Reservations hacking?
#1
Original Poster
Suspended
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,724
Just read a blog post about hackers guessing or brute-force hacking the record locator code of Global Distribution Systems to cancel or modify your flights.
Guess it's too much to expect airlines to support 2-factor authentication in order to access these reservations?
I know you can access some of them without having an account on the airlines' websites, just knowing the last name and the locator code.
#2
A FlyerTalk Posting Legend




Join Date: Jul 2002
Location: MCI
Programs: AA Gold 1MM, AS MVP, UA Silver, WN A-List, Marriott LT Titanium, HH Diamond
Posts: 53,010
Can you access/modify a reservation with *just* the 6 characters? Or do you also need last name?
Seems like the easier path in would be airlines that have short/predictable FF#'s and minimal password requirements. For years, my United FF# was a number (no letters) protected only by a 4-digit PIN.
#4
Original Poster
Suspended
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,724
Yeah I don't know if they can change the passenger or have a refund sent to themselves?
I've heard of some claims of people having their FF accounts robbed of their miles though.
I wish both airlines and credit card rewards programs had better security but even financial institutions aren't using 2FA widely. Well some are but not most banks and credit unions or credit card issuers.
#6
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,077
Yeah I don't know if they can change the passenger or have a refund sent to themselves?
I've heard of some claims of people having their FF accounts robbed of their miles though.
I wish both airlines and credit card rewards programs had better security but even financial institutions aren't using 2FA widely. Well some are but not most banks and credit unions or credit card issuers.
#7
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,077
One thing that has been done is to create new loyalty program accounts for PNRs accessed by passenger name and record locators (which can be swiped or even guessed by brute force attacks) and then manage to enter in the program account number of the account controlled by the "hacker" in order to collect the miles/points and then somehow get a liquidity event out of them.
Cancelling flights and using the eticket and its residual value may also be possible in some cases.
#8
FlyerTalk Evangelist
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,871
Re hacking and airlines, when Gmail asks for a frequent flyer number, it shows that identity-related theft will increase because hackers will be able to do one-stop shopping (by hitting Google, in this example).
#10
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,077
The expanded governmental requirements for more passenger data to be captured and transmitted have become a real goldmine for a variety of questionable actors. The more info required to engage in business, and the more centralization there is of that info in a system, the greater the consequences of any vulnerability exploited.
#11
Original Poster
Suspended
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,724
Google asks for FF number so they can auto-populate their TripIt clone. Or have Google Now tell you about where you're going or other AI nonsense.
Then mine your data and sell ads to you, sell your data to their advertisers.
#12
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,077
The expanded governmental requirements for more passenger data to be captured and transmitted have become a real goldmine for a variety of questionable actors. The more info required to engage in business, and the more centralization there is of that info in a system, the greater the consequences of any vulnerability exploited.




