SlideShare a Scribd company logo

В Instagram можно найти фотографии авиабилетов и присвоить себе бонусные мили

Anatol Alizar
Anatol Alizar

В Instagram можно найти фотографии авиабилетов и присвоить себе бонусные мили

Software
1 of 24
Download to read offline
SRLabs Template v12 Where in the World Is Carmen Sandiego? Karsten Nohl <nohl@srlabs.de> Nemanja Nikodijević <nemanja@srlabs.de>
as Logo Horizontal Pos / Neg Global booking systems store data from airlines and passengers 2 Booking systems / GDS Fares Availability Reservations Booking agents Booking web sites Travel agencies Create reservations Travel providers Airlines Hotels Car rental companies Update fares, Change availability rules
as Logo Horizontal Pos / Neg GDS store price and availability rules TAP (TP) OLDEUSTP HAM to SFO General notes BASIC SEASON ECONOMY ONE WAY SPECIAL EXCURSION FARES Between EUROPE and THE UNITED STATES APPLIES FOR ONE WAY FARES Category 3: Seasonal restrictions PERMITTED 01NOV THROUGH 15DEC OR 31DEC THROUGH 12MAY FOR EACH TRIP. Category 4: Flight restrictions IF THE FARE COMPONENT INCLUDES TRAVEL WITHIN EUROPE THEN THAT TRAVEL MUST BE ON ONE OR MORE OF THE FOLLOWING ANY TP FLIGHT OPERATED BY TP … Fare Availability 3
as Logo Horizontal Pos / Neg GDS also store reservations including personal information 4 Reservation / PNR
as Logo Horizontal Pos / Neg Three GDS dominate the market 5 Booking agents Expedia GDS Amadeus Sabre Galileo (now part of Travelport) Airlines (examples) AirBerlin Aeroflot Example: An American Airlines ticket booked through Expedia is kept in Amadeus and Sabre American Airlines Not really used by airlines Lufthansa
as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging We were curious about the protection of passenger information 6 Which web service security basics are implemented in GDS? ? ? ? ? GDS may be insecure: § Booking systems (GDS) go back to the 70s and 80s § They were the first “cloud” before the term (or the Internet) existed § Can such systems have modern security? GDS may be secure: § Passenger data has been in dispute between governments for years § Especially the EU expressed strong political will to protect traveler data Our research motivation
as Logo Horizontal Pos / Neg GDS have very coarse access restrictions 7 PNR space Airline staff can access all PNRs that are in any way connected to that airline Booking agents can access any ticket connected to the agency One PNR (can include different airlines) GDS staff can access all PNRs Too much information – § The PNR includes all info from different providers (flight, hotel, car) for providers to see § Includes payment information address, credit card incl. expiry Too much access – plenty of people have access to private booking details: 1. Employees of the travel agency/website that created the booking 2. Employees of the travel providers included on the PNR 3. Employees of any of the GDS involved in any part of the PNR, including external support companies 4. Allegedly the US DHS Access control: Very little
as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Are booking systems protected with basic security controls? 8 Web service security basics
as Logo Horizontal Pos / Neg Authentication options range from weak to very weak 9 Agent <Agent id>User: WS<DDMMYY>pw: GDS <Last name> <Booking code> Traveler Travel/airline agent access § Traditionally over direct connections § Today as web service that connects over the open Internet § Passwords often terrible Traveler access § Forgot to assign user names or passwords, oops! § Let’s use last name as user name; and booking code / PNR locator as password § These “passwords” cannot be changed and are widely shared between operators Authentication: Fail Login:
as Logo Horizontal Pos / Neg PNRs can be gathered offline 10
as Logo Horizontal Pos / Neg PNRs can be gathered online 11 Instagram Travel details
as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Are booking systems protected with basic security controls? 12 Web service security basics
