FlyerTalk Forums - View Single Post - Ticket maliciously cancelled LH refuse to reinstate
Old Oct 27, 2014 | 3:45 am
  #20  
mmff
Originally Posted by Often1
Second-tier verification sounds great until you are pressed for time and have to enter multiple pieces of information or spend an extra couple of minutes on the phone.
IMHO the extra couple of minutes on the phone (or on the website) would be well worth it both to the company and to the customer.

Originally Posted by Often1
This is an interesting one because it's rare for hackers to do malicious things. This cancellation doesn't help them.
First, apart from educational purposes and security tests, most hacking is malicious. Second, there are plenty of cases where the aim is to cause havoc or distress, not to profit directly from it.


Originally Posted by Ber2dca
They have verified. "May I have your name?" "<says name>". "May I have your booking code?" "<says booking code>".

The booking code, i.e. PNR locator, is only shown on an encrypted webpage when you book and sent to the password-protected email you used for the booking. It's confidential, it's protected info. Amazon and most other retailers don't ask you for more than an email and password either to log in and buy stuff.
The PNR is far from being the password it should be. First, no airline or travel agency treats it as sensitive information, sending it out in non-encrypted emails and showing it in big letters when you log in to manage your reservation online. Second, you can get on the phone with the airline and get the PNR with just a name and flight number. I did it several times for me and my SO, no further checks whatsoever. The burden of proof is on the airline and this would most certainly not stand in court if anyone decided to push it that far (they would surely settle).

Originally Posted by JVPhoto
I wonder if it was someone who personally knew your friend and was taking it out on her.
My first thought, too. However, it is also possible that it was a random prankster who got his hands on her smartphone or laptop.

Originally Posted by djohannw
As long as the PNR code is sent through normal, unencrypted email this just is nowhere near a secure transmission and prone to interception. Additionally you can just call the airline and actually ASK for the PNR when you have the approximate flight detail... done this more than once when I booked on an OTA that did not display the airline's confirmation code.
+1

Originally Posted by malmostoso
I have always thought that the PNR/last name combination as a username/password was extremely weak, considering that it is sent in cleartext.
+1