Where in the World Is Carmen Sandiego? Becoming a Secret Travel Agent [video] (ccc.de)
163 points by based2 on Dec 31, 2016 | 31 comments



This was a fantastic talk. Both the content and the quality of the talk itself exceeded my expectations. I knew that bar codes on boarding passes are PDF-417 and have lots of info embedded, but the attack vectors they discuss are NUTS.

I tried posting this earlier in the week and it didn't get any traction, but user sleavey posted a great summary of the talk in that thread in case you don't have an hour, which is worth reading: https://news.ycombinator.com/item?id=13273314

I'm pretty sure the attack vector they discuss about finding boarding passes and changing the frequent flyer number attached to the itinerary is what the people who sell flights for 20-30% the cost[0] do. I've been wondering who that scam hurts for a while, the common thought is that they're using stolen credit cards but from what I understand the "services" are way too reliable to be based off stolen cards.

[0] http://krebsonsecurity.com/2012/01/flying-the-fraudster-skie...


It's hard to get a clear picture of what's going on from the heavily biased coverage on Krebs's site, but based on the services being offered (flights, hotels, car rentals) they would appear to be purchased with stolen rewards points. If they weren't limited to spending these points, it seems obvious that they'd sell a greater range of services/products.


I'm not seeing the "heavy bias" in Krebs's coverage, could you elaborate on that?

I've always had a good impression of his work, and I don't get what you're implying. A bias for what?


IMO the quality of his reporting occasionally suffers because of his strong personal feelings on the people he's reporting on.

That particular article doesn't seem like a good example of such, though.


>I'm pretty sure the attack vector they discuss about finding boarding passes and changing the frequent flyer number attached to the itinerary is what the people who sell flights for 20-30% the cost[0] do

That scheme wouldn't work, name on tickets needs to match your ff# for you to get the points on basically every single airline.

Those services are mostly based on stolen points from bruteforced accounts. VBV cards make credit card fraud a very reliable option too, but it'd have significantly lower profit margins.


You can add any ff number to a ticket purchase, you can also change it during checkout and even after taking the flight.


So? You aren't gonna get the miles. Otherwise, why aren't you already calling through all of your friends and adding your FF# on all of their old flights? Because the airlines aren't completely stupid and you aren't the first person to want free flights.


Yes you will get miles for those flights.


You must live in an alternate universe with different airline loyalty programs, because that's simply not how they work in the real world.

Take a moment of your time and search this on flyertalk or something.


Works with BA, Miles and More and a few others for me.

At my previous work we constantly did the swap to reach the needed miles to maintain status or to get a free upgrade / lounge access.

I still add my brother on BA since he has an insane status with them and I only fly with them once or twice a year for the upgrade and lounge...


The scammers you cite are generally using stolen points, or more precisely, points from compromised accounts. Generally, with regard to flights, points can only be accrued in the name of the person travelling and can't easily be transferred or aggregated between accounts, so changing the FF# on an active reservation doesn't really help you. You couldn't accrue all your stolen points to one account - you'd end up with a few points in hundreds of different accounts which doesn't have any value.

On the other hand, phishing credentials for accounts with hundreds of thousands of points already in them could be quite lucrative.


At the end of the talk he said that the point thing is already being exploited and that those people change the account name on every transaction to the owner of the flight ticket. And that they are able to collect a massive amount of points without being detected.


I used to work for an airline that used Amadeus and was fairly familiar with it. Every booking agent had access to a terminal connection to the mainframe (similar to ssh or telnet). Everyone had unique login credentials and every action can be tracked through the booking history.

Here are a few notes:

- Credit card numbers are obfuscated right after they are first used. Only certain back offices have unrestricted access.

- Viewing all the travel information in the PNR is important. For example, if a flight is arriving late, it can be useful to know that the passenger has a connecting flight with another airline on the same ticket to arrange for another connecting flight.

- Reservations are archived after a certain amount of days after the last flight. They can be retrieved in view only mode but you have to specify a date range.

- Most tickets and vouchers are non-transferable (at least for the airline I worked for). Even changing a name on a reservation is a pain. You either have to make a new booking and re-issue the ticket or get a support desk to change the name on the current reservation and re-issue the ticket. A regular agent changing more than 3 letters of a name will result in a cancelled itinerary.

- It is possible to enter restricted comments on a PNR. You can even set who can view them. Agency only, airline only, even a specific office.

I get that he was saying that the system is unsafe but a lot of it is only in relation to the web interfaces. You can't get direct GDS access unless you're working directly for an airline or travel agency. Those people definitely need to see most of the information on the record.

Anyways, just thought I would provide some info.


> I get that he was saying that the system is unsafe but a lot of it is only in relation to the web interfaces.

I think that was the point though: when these systems were being built in the 70s (i.e. pre-internet), the security measures they had – many of them based on trust – were perfectly reasonable. You'd need to have physical access to a machine connected to this closed network to even do so much as look at a reservation. And then the internet comes along and these companies (with no experience in web security) hook up their closed, tightly controlled network to an open, not-at-all controlled network with virtually no additional security. I guess it's fair to say that trust alone doesn't work too well on the internet.

> You can't get direct GDS access unless you're working directly for an airline or travel agency. Those people definitely need to see most of the information on the record.

Yes, but the researchers addressed this in their talk about 14 minutes in. The authentication isn't hard to crack: it consists of an agent ID and a password, often in a format like WS<DDMMYY> (where <DDMMYY> is the date of first access to the system). These credentials are shared by the same office at the very least, and I have a sneaky feeling that I might find a conspicuous post-it note on a computer screen if I visit a few of my local travel agents.


If I recall correctly, he said that travel agencies often have their own system (with individual passwords) hooked up to the GDS using a shared login which was set up once a long time ago and then forgotten.


Description for those puzzled by the title:

> Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today's standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.


What's interesting is that back in May, the EU parliament approved the directive to use PNR data for intelligence purposes, meaning that every air carrier has to transfer this data to law enforcement agencies (http://www.consilium.europa.eu/en/press/press-releases/2016/...). Have I read too much Orwell or...?


Coupled with IP addresses from web bookings being on the PNR, and the likes of the new Investigatory Powers Bill in the UK, it won't be long before border control agents will be looking at your recent Internet history.

It's truly frightening.


Tempting to make a system that captures publicly posted photos of boarding passes. Then email the poster a warning along with proof of the personal information that they made available. However, I suspect this could get one in trouble.


90% of what's present in the boarding pass barcode (PDF417) is visible in plaintext on the actual document. The other 10% is relatively meaningless without access to the airline's systems (perhaps with the exception of FF numbers which are sometimes redacted).
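What the barcode payload carries, as an added example that is not part of the thread or the talk: a parser for the 60-character mandatory block of a single-leg IATA BCBP record (the text encoded in the PDF417 symbol), plus a redaction helper that masks the name and record locator and drops the airline-specific conditional section. The sample payload is constructed, and the function names are this example's own.

```python
# Mandatory block of a single-leg IATA BCBP "M" record: (field, width), 60 chars total.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket_indicator", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60
SENSITIVE = ("passenger_name", "pnr")  # what booking-lookup pages commonly ask for

# Constructed sample payload (fictional passenger, locator and flight).
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "FRASIN"
          + "XX".ljust(3) + "0123".ljust(5) + "365" + "F" + "012A"
          + "0025".ljust(5) + "1" + "00")

def parse_bcbp(payload):
    """Split the mandatory block into named fields; conditional data is kept raw."""
    if len(payload) < MANDATORY_LEN or payload[:2] != "M1":
        raise ValueError("expected a single-leg BCBP 'M' record")
    record, pos = {}, 0
    for name, width in FIELDS:
        record[name] = payload[pos:pos + width].strip()
        pos += width
    size = int(record["conditional_size_hex"], 16)
    # Airline-specific section; it can carry the frequent flyer number.
    record["conditional_data"] = payload[pos:pos + size]
    return record

def redact(payload):
    """Mask name and locator at their offsets and drop the conditional section."""
    parse_bcbp(payload)  # reject anything that is not a well-formed record
    chars, pos = list(payload[:MANDATORY_LEN]), 0
    for name, width in FIELDS:
        if name in SENSITIVE:
            chars[pos:pos + width] = "X" * width
        pos += width
    chars[-2:] = "00"  # conditional section removed, so its size is zero
    return "".join(chars)

if __name__ == "__main__":
    print(parse_bcbp(SAMPLE))
    print(redact(SAMPLE))
```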


My understanding (without trying this myself) is that it's potentially possible to recover a traveler's email and home address.



Also https://en.wikipedia.org/wiki/PNR for the personal information it stores.



Seemed like a bit of an odd talk for a crowd that largely flies to cons. This is mostly stuff your average FTer already knows.

And for god's sake don't try adding your frequent flier # on other people's tickets. The airline will catch you, and unless the tickets have your name on them you aren't gonna get any miles anyway.


[flagged]


I recommend not making comments like this on HN.

I watched the entire talk days ago as it was happening and didn't see anything new or interesting in it. Record locators are short and you can scan bar codes on boarding passes was basically all of it.

They also made some pretty ridiculous suggestions that simply won't work, like the proposed scheme with adding your FF# to other people's tickets. The name on the ticket has to match yours for you to get the miles, this is the worst imaginable way of stealing them.

The talk isn't terrible, it's entertaining and relatively well presented, but it certainly only provides a very basic look at these systems through the eyes of someone who clearly isn't all that familiar with them yet. It's good for a beginner but seems like it might be a bit out of place in an international conference where you'll have lots of frequent fliers who already know all of these things.


> They also made some pretty ridiculous suggestions that simply won't work, like the proposed scheme with adding your FF# to other people's tickets. The name on the ticket has to match yours for you to get the miles, this is the worst imaginable way of stealing them.

You must have missed the bit in the Q&A session when they addressed this very issue. They suggested creating a new frequent flyer account in the name of the person travelling and transferring the stolen miles to your own account – or simply changing the name attached to your own account if the system permits. They also claimed to know of people who were doing this as they spoke, and their talk gives little reason to doubt them.

> I watched the entire talk days ago as it was happening and didn't see anything new or interesting in it. Record locators are short and you can scan bar codes on boarding passes was basically all of it.

I disagree. The (in)security of travel agency systems was something I suspected but had no evidence of, and they presented some novel, fairly clever and disturbingly feasible ways of exploiting the bruteforceability of sequential PNRs, like sending highly targeted credit card phishing emails to people with recent bookings.
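A defender's view of the record-locator guessing mentioned above, as an added example that is not part of the thread or the talk: flag clients whose booking lookups touch many distinct locators and mostly miss, while leaving busy agency offices and mistyping travellers alone. The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

def sample_log():
    """Constructed lines: '<hh:mm:ss> <client_ip> <surname> <locator> <HIT|MISS>'."""
    lines = []
    # Client A: one surname against many neighbouring locators, almost all misses.
    for i in range(12):
        result = "HIT" if i == 9 else "MISS"
        lines.append(f"10:00:{i:02d} 198.51.100.7 SMITH X7K2A{i:X} {result}")
    # Client B: agency office behind one IP, many different bookings, all valid.
    for i in range(10):
        lines.append(f"10:05:{i:02d} 203.0.113.20 PAX{i} Q{i}ZTRM HIT")
    # Client C: traveller mistyping the same locator a few times.
    lines += [f"10:09:0{i} 192.0.2.55 MEIER K3LPW{i % 2} MISS" for i in range(4)]
    lines.append("malformed line")
    return lines

def flag_enumeration(lines, min_distinct=8, min_miss_ratio=0.8):
    """Return {ip: stats} for clients probing many distinct locators with mostly misses."""
    seen = defaultdict(lambda: {"locators": set(), "total": 0, "miss": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("HIT", "MISS"):
            continue  # skip malformed entries rather than abort the whole run
        _, ip, _surname, locator, result = parts
        stats = seen[ip]
        stats["locators"].add(locator.upper())
        stats["total"] += 1
        stats["miss"] += result == "MISS"
    flagged = {}
    for ip, stats in seen.items():
        ratio = stats["miss"] / stats["total"]
        # Both conditions are needed: volume alone matches agencies,
        # misses alone match a single traveller with a typo.
        if len(stats["locators"]) >= min_distinct and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct": len(stats["locators"]),
                           "miss_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    for ip, stats in flag_enumeration(sample_log()).items():
        print(ip, stats)
```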


>You must have missed the bit in the Q&A session when they addressed this very issue.

>They suggested creating a new frequent flyer account in the name of the person travelling

So then they end up with an account with 1 trip's worth of miles on it, that'll rarely be worth anything at all.

>transferring the stolen miles to your own account –

Seriously? Do you have any idea how many miles you'd have to steal for that to be worthwhile? You have to pay $ to transfer miles.

>or simply changing the name attached to your own account if the system permits.

I can't think of anyone who permits this without a painful process, can you?

>They also claimed to know of people who were doing this as they spoke, and their talk gives little reason to doubt them.

Yeah, people also collect empty bottles off the streets.

If you want easy cheap miles this isn't the way to do it.

How about you go try it, just to be sure :)


>So then they end up with an account with 1 trip's worth of miles on it, that'll rarely be worth anything at all.

Well, a return flight FRA-SIN in First is worth 40,000 miles which is about 100 USD on most partner shops.


That's basically the functional equivalent of tying a string around a bottle and then returning it to the machine multiple times.

Sure, you can successfully commit fraud and earn a few $, is it worth your time? Nah.


With a system you can automate? Where you could likely use a single account for everyone who shares a name? (How many John Smiths, how many Mike Davies, how many Ahmed Muhammads?) Something that could likely be coded in an afternoon and left to run on some Amazon instances that never actually get the bill paid on? I think you may be overestimating the setup cost and vastly underestimating the potential haul.