as Logo Horizontal Pos / Neg Flight theft Mile diversion Privacy intrusion Phishing Travelers’ private information is accessible 13 PNR abuse Anybody with access to the PNR locator (6-digit number) and last name can access: § Identity details; possibly including hotels and car rentals § Frequent flyer details § Contact information: Phone number, e-mail address, often postal address § Often date of birth and passport details Agents (or hackers) with direct GDS access also see: § Payment information: Credit card # and expiry § IP address (if booked online) Stalking Tracking Photo of luggage tag or boarding pass Last name PNR bruteforce search Privacy intrusion Abuse Scenarios Travel details, contact info
as Logo Horizontal Pos / Neg Flight theft Mile diversion Privacy intrusion Phishing Fraudsters can possibly steal flights 14 * Miscellaneous charges order § Airlines typically only authenticate passengers with the PNR locator, even for ticket changes § Different airlines allow different actions: – All allow date and flight changes (at least on some tickets) – Few allow name changes – Most allow some form of refund, often for a coupon Abuse Scenarios Bruteforce search tickets for common name Refund for credit in PNR Refund for MCO* Fly for free Book new flight with credit PNR abuse Change name, e-mail, and date Change e-mail and date and take the flight (on an airline that does not check ID) Select flexible ticket
as Logo Horizontal Pos / Neg Flight theft Privacy intrusion Phishing Mile diversion Mile diversion § Adding a miles number (with the right name) to a booking diverts a victim’s miles § Miles can be redeemed for free flights, hotel nights, or gift certificates Miles can be stolen, fully remotely 15 PNR abuse Abuse Scenario Bruteforce search for common name Selects expensive tickets Create miles account in passenger name Add or change miles account in booking Convert on redeem collected miles Example EU-Australia Round-trip First class 10,000 miles x 2 x 3 60,000 miles ~ 900 USD
as Logo Horizontal Pos / Neg All path to a booking need to be secured 16 American Airlines asks for first name ViewTrip + TripCase provide alternative path w/o first name 1. Brute-force PNR + last name on ViewTrip 2. Check details on TripCase
as Logo Horizontal Pos / Neg PNRs can be guessed 17 Guessability Sequential Amadeus ✓ Sabre ✗ Galileo Entropy 28.6 bits: § 1st digit: 2-8, X-Z § 2nd: Depends on 1st (38 of 340 combinations invalid) § 2nd-6th: 2-9, A-Z 28.2 bits: § 1st-6th: A-Z § (Namespace split by airline) 28.9 bits: § 1st: 1-9, A-Z (except F-I, O, U, Y) § 2nd -5th: 0-9, B-Z (except E, I, O,U,Y) § 6th: 0-9, A-Z, but last bit ignored! Brute-force susceptibility Airlines (examples) Lufthansa § Standard: § Mobile: Captcha max 30 rqs/IP Air Berlin max 1,000 rqs à Captcha American Airlines ✓ + First name Aeroflot ✓ Not really used by airlines, but instead by booking agents GDS-provided CheckMyTrip § Classic: § Current: killed ineffective Captcha, max 1,000 requests/IP Virtually There § Direct PNR access for some airlines (e.g. Etihad), for others: redirect to airline website (e.g. AA, Aeroflot) ✓ View Trip ✓ ✓ ✓ à ✓ à Helps against targeted privacy intrusion, but not fraud
as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Are booking systems protected with basic security controls? 18 Web service security basics
as Logo Horizontal Pos / Neg Flight theft Mile diversion Privacy intrusion Phishing Data disclosure exposes travelers to targeted attacks 19 § Due to their sequential nature, fraudsters can find recently created PNRs § And then send very targeted phishing e-mails Abuse Scenario Poll for common last name and recent PNRs (in a GDS where PNRs are sequential) Fetch e-mail address from booking Phish for frequent flyer login or credit card information PNR abuse Phishing From: LH.com online@booking-lufthansa.com Subject: Booking Details | Departure: 22 August 2016 | TXL-MUC | Reservation code: Z8JC8R Date: August 7, 2016 at 18:55 To: BSCHLABS@GMAIL.COM Lufthansa booking code: URGENT: Please update your payment information 33C3PO SANDIEGO / CARMEN MS Miles & More: XXXXXXXXXXX0054 Ticket no.: 220-2376788232 If you cannot view this e-mail properly, please open the