
Where in the World Is Carmen Sandiego? Becoming a Secret Travel Agent [video] - based2
https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego
======
jc4p
This was a fantastic talk. Both the content and the quality of the talk itself
exceeded my expectations. I knew that bar codes on boarding passes are PDF-417
and have lots of info embedded, but the attack vectors they discuss are NUTS.

I tried posting this earlier in the week and it didn't get any traction, but
user sleavey posted a great summary of the talk in that thread in case you
don't have an hour, which is worth reading:
[https://news.ycombinator.com/item?id=13273314](https://news.ycombinator.com/item?id=13273314)

I'm pretty sure the attack vector they discuss about finding boarding passes
and changing the frequent flyer number attached to the itinerary is what the
people who sell flights for 20-30% the cost[0] do. I've been wondering who
that scam hurts for a while, the common thought is that they're using stolen
credit cards but from what I understand the "services" are way too reliable to
be based off stolen cards.

[0] [http://krebsonsecurity.com/2012/01/flying-the-fraudster-skies/](http://krebsonsecurity.com/2012/01/flying-the-fraudster-skies/)

~~~
dublinben
It's hard to get a clear picture of what's going on from the heavily biased
coverage on Krebs's site, but based on the services being offered (flights,
hotels, car rentals) they would appear to be purchased with stolen rewards
points. If they weren't limited to spending these points, it seems obvious
that they'd sell a greater range of services/products.

~~~
cryptarch
I'm not seeing the "heavy bias" in Krebs's coverage, could you elaborate on
that?

I've always had a good impression of his work, and I don't get what you're
implying. A bias for what?

~~~
ryanlol
IMO the quality of his reporting occasionally suffers because of his strong
personal feelings on the people he's reporting on.

That particular article doesn't seem like a good example of such, though.

------
jdmath
I used to work for an airline that used Amadeus and was fairly familiar with
it. Every booking agent had access to a terminal connection to the mainframe
(similar to ssh or telnet). Everyone had unique login credentials and every
action can be tracked through the booking history.

Here are a few notes:

- Credit card numbers are obfuscated right after they are first used. Only
certain back offices have unrestricted access.

- Viewing all the travel information in the PNR is important. For example, if
a flight is arriving late, it can be useful to know that the passenger has a
connecting flight with another airline on the same ticket to arrange for
another connecting flight.

- Reservations are archived a certain number of days after the last
flight. They can be retrieved in view-only mode but you have to specify a date
range.

- Most tickets and vouchers are non-transferable (at least for the airline I
worked for). Even changing a name on a reservation is a pain. You either have
to make a new booking and re-issue the ticket or get a support desk to change
the name on the current reservation and re-issue the ticket. A regular agent
changing more than 3 letters of a name will result in a cancelled itinerary.

- It is possible to enter restricted comments on a PNR. You can even set who
can view them: agency only, airline only, even a specific office.

I get that he was saying that the system is unsafe but a lot of it is only in
relation to the web interfaces. You can't get direct GDS access unless you're
working directly for an airline or travel agency. Those people definitely need
to see most of the information on the record.

Anyways, just thought I would provide some info.

~~~
atomwaffel
> I get that he was saying that the system is unsafe but a lot of it is only
> in relation to the web interfaces.

I think that was the point though: when these systems were being built in the
70s (i.e. pre-internet), the security measures they had – many of them based
on trust – were perfectly reasonable. You'd need to have physical access to a
machine connected to this closed network to even do so much as look at a
reservation. And then the internet comes along and these companies (with no
experience in web security) hook up their closed, tightly controlled network
to an open, not-at-all controlled network with virtually no additional
security. I guess it's fair to say that trust alone doesn't work too well on
the internet.

> You can't get direct GDS access unless you're working directly for an
> airline or travel agency. Those people definitely need to see most of the
> information on the record.

Yes, but the researchers addressed this in their talk about 14 minutes in. The
authentication isn't hard to crack: it consists of an agent ID and a password,
often in a format like WS<DDMMYY> (where <DDMMYY> is the date of first access
to the system). These credentials are shared by the same office at the very
least, and I have a sneaky feeling that I might find a conspicuous post-it
note on a computer screen if I visit a few of my local travel agents.
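
Added example, not part of the comment above or of the talk: a policy check for a password-set flow that rejects secrets of the quoted `WS<DDMMYY>` shape and reports how little entropy a date carries. The function names, the 1970 lower bound and the sample values are assumptions made for illustration.

```python
import math
import re
from datetime import date

# Shape quoted in the comment: two letters followed by a DDMMYY date.
DATE_PASSWORD = re.compile(r"^[A-Za-z]{2}(\d{2})(\d{2})(\d{2})$")


def embedded_date(password, earliest, latest):
    """Return the date encoded in a <2 letters><DDMMYY> password, or None."""
    match = DATE_PASSWORD.match(password)
    if match is None:
        return None
    day, month, year = (int(group) for group in match.groups())
    for century in (1900, 2000):  # a two-digit year is ambiguous
        try:
            candidate = date(century + year, month, day)
        except ValueError:  # e.g. 31 February: six digits, but not a date
            continue
        if earliest <= candidate <= latest:
            return candidate
    return None


def date_space_bits(earliest, latest):
    """Entropy in bits of a secret that is only a date in [earliest, latest]."""
    return math.log2((latest - earliest).days + 1)


def review_password(password, earliest=date(1970, 1, 1), latest=None):
    """Policy check for a password-set flow: list of reasons to reject."""
    latest = latest or date.today()
    reasons = []
    found = embedded_date(password, earliest, latest)
    if found is not None:
        bits = date_space_bits(earliest, latest)
        reasons.append(
            f"date-derived ({found.isoformat()}): about {bits:.1f} bits, "
            "however long the password looks"
        )
    return reasons


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("WS010203", "WS310299", "q7#Lm2!xVb9e"):
        print(sample, review_password(sample, latest=date(2016, 12, 31)))
```

The check has to run where the plaintext is available, i.e. when the password is set or changed; it cannot be applied to stored hashes afterwards.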

~~~
germanier
If I recall correctly, he said that travel agencies often have their own
system (with individual passwords) hooked up to the GDS using a shared login
which was set up once a long time ago and then forgotten.

------
nyolfen
description for those puzzled by the title:

> _Travel booking systems are among the oldest global IT infrastructures, and
> have changed surprisingly little since the 80s. The personal information
> contained in these systems is hence not well secured by today's standards.
> This talk shows real-world hacking risks from tracking travelers to stealing
> flights._

------
jugbee
What's interesting is that back in May, the EU parliament approved the
directive to use PNR data for intelligence purposes, meaning that every air
carrier has to transfer this data to law enforcement agencies
([http://www.consilium.europa.eu/en/press/press-releases/2016/04/21-council-adopts-eu-pnr-directive/](http://www.consilium.europa.eu/en/press/press-releases/2016/04/21-council-adopts-eu-pnr-directive/)).
Have I read too much Orwell or...?

~~~
nly
Coupled with IP addresses from web bookings being on the PNR, and the likes of
the new Investigatory Powers Bill in the UK, it won't be long before border
control agents will be looking at your recent Internet history.

It's truly frightening.

------
michaelmior
Tempting to make a system that captures publicly posted photos of boarding
passes. Then email the poster a warning along with proof of the personal
information that they made available. However, I suspect this could get one in
trouble.

~~~
nhf
90% of what's present in the boarding pass barcode (PDF417) is visible in
plaintext on the actual document. The other 10% is relatively meaningless
without access to the airline's systems (perhaps with the exception of FF
numbers which are sometimes redacted).

~~~
michaelmior
My understanding (without trying this myself) is that it's potentially
possible to recover a traveler's email and home address.

------
based2
[https://en.wikipedia.org/wiki/Global_Distribution_System](https://en.wikipedia.org/wiki/Global_Distribution_System)

~~~
contingencies
Also [https://en.wikipedia.org/wiki/PNR](https://en.wikipedia.org/wiki/PNR)
for the personal information it stores.

------
based2
[https://www.youtube.com/watch?v=qnq0UfOUTlM](https://www.youtube.com/watch?v=qnq0UfOUTlM)

------
ryanlol
Seemed like a bit of an odd talk for a crowd that largely flies to cons. This
is mostly stuff your average FTer already knows.

And for god's sake don't try adding your frequent flier # on other people's
tickets. The airline _will_ catch you, and unless the tickets have your name
on them you aren't gonna get any miles anyway.

