/F on social media...but to the trained eye.

Ber2dca

I'm not saying it's the most secure verification but it's industry standard and not just for airlines. Booking code and surname will be enough to cancel most hotel bookings as well, just like order number and name will be enough to cancel many retail orders by phone.

Germanfflyer

Just because it is industie standard does not mean that the proof of burden for a canceled reservation lies with the passenger - LH would have to proof it verified the person canceling is eligable and if they can not....THEY have a problem!

hugolover

Because the re-booking costs are a further $1500 she is unwilling to pay this supplement in addition to her re-booked ticket where she paid $250 extra to travel on a day with Q class availability. As its important she doesn't miss Monday and this is a leisure trip I am thinking to book her a flight on BA with some miles.

Given the peculiarities of the small claims courts in England I feel it makes more sense to go down this route rather than pay another $1500 which one might not get back (Plus a throwaway return is a bit cheaper). The claim will only be half the amount and LH are less likely to defend. In the end, as she needs to fly back on the Saturday as originally booked there is nothing to lose by issuing a claim no matter of the chances of its success because these costs are going to be incurred regardless.

htb

If you book with BA miles it will be harder to claim any of it back in a small claims court.

HTB.

Germanfflyer

+1
If you can get a reasonable regular ticket I am sure it will be much easier to settle in court.
Please also make sure you get something in writing (mail) from LH that they refuse to reinstate the flights - as they might deny this when legal actions occur!

Flying Lawyer

The "worst" thing that can happen without a "something in writing" is that they accept the claim upon receipt of the service and the OP has the swollow their small statutory lawyers fees which might even not occur because LH sometimes represents itself without external counsel in the small claims court (Amtsgericht). This would however be better than any settlement in court you propose.