attached PDF version. Do not reply to this e-mail. Additional support is available via the FAQs. URGENT NOTICE: Your payment has been rejected IMPORTANT: The following transaction has been rejected, so we are unable to process payment for you DE (HAM) on 31 December. Your reservation is currently ON HOLD FOR 24 HOURS. Please update information to confirm your reservation. Passenger Information Receipt and additional documents NOTE: Your receipt for this itinerary cannot currently be provided. PLEASE UPDATE YOUR PAYMENT INFORMATION. Option for download is valid up to 90 days after end of travel. From: LH.com online@booking-lufthansa.com Subject: Booking Details | Departure: 22 August 2016 | TXL-MUC | Reservation code: Z8JC8R Date: August 7, 2016 at 18:55 To: BSCHLABS@GMAIL.COM Lufthansa booking code: URGENT: Please update your payment information 33C3PO SANDIEGO / CARMEN MS Miles & More: XXXXXXXXXXX0054 Ticket no.: 220-2376788232 07:0​0​ h MUNICH DE MUNICH INTERNATIONAL (MUC) TERMINAL 2 08:1​5​ h HAMBURG DE (HAM) TERMINAL 2 Status: confirmed Seat: 03A* Class/fare: BUSINESS (Z) If you cannot view this e-mail properly, please open the attached PDF version. Do not reply to this e-mail. Additional support is available via the FAQs. URGENT NOTICE: Your payment has been rejected IMPORTANT: The following transaction has been rejected, so we are unable to process payment for your trip to HAMBURG DE (HAM) on 31 December. Your reservation is currently ON HOLD FOR 24 HOURS. Please update your payment information to confirm your reservation. Passenger Information Receipt and additional documents NOTE: Your receipt for this itinerary cannot currently be provided. PLEASE UPDATE YOUR PAYMENT INFORMATION. Option for download is valid up to 90 days after end of travel. Your itinerary Sat. 31 December 2016: MUNICH DE - HAMBURG DE LH2060 operated by: LUFTHANSA
as Logo Horizontal Pos / Neg Guessability issues are not limited to large GDS 20 SITA § Only 4 digits to guess, plus one digit for airline Oman Air (Sabre) Pakistan International Airlines (Sabre) § Won the race for easiest guessability § Guess one city in itinerary instead of last name (Muscat, duh!) Ryan Air (Navitaire, an Amadeus subsidiary) § Uneven distribution makes it easier to guess PNR § Guess 4 credit card digits instead of last name Other noteworthy systems we did not look at: § MACS (Emirates) § Troya (Turkish Airlines) § HP Shares (United, and others)
as Logo Horizontal Pos / Neg PNR access is not logged 21 Logging/accountability: Fail § For years, questions were raised over who is accessing PNRs § Until today, GDS providers refuse to log read access to this private data (write access has always been logged) § Can more research motivate finally adding logging and make transparent to travelers who accesses their information?
as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Booking systems lack basic security controls 22 Web service security basics
as Logo Horizontal Pos / Neg We need better protected booking systems 23 In summary What we need Coarse access control § A few global databases keep information on travelers, in systems that have grown for decades and now lack modern IT security § Limitations on which agents (and governments!) can access what information Weak authentication § Passengers authenticate only with their last name and a low-entropy (often sequential) booking code, which is also printed on passes and tags § Passwords for bookings Insufficient rate limiting § Numerous web interfaces permit brute- forcing of these booking codes, putting travelers’ privacy at risk § Minimum web service security for all exposed interfaces No logging § Travelers will never know who accessed their information, since PNR access is intentionally not logged § Strict logging of any access to personal information
as Logo Horizontal Pos / Neg Thank you! 24 Questions? Karsten Nohl <nohl@srlabs.de> Nemanja Nikodijević <nemanja@srlabs.de> Many thanks to Luca Melette, Sebastian Götte, and Patrick Lucey for making this research possible! Thank you Ed Hasbrouck, Hendrik Scholz, and Seth Miller for very valuable feedback!

