Hardly a day goes by without someone posting a photo of their airline boarding pass on Facebook (been there, done that as well) without thinking twice about what someone could do with the information embedded in it.
From such a photo you can often read the e-ticket number, last name, record locator, flight number(s) and frequent flyer number, either printed in clear text or encoded in the barcode. The record locator plus the last name is typically all an airline's "manage booking" page or call centre asks for, so with that alone it wouldn't be that difficult to pull up the reservation on the airline's website or call the airline and play around with it (cancel, change, refund, etc.).
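To make concrete what a scan of a posted boarding pass hands over, here is an added example (not code from the original post) that parses the mandatory, fixed-width section of the IATA Bar Coded Boarding Pass (BCBP) string found in the 2D barcode, pulls out the two values that together act as the booking credentials, and blanks them for sharing. The passenger name, record locator, flight and the year 2017 in the sample are constructed, not a real booking; the frequent flyer number lives in the optional conditional section that follows the 60 mandatory characters and is not parsed here.

```python
"""Parse the mandatory section of an IATA BCBP (Bar Coded Boarding Pass)
string and show which fields let a third party act on the booking."""
from datetime import date, timedelta

# Fixed-width layout of the single-leg mandatory BCBP section: (name, width).
# Frequent-flyer number, bag tags etc. sit in the conditional section that
# follows these 60 characters and is not handled by this example.
MANDATORY_FIELDS = [
    ("format_code", 1),        # 'M'
    ("number_of_legs", 1),
    ("passenger_name", 20),    # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),  # 'E' = electronic ticket
    ("pnr", 7),                # operating carrier record locator
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year of the flight, no year
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60

# Constructed sample (hypothetical name, PNR and flight): the kind of string
# a phone barcode scanner returns from a posted boarding-pass photo.
SAMPLE = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "SFO" + "LAX" + "UA".ljust(3) + "1234".ljust(5) + "226"
    + "Y" + "012A" + "0001".ljust(5) + "1" + "00"
)


def parse_bcbp(data: str) -> dict:
    """Split the mandatory fixed-width section into named, stripped fields."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not a BCBP mandatory section")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    fields["surname"] = fields["passenger_name"].split("/")[0]
    fields["day_of_year"] = int(fields["julian_date"])
    # Length of the conditional section is hex; a real scan continues past
    # the 60 mandatory characters when this is non-zero.
    fields["conditional_size"] = int(fields["conditional_size_hex"], 16)
    return fields


def flight_date(day_of_year: int, year: int) -> date:
    """BCBP stores only the day of year; the year is inferred from context."""
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


def booking_credentials(fields: dict) -> dict:
    """The pair that airline 'manage booking' pages and call centres usually
    accept as proof of ownership: record locator plus surname."""
    return {"pnr": fields["pnr"], "surname": fields["surname"]}


def _offset(name: str) -> tuple:
    """Return (start, width) of a mandatory field within the section."""
    pos = 0
    for field_name, width in MANDATORY_FIELDS:
        if field_name == name:
            return pos, width
        pos += width
    raise KeyError(name)


def redact_for_sharing(data: str) -> str:
    """Blank the name and PNR so a shared scan no longer yields the booking
    credentials; flight, date and seat stay readable for the photo."""
    out = list(data)
    for name in ("passenger_name", "pnr"):
        start, width = _offset(name)
        out[start:start + width] = "X" * width
    return "".join(out)


if __name__ == "__main__":
    parsed = parse_bcbp(SAMPLE)
    print("credentials recoverable from the barcode:", booking_credentials(parsed))
    print("flight:", parsed["carrier"], parsed["flight_number"],
          flight_date(parsed["day_of_year"], 2017), "seat", parsed["seat"])
    print("redacted:", redact_for_sharing(SAMPLE))
```

Redacting the barcode string only matters if the same values are not also printed in clear text next to it; the practical advice remains not to post the pass at all until the trip is over.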
Here's an excerpt from Reuters:
Major travel booking systems lack a proper way to authenticate air travelers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned on Tuesday.
Passenger Name Records (PNR) are used to store reservations with links to a traveler’s name, travel dates, itinerary, ticket details, phone and email contacts, travel agent, credit card numbers, seat number and baggage information.
With just a passenger's last name, the researchers were able to use computer guesswork to find associated booking codes within hours and thereby gain access to travel records.
Travelers will never know who accessed their information, because PNR data is not logged, the researchers said. Users have no option to secure these codes themselves because the credentials are arbitrarily assigned by airlines using the booking systems.
And here is one from Kaspersky:
Depending on the booking system's rules, GDS records usually contain a passenger's name, phone number, date of birth, and passport data, as well as their ticket number, departure and destination ports, and flight date and time. They also include payment information (such as a credit card number). Quite sensitive information, in other words.
Nohl and Nikodijevic pointed out that a lot of people have access to this data, including airline workers, tour operators, hotel representatives, and other agents. The researchers suppose that governmental agencies can read this data as well. But it's only the tip of the iceberg.
One more extremely disappointing fact: Despite experts and media raising this question numerous times in recent years, GDS companies still refuse to log PNR accesses. That’s why nobody can trace the vast majority of abuse cases. Few incidents even become known — for example, when criminals outright stole tickets from travelers and victims complained. As for the more intelligent fraud and data theft, specialists are unable to evaluate the scope of the problem.
I didn't know that the GDSs don't log PNR access (meaning who viewed the record). If changes are made to the itinerary, the GDS does have on file the name of the agent etc. who initiated the change, but a read-only lookup leaves no trace.
It wouldn't be that difficult to call an airline pretending to be the traveler and make changes (as some have found out when relationships have soured) merely by having the record locator and the passenger name.
There should be a right balance between making the information easy for the traveler to access and ensuring that unintended third parties can't get to it. A short code that is printed on the boarding pass and visible to every agent in the chain works as an identifier, not as a secret, so it shouldn't be the only thing standing between a caller and the reservation.