I tried posting this earlier in the week and it didn't get any traction, but user sleavey posted a great summary of the talk in that thread in case you don't have an hour, which is worth reading: https://news.ycombinator.com/item?id=13273314
I'm pretty sure the attack vector they discuss about finding boarding passes and changing the frequent flyer number attached to the itinerary is what the people who sell flights for 20-30% the cost do. I've been wondering who that scam hurts for a while, the common thought is that they're using stolen credit cards but from what I understand the "services" are way too reliable to be based off stolen cards.
I've always had a good impression of his work, and I don't get what you're implying. A bias for what?
That particular article doesn't seem like a good example of such, though.
That scheme wouldn't work, name on tickets needs to match your ff# for you to get the points on basically every single airline.
Those services are mostly based on stolen points from bruteforced accounts. VBV cards make credit card fraud a very reliable option too, but it'd have significantly lower profit margins.
Take a moment of your time and search this on flyertalk or something.
At my previous work we constantly did the swap to reach the needed miles to maintain status or to get a free upgrade / lounge access.
I still add my brother on BA since he has an insane status with them and I only fly with them once or twice a year for the upgrade and lounge...
On the other hand, phishing credentials for accounts with hundreds of thousands of points already in them could be quite lucrative.
Here are a few notes:
- Credit card numbers are obfuscated right after they are first used. Only certain back offices have unrestricted access.
- Viewing all the travel information in the PNR is important. For example, if a flight is arriving late, it can be useful to know that the passenger has a connecting flight with another airline on the same ticket to arrange for another connecting flight.
- Reservations are archived after a certain number of days after the last flight. They can be retrieved in view-only mode but you have to specify a date range.
- Most tickets and vouchers are non-transferable (at least for the airline I worked for). Even changing a name on a reservation is a pain. You either have to make a new booking and re-issue the ticket or get a support desk to change the name on the current reservation and re-issue the ticket. A regular agent changing more than 3 letters of a name will result in a cancelled itinerary.
- It is possible to enter restricted comments on a PNR. You can even set who can view them: agency only, airline only, even a specific office.
I get that he was saying that the system is unsafe but a lot of it is only in relation to the web interfaces. You can't get direct GDS access unless you're working directly for an airline or travel agency. Those people definitely need to see most of the information on the record.
Anyways, just thought I would provide some info.
I think that was the point though: when these systems were being built in the 70s (i.e. pre-internet), the security measures they had – many of them based on trust – were perfectly reasonable. You'd need to have physical access to a machine connected to this closed network to even do so much as look at a reservation. And then the internet comes along and these companies (with no experience in web security) hook up their closed, tightly controlled network to an open, not-at-all controlled network with virtually no additional security. I guess it's fair to say that trust alone doesn't work too well on the internet.
> You can't get direct GDS access unless you're working directly for an airline or travel agency. Those people definitely need to see most of the information on the record.
Yes, but the researchers addressed this in their talk about 14 minutes in. The authentication isn't hard to crack: it consists of an agent ID and a password, often in a format like WS<DDMMYY> (where <DDMMYY> is the date of first access to the system). These credentials are shared by the same office at the very least, and I have a sneaky feeling that I might find a conspicuous post-it note on a computer screen if I visit a few of my local travel agents.
> Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today's standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.
It's truly frightening.
And for God's sake don't try adding your frequent flier # on other people's tickets. The airline will catch you, and unless the tickets have your name on them you aren't gonna get any miles anyway.
I watched the entire talk days ago as it was happening and didn't see anything new or interesting in it. Record locators are short and you can scan bar codes on boarding passes was basically all of it.
They also made some pretty ridiculous suggestions that simply won't work, like the proposed scheme with adding your FF# to other people's tickets. The name on the ticket has to match yours for you to get the miles; this is the worst imaginable way of stealing them.
The talk isn't terrible, it's entertaining and relatively well presented, but it certainly only provides a very basic look at these systems through the eyes of someone who clearly isn't all that familiar with them yet. It's good for a beginner but seems like it might be a bit out of place in an international conference where you'll have lots of frequent fliers who already know all of these things.
You must have missed the bit in the Q&A session when they addressed this very issue. They suggested creating a new frequent flyer account in the name of the person travelling and transferring the stolen miles to your own account – or simply changing the name attached to your own account if the system permits. They also claimed to know of people who were doing this as they spoke, and their talk gives little reason to doubt them.
> I watched the entire talk days ago as it was happening and didn't see anything new or interesting in it. Record locators are short and you can scan bar codes on boarding passes was basically all of it.
I disagree. The (in)security of travel agency systems was something I suspected but had no evidence of, and they presented some novel, fairly clever and disturbingly feasible ways of exploiting the bruteforceability of sequential PNRs, like sending highly targeted credit card phishing emails to people with recent bookings.
> They suggested creating a new frequent flyer account in the name of the person travelling
So then they end up with an account with 1 trip's worth of miles on it; that'll rarely be worth anything at all.
> transferring the stolen miles to your own account –
Seriously? Do you have any idea how many miles you'd have to steal for that to be worthwhile? You have to pay $ to transfer miles.
> or simply changing the name attached to your own account if the system permits.
I can't think of anyone who permits this without a painful process, can you?
> They also claimed to know of people who were doing this as they spoke, and their talk gives little reason to doubt them.
Yeah, people also collect empty bottles off the streets.
If you want easy cheap miles this isn't the way to do it.
How about you go try it, just to be sure :)
Well, a return flight FRA-SIN in First is worth 40,000 miles, which is about 100 USD on most partner shops.
Sure, you can successfully commit fraud and earn a few $. Is it worth your time? Nah.