Recommended

Dawn Chastain official transcript Metropolitan State University of Denver
Dawn Chastain official transcript Metropolitan State University of DenverDawn Chastain official transcript Metropolitan State University of Denver
Dawn Chastain official transcript Metropolitan State University of DenverDawn Chastain
 
Рядовые сотрудники Uber использовали «режим Бога» для слежки за бывшими
Рядовые сотрудники Uber использовали «режим Бога» для слежки за бывшимиРядовые сотрудники Uber использовали «режим Бога» для слежки за бывшими
Рядовые сотрудники Uber использовали «режим Бога» для слежки за бывшимиAnatol Alizar
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Brendan Gregg
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and moreBrendan Gregg
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at NetflixBrendan Gregg
 

Recommended

Dawn Chastain official transcript Metropolitan State University of Denver
Dawn Chastain official transcript Metropolitan State University of DenverDawn Chastain official transcript Metropolitan State University of Denver
Dawn Chastain official transcript Metropolitan State University of DenverDawn Chastain
 
Рядовые сотрудники Uber использовали «режим Бога» для слежки за бывшими
Рядовые сотрудники Uber использовали «режим Бога» для слежки за бывшимиРядовые сотрудники Uber использовали «режим Бога» для слежки за бывшими
Рядовые сотрудники Uber использовали «режим Бога» для слежки за бывшимиAnatol Alizar
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Brendan Gregg
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and moreBrendan Gregg
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at NetflixBrendan Gregg
 
Basic Reservation and Ticketing AMADEUS selling platform connect bsp
Basic Reservation and Ticketing AMADEUS selling platform connect bspBasic Reservation and Ticketing AMADEUS selling platform connect bsp
Basic Reservation and Ticketing AMADEUS selling platform connect bspKORNKAWIN JIRACHAIYAKAN
 
Reservation form
Reservation formReservation form
Reservation formAmanpreet kaur
 
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation DatabaseEntity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation DatabaseWilliam Turnley
 
Overview of airline booking process
Overview of airline booking processOverview of airline booking process
Overview of airline booking processJava and .NET Architect
 
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Edutour
 
Amadeus Quick Reference Guide
Amadeus Quick Reference GuideAmadeus Quick Reference Guide
Amadeus Quick Reference GuideA. S. M. Raiahan
 
Lesson 7 Amadeus AIR
Lesson 7 Amadeus AIRLesson 7 Amadeus AIR
Lesson 7 Amadeus AIRAngelina Njegus
 
Lesson 8 Basic PNR
Lesson 8 Basic PNRLesson 8 Basic PNR
Lesson 8 Basic PNRAngelina Njegus
 
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Anatol Alizar
 
Lectures on Analytic Geometry
Lectures on Analytic GeometryLectures on Analytic Geometry
Lectures on Analytic GeometryAnatol Alizar
 
Military Cryptanalytics II
Military Cryptanalytics IIMilitary Cryptanalytics II
Military Cryptanalytics IIAnatol Alizar
 
Британская разведка не может нанять шпионов
Британская разведка не может нанять шпионовБританская разведка не может нанять шпионов
Британская разведка не может нанять шпионовAnatol Alizar
 
Libratus
LibratusLibratus
LibratusAnatol Alizar
 
Исковое заявление Waymo
Исковое заявление WaymoИсковое заявление Waymo
Исковое заявление WaymoAnatol Alizar
 
Решение окружного суда Северной Калифорнии
Решение окружного суда Северной КалифорнииРешение окружного суда Северной Калифорнии
Решение окружного суда Северной КалифорнииAnatol Alizar
 
Facebook обвиняют в плагиате проекта дата-центра в Швеции
Facebook обвиняют в плагиате проекта дата-центра в ШвецииFacebook обвиняют в плагиате проекта дата-центра в Швеции
Facebook обвиняют в плагиате проекта дата-центра в ШвецииAnatol Alizar
 
