A Hacker Exposed the Ancient Flaw That Makes Airlines So Hackable – Popular Mechanics
I missed this when it first happened, but apparently there was some glitch through El Al that allowed this guy to hack into passenger reservations on Amadeus. I went back and forth with the author in detail about why I didn’t think this was likely as big of a deal as they’re making it sound. I’ve been trying to do more research on my own, but Amadeus won’t talk to me outside of giving me a bland statement that starts with…
At Amadeus, we give security the highest priority and are constantly monitoring and updating all of our products and systems. We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed. We can confirm that Amadeus has not detected any data breach and that no data from travelers was disclosed. We regret any disruption this situation may have caused.
I still don’t think this is as big of a deal as it’s being made out to be, but without Amadeus being willing to talk, it’s going to be hard to get into the full details.
Why issues that delayed flights at BWI are an industry-wide problem – WUSA9 Washington, DC
There was a computer glitch that caused Southwest flights at BWI to be delayed earlier this week, and WUSA reached out to me to talk about why these things keep happening. I certainly didn’t know the specifics of this incident, but I talked about it broadly. The end result is what happens when you don’t have time to run home and get a nice shirt before the Skype interview. (At least I wasn’t wearing a t-shirt…)
5 comments on “Cranky on the Web: Hacking Your Reservations, Southwest Computer Problems in Baltimore”
At least you made your bed before the skype interview!
In general I think facial hair suits no man except Jake Gyllenhaal. However I think this beard suits you and is camera ready.
Ha, thanks. Every year or two I get bored and grow the beard out. We’ll see how long it lasts this time.
I think the pertinent part is this :
“Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram. But that’s just the tip of the iceberg.” [from the original linked blog entry]
If the record locator and passenger name are sent around the internet in clear text and not encrypted I understand the potential risk.
Being able to retrieve a booking with last name (sometimes first name too, Swiss, for example) and record locator (also referred to as booking code) is extremely convenient in this day and age. The downside being that anybody with this information can cause all kinds of mayhem with a booking (or even all open bookings with an airline). Such information should *never* be sent around the internet in clear text. So if the claim is true this is indeed a security risk.
If somebody is dumb enough to publish images of his bording pass or flight reservation for all and sundry to see, however, then I really don’t feel too sorry for them. You can brag about your holiday, if you must, without publishing such sensitive information.
Note this also applies for publishing the QR -, or bar-code from your booking or bording pass, it’s relatively easy to decifer and apps are widely available to do just that.
Alain – Yes, I remember back when US Airways used to require the record locator and departure date, not name. They figured it was easy to figure out a name if you had the locator, but it wouldn’t be as quick to know the departure date. But for something like this, while it does give people the ability to manipulate or cancel a reservation, it wouldn’t allow them to do it without charging their own card. The airlines may store credit cards in a personal login, but if you just pull up a trip without logging in, you would have to enter in a new card. Further, if you make a change or cancel, then it should send directly to the original email address on file. If something wasn’t supposed to happen, then I would assume that person could call the airline and have it reinstated assuming it happens quickly. I don’t know how El Al works specifically, but that’s how US-based airlines work, at least. And then of course, this wouldn’t be an Amadeus issue but rather a website issue. Interesting to ponder this.