All travel managers should be aware of a news story which may easily have been lost because it appeared between the Christmas goose and the New Year fireworks.
Karsten Nohl and Nemanja Nikodijevic from SR Labs presented some research results at the Chaos Communication Congress, an annual conference for hackers which takes place between Christmas and New Year. The research revealed security flaws in the way the global distribution systems (GDSs) protect passenger name records (PNRs).
The problem they outline sounds quite simple. A PNR contains valuable personal data such as credit card and passport information. The whole record can be retrieved from a flight booking with only the traveller's last name and the six-character booking reference (the record locator) generated by the GDS which was used to make the booking.
The GDS systems are old and can be hacked more easily than we think for a couple of reasons. First, they do not generate booking references in as random a manner as one might expect. Some GDS systems use the same two letters on all bookings made on a given day; others tie part of the booking reference to specific carriers. Once an attacker can predict some of the characters, far fewer guesses remain, and since nothing stops a script from submitting thousands of guesses a minute against a known last name, the remaining search space can simply be worked through.
Second, the vulnerability doesn't start and end with the booking reference being discovered. Most website processes that involve personal or financial data ask supplementary questions after an email address and password have been accepted, to ensure that the person accessing the data is entitled to do so. This usually means providing answers to questions that only the individual in question would know, such as a memorable date or a favourite pet's name. For a flight booking, however, nothing is required other than the six-character code and the last name.
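To make the two weaknesses above concrete, here is a small simulation written for this article; it is not code from SR Labs or from any GDS. It models a hypothetical booking store in which every locator issued on one day shares a fixed two-character prefix (the first weakness) and in which a lookup needs only last name plus locator, with no lockout unless one is configured (the second weakness). The daily prefix "AB", the constructed sample booking, the fixed tail "CQ7X" used for a reproducible run, and the five-guess lockout are all assumptions made for the example.

```python
"""
Hypothetical model of a booking lookup protected only by last name + locator.
Not any real GDS: the prefix scheme, lockout rule and records are invented.
"""
import itertools
import math
import random
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols, as in real locators
LOCATOR_LEN = 6


def locator_bits(known_chars: int = 0) -> float:
    """Entropy (bits) left in a locator once `known_chars` positions are predictable."""
    return (LOCATOR_LEN - known_chars) * math.log2(len(ALPHABET))


def guesses_to_reach(locator: str, known_prefix: str) -> int:
    """Number of guesses a lexicographic enumeration needs to hit `locator`
    when the attacker already knows `known_prefix` (1-based rank of the tail)."""
    rank = 0
    for ch in locator[len(known_prefix):]:
        rank = rank * len(ALPHABET) + ALPHABET.index(ch)
    return rank + 1


class LockedOut(Exception):
    """Raised when the (optional) per-name lockout refuses further guesses."""


class BookingStore:
    """Records keyed by (LASTNAME, locator); `daily_prefix` is shared by every
    booking of the day; `max_attempts=None` means no throttling at all."""

    def __init__(self, daily_prefix: str, max_attempts: Optional[int] = None):
        self.daily_prefix = daily_prefix
        self.max_attempts = max_attempts
        self.records = {}
        self.failed = {}          # failed lookups per last name

    def book(self, last_name: str, itinerary: str, tail: Optional[str] = None) -> str:
        # tail=None draws the remaining characters at random; a fixed tail makes runs reproducible
        if tail is None:
            tail = "".join(random.choice(ALPHABET) for _ in range(LOCATOR_LEN - len(self.daily_prefix)))
        locator = self.daily_prefix + tail
        self.records[(last_name.upper(), locator)] = {"itinerary": itinerary, "name": last_name}
        return locator

    def lookup(self, last_name: str, locator: str) -> Optional[dict]:
        key = last_name.upper()
        if self.max_attempts is not None and self.failed.get(key, 0) >= self.max_attempts:
            raise LockedOut(key)
        rec = self.records.get((key, locator.upper()))
        if rec is None:
            self.failed[key] = self.failed.get(key, 0) + 1
        return rec


def brute_force(store: BookingStore, last_name: str, known_prefix: str = "") -> Tuple[Optional[str], int]:
    """Enumerate every locator starting with `known_prefix` against one last name.
    Returns (locator, guesses submitted) on success or (None, guesses) if locked out
    or exhausted."""
    guesses = 0
    for tail in itertools.product(ALPHABET, repeat=LOCATOR_LEN - len(known_prefix)):
        candidate = known_prefix + "".join(tail)
        try:
            rec = store.lookup(last_name, candidate)
        except LockedOut:
            return None, guesses
        guesses += 1
        if rec is not None:
            return candidate, guesses
    return None, guesses


def demo() -> dict:
    """Constructed sample: one traveller, booked on a day whose prefix is 'AB'."""
    open_store = BookingStore(daily_prefix="AB")                  # no throttling
    loc = open_store.book("Traveller", "LHR-FRA 2017-01-10", tail="CQ7X")
    found, n_open = brute_force(open_store, "Traveller", known_prefix="AB")

    hardened = BookingStore(daily_prefix="AB", max_attempts=5)    # lockout after 5 misses
    hardened.book("Traveller", "LHR-FRA 2017-01-10", tail="CQ7X")
    _, n_locked = brute_force(hardened, "Traveller", known_prefix="AB")

    return {"locator": loc, "found": found, "guesses_open": n_open,
            "guesses_locked": n_locked, "bits_full": locator_bits(0), "bits_prefix_known": locator_bits(2)}


if __name__ == "__main__":
    print(demo())
```

The run shows the point of the article in numbers: a six-character locator has about 31 bits of entropy, a known daily prefix cuts that to about 21 bits, and against a store with no lockout the script recovers the sample booking after roughly 115,000 automated guesses, which is minutes of work; the same script against the lockout variant is stopped after five. A lockout is only a stop-gap, since it can be evaded by spreading guesses over many names; the real fix is a second factor the locator cannot substitute for.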
Governments, TMCs (travel management companies) and corporate travel departments pay a lot of attention to duty of care to maximise travellers' safety, but there are other issues at stake if GDS bookings are indeed, as SR Labs' research suggests, easy to hack. Flights could be taken over and used or sold, as could the points in individual travellers' loyalty programme accounts; bookings could be cancelled or changed.
Moreover, the financial damage could be indirect as well as direct. Convincing phishing emails could be crafted from the personal contact and itinerary information held in the GDS, with grave consequences.
The GDS has served the travel industry well for more than half a century.
But, as delegates to the conference discovered, it may just be due for an overhaul to face the challenges of the 21st century.