Cloud Spanner
Cloud SpannerCloud Spanner
Cloud SpannerAnatol Alizar
 
Песочница Chrome нарушает три патента
Песочница Chrome нарушает три патентаПесочница Chrome нарушает три патента
Песочница Chrome нарушает три патентаAnatol Alizar
 
Российский интернет на военном положении
Российский интернет на военном положенииРоссийский интернет на военном положении
Российский интернет на военном положенииAnatol Alizar
 
Судья приказал Google выдать почту пользователя с зарубежных серверов
Судья приказал Google выдать почту пользователя с зарубежных серверовСудья приказал Google выдать почту пользователя с зарубежных серверов
Судья приказал Google выдать почту пользователя с зарубежных серверовAnatol Alizar
 
Zenimax-v-oculus-amended-complaint
Zenimax-v-oculus-amended-complaintZenimax-v-oculus-amended-complaint
Zenimax-v-oculus-amended-complaintAnatol Alizar
 
Oculus jury response
Oculus jury responseOculus jury response
Oculus jury responseAnatol Alizar
 

More Related Content

Similar to В Instagram можно найти фотографии авиабилетов и присвоить себе бонусные мили

Basic Reservation and Ticketing AMADEUS selling platform connect bsp
Basic Reservation and Ticketing AMADEUS selling platform connect bspBasic Reservation and Ticketing AMADEUS selling platform connect bsp
Basic Reservation and Ticketing AMADEUS selling platform connect bspKORNKAWIN JIRACHAIYAKAN
 
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation DatabaseEntity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation DatabaseWilliam Turnley
 
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Edutour
 
Amadeus Quick Reference Guide
Amadeus Quick Reference GuideAmadeus Quick Reference Guide
Amadeus Quick Reference GuideA. S. M. Raiahan
 

Similar to В Instagram можно найти фотографии авиабилетов и присвоить себе бонусные мили (8)

Basic Reservation and Ticketing AMADEUS selling platform connect bsp
Basic Reservation and Ticketing AMADEUS selling platform connect bspBasic Reservation and Ticketing AMADEUS selling platform connect bsp
Basic Reservation and Ticketing AMADEUS selling platform connect bsp
 
Reservation form
Reservation formReservation form
Reservation form
 
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation DatabaseEntity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
Entity Relationship Diagram for Fiat Voluntas Tua Travel Reservation Database
 
Overview of airline booking process
Overview of airline booking processOverview of airline booking process
Overview of airline booking process
 
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
 
Amadeus Quick Reference Guide
Amadeus Quick Reference GuideAmadeus Quick Reference Guide
Amadeus Quick Reference Guide
 
Lesson 7 Amadeus AIR
Lesson 7 Amadeus AIRLesson 7 Amadeus AIR
Lesson 7 Amadeus AIR
 
Lesson 8 Basic PNR
Lesson 8 Basic PNRLesson 8 Basic PNR
Lesson 8 Basic PNR
 

More from Anatol Alizar

Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Anatol Alizar
 
Lectures on Analytic Geometry
Lectures on Analytic GeometryLectures on Analytic Geometry
Lectures on Analytic GeometryAnatol Alizar
 
Military Cryptanalytics II
Military Cryptanalytics IIMilitary Cryptanalytics II
Military Cryptanalytics IIAnatol Alizar
 
Британская разведка не может нанять шпионов
Британская разведка не может нанять шпионовБританская разведка не может нанять шпионов
Британская разведка не может нанять шпионовAnatol Alizar
 
Исковое заявление Waymo
Исковое заявление WaymoИсковое заявление Waymo
Исковое заявление WaymoAnatol Alizar
 
Решение окружного суда Северной Калифорнии
Решение окружного суда Северной КалифорнииРешение окружного суда Северной Калифорнии
Решение окружного суда Северной КалифорнииAnatol Alizar
 
Facebook обвиняют в плагиате проекта дата-центра в Швеции
Facebook обвиняют в плагиате проекта дата-центра в ШвецииFacebook обвиняют в плагиате проекта дата-центра в Швеции
Facebook обвиняют в плагиате проекта дата-центра в ШвецииAnatol Alizar
 
Песочница Chrome нарушает три патента
Песочница Chrome нарушает три патентаПесочница Chrome нарушает три патента
Песочница Chrome нарушает три патентаAnatol Alizar
 
Российский интернет на военном положении
Российский интернет на военном положенииРоссийский интернет на военном положении
Российский интернет на военном положенииAnatol Alizar
 
Судья приказал Google выдать почту пользователя с зарубежных серверов
Судья приказал Google выдать почту пользователя с зарубежных серверовСудья приказал Google выдать почту пользователя с зарубежных серверов
Судья приказал Google выдать почту пользователя с зарубежных серверовAnatol Alizar
 
Zenimax-v-oculus-amended-complaint
Zenimax-v-oculus-amended-complaintZenimax-v-oculus-amended-complaint
Zenimax-v-oculus-amended-complaintAnatol Alizar
 
Oculus jury response
Oculus jury responseOculus jury response
Oculus jury responseAnatol Alizar
 
13 млн документов ЦРУ рассекречено и опубликовано в онлайне
13 млн документов ЦРУ рассекречено и опубликовано в онлайне13 млн документов ЦРУ рассекречено и опубликовано в онлайне
13 млн документов ЦРУ рассекречено и опубликовано в онлайнеAnatol Alizar
 
Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...
Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...
Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...Anatol Alizar
 
Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...
Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...
Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...Anatol Alizar
 
Немецкий суд объяснил, почему блокировщики рекламы не нарушают закон
Немецкий суд объяснил, почему блокировщики рекламы не нарушают законНемецкий суд объяснил, почему блокировщики рекламы не нарушают закон
Немецкий суд объяснил, почему блокировщики рекламы не нарушают законAnatol Alizar
 
ДНК составляет лишь половину объёма хромосом
ДНК составляет лишь половину объёма хромосомДНК составляет лишь половину объёма хромосом
ДНК составляет лишь половину объёма хромосомAnatol Alizar
 
Слияние Tesla и SolarCity
Слияние Tesla и SolarCityСлияние Tesla и SolarCity
Слияние Tesla и SolarCityAnatol Alizar
 

More from Anatol Alizar (20)

Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
 
Lectures on Analytic Geometry
Lectures on Analytic GeometryLectures on Analytic Geometry
Lectures on Analytic Geometry
 
Military Cryptanalytics II
Military Cryptanalytics IIMilitary Cryptanalytics II
Military Cryptanalytics II
 
Британская разведка не может нанять шпионов
Британская разведка не может нанять шпионовБританская разведка не может нанять шпионов
Британская разведка не может нанять шпионов
 
Libratus
LibratusLibratus
Libratus
 
Исковое заявление Waymo
Исковое заявление WaymoИсковое заявление Waymo
Исковое заявление Waymo
 
Решение окружного суда Северной Калифорнии
Решение окружного суда Северной КалифорнииРешение окружного суда Северной Калифорнии
Решение окружного суда Северной Калифорнии
 
Facebook обвиняют в плагиате проекта дата-центра в Швеции
Facebook обвиняют в плагиате проекта дата-центра в ШвецииFacebook обвиняют в плагиате проекта дата-центра в Швеции
Facebook обвиняют в плагиате проекта дата-центра в Швеции
 
Cloud Spanner
Cloud SpannerCloud Spanner
Cloud Spanner
 
Песочница Chrome нарушает три патента
Песочница Chrome нарушает три патентаПесочница Chrome нарушает три патента
Песочница Chrome нарушает три патента
 
Российский интернет на военном положении
Российский интернет на военном положенииРоссийский интернет на военном положении
Российский интернет на военном положении
 
Судья приказал Google выдать почту пользователя с зарубежных серверов
Судья приказал Google выдать почту пользователя с зарубежных серверовСудья приказал Google выдать почту пользователя с зарубежных серверов
Судья приказал Google выдать почту пользователя с зарубежных серверов
 
Zenimax-v-oculus-amended-complaint
Zenimax-v-oculus-amended-complaintZenimax-v-oculus-amended-complaint
Zenimax-v-oculus-amended-complaint
 
Oculus jury response
Oculus jury responseOculus jury response
Oculus jury response
 
13 млн документов ЦРУ рассекречено и опубликовано в онлайне
13 млн документов ЦРУ рассекречено и опубликовано в онлайне13 млн документов ЦРУ рассекречено и опубликовано в онлайне
13 млн документов ЦРУ рассекречено и опубликовано в онлайне
 
Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...
Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...
Тот день, когда аноны с 4chan затроллили разведывательные агентства и мировые...
 
Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...
Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...
Ещё шесть радиосигналов неизвестной природы получены из-за пределов нашей гал...
 
Немецкий суд объяснил, почему блокировщики рекламы не нарушают закон
Немецкий суд объяснил, почему блокировщики рекламы не нарушают законНемецкий суд объяснил, почему блокировщики рекламы не нарушают закон
Немецкий суд объяснил, почему блокировщики рекламы не нарушают закон
 
ДНК составляет лишь половину объёма хромосом
ДНК составляет лишь половину объёма хромосомДНК составляет лишь половину объёма хромосом
ДНК составляет лишь половину объёма хромосом
 
Слияние Tesla и SolarCity
Слияние Tesla и SolarCityСлияние Tesla и SolarCity
Слияние Tesla и SolarCity
 

Recently uploaded

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profileakrivarotava
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 

Recently uploaded (20)

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profile
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 

В Instagram можно найти фотографии авиабилетов и присвоить себе бонусные мили

  • 2. as Logo Horizontal Pos / Neg Global booking systems store data from airlines and passengers 2 Booking systems / GDS Fares Availability Reservations Booking agents Booking web sites Travel agencies Create reservations Travel providers Airlines Hotels Car rental companies Update fares, Change availability rules
  • 3. as Logo Horizontal Pos / Neg GDS store price and availability rules TAP (TP) OLDEUSTP HAM to SFO General notes BASIC SEASON ECONOMY ONE WAY SPECIAL EXCURSION FARES Between EUROPE and THE UNITED STATES APPLIES FOR ONE WAY FARES Category 3: Seasonal restrictions PERMITTED 01NOV THROUGH 15DEC OR 31DEC THROUGH 12MAY FOR EACH TRIP. Category 4: Flight restrictions IF THE FARE COMPONENT INCLUDES TRAVEL WITHIN EUROPE THEN THAT TRAVEL MUST BE ON ONE OR MORE OF THE FOLLOWING ANY TP FLIGHT OPERATED BY TP … Fare Availability 3
  • 4. as Logo Horizontal Pos / Neg GDS also store reservations including personal information 4 Reservation / PNR
  • 5. as Logo Horizontal Pos / Neg Three GDS dominate the market 5 Booking agents Expedia GDS Amadeus Sabre Galileo (now part of Travelport) Airlines (examples) AirBerlin Aeroflot Example: An American Airlines ticket booked through Expedia is kept in Amadeus and Sabre American Airlines Not really used by airlines Lufthansa
  • 6. as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging We were curious about the protection of passenger information 6 Which web service security basics are implemented in GDS? ? ? ? ? GDS may be insecure: § Booking systems (GDS) go back to the 70s and 80s § They were the first “cloud” before the term (or the Internet) existed § Can such systems have modern security? GDS may be secure: § Passenger data has been in dispute between governments for years § Especially the EU expressed strong political will to protect traveler data Our research motivation
  • 7. as Logo Horizontal Pos / Neg GDS have very coarse access restrictions 7 PNR space Airline staff can access all PNRs that are in any way connected to that airline Booking agents can access any ticket connected to the agency One PNR (can include different airlines) GDS staff can access all PNRs Too much information – § The PNR includes all info from different providers (flight, hotel, car) for providers to see § Includes payment information address, credit card incl. expiry Too much access – plenty of people have access to private booking details: 1. Employees of the travel agency/website that created the booking 2. Employees of the travel providers included on the PNR 3. Employees of any of the GDS involved in any part of the PNR, including external support companies 4. Allegedly the US DHS Access control: Very little
  • 8. as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Are booking systems protected with basic security controls? 8 Web service security basics
  • 9. as Logo Horizontal Pos / Neg Authentication options range from weak to very weak 9 Agent <Agent id>User: WS<DDMMYY>pw: GDS <Last name> <Booking code> Traveler Travel/airline agent access § Traditionally over direct connections § Today as web service that connects over the open Internet § Passwords often terrible Traveler access § Forgot to assign user names or passwords, oops! § Let’s use last name as user name; and booking code / PNR locator as password § These “passwords” cannot be changed and are widely shared between operators Authentication: Fail Login:
  • 10. as Logo Horizontal Pos / Neg PNRs can be gathered offline 10
  • 11. as Logo Horizontal Pos / Neg PNRs can be gathered online 11 Instagram Travel details
  • 12. as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Are booking systems protected with basic security controls? 12 Web service security basics
  • 13. as Logo Horizontal Pos / Neg Flight theft Mile diversion Privacy intrusion Phishing Travelers’ private information is accessible 13 PNR abuse Anybody with access to the PNR locator (6-digit number) and last name can access: § Identity details; possibly including hotels and car rentals § Frequent flyer details § Contact information: Phone number, e-mail address, often postal address § Often date of birth and passport details Agents (or hackers) with direct GDS access also see: § Payment information: Credit card # and expiry § IP address (if booked online) Stalking Tracking Photo of luggage tag or boarding pass Last name PNR bruteforce search Privacy intrusion Abuse Scenarios Travel details, contact info
  • 14. as Logo Horizontal Pos / Neg Flight theft Mile diversion Privacy intrusion Phishing Fraudsters can possibly steal flights 14 * Miscellaneous charges order § Airlines typically only authenticate passengers with the PNR locator, even for ticket changes § Different airlines allow different actions: – All allow date and flight changes (at least on some tickets) – Few allow name changes – Most allow some form of refund, often for a coupon Abuse Scenarios Bruteforce search tickets for common name Refund for credit in PNR Refund for MCO* Fly for free Book new flight with credit PNR abuse Change name, e-mail, and date Change e-mail and date and take the flight (on an airline that does not check ID) Select flexible ticket
  • 15. as Logo Horizontal Pos / Neg Flight theft Privacy intrusion Phishing Mile diversion Mile diversion § Adding a miles number (with the right name) to a booking diverts a victim’s miles § Miles can be redeemed for free flights, hotel nights, or gift certificates Miles can be stolen, fully remotely 15 PNR abuse Abuse Scenario Bruteforce search for common name Selects expensive tickets Create miles account in passenger name Add or change miles account in booking Convert on redeem collected miles Example EU-Australia Round-trip First class 10,000 miles x 2 x 3 60,000 miles ~ 900 USD
  • 16. as Logo Horizontal Pos / Neg All path to a booking need to be secured 16 American Airlines asks for first name ViewTrip + TripCase provide alternative path w/o first name 1. Brute-force PNR + last name on ViewTrip 2. Check details on TripCase
  • 17. as Logo Horizontal Pos / Neg PNRs can be guessed 17 Guessability Sequential Amadeus ✓ Sabre ✗ Galileo Entropy 28.6 bits: § 1st digit: 2-8, X-Z § 2nd: Depends on 1st (38 of 340 combinations invalid) § 2nd-6th: 2-9, A-Z 28.2 bits: § 1st-6th: A-Z § (Namespace split by airline) 28.9 bits: § 1st: 1-9, A-Z (except F-I, O, U, Y) § 2nd -5th: 0-9, B-Z (except E, I, O,U,Y) § 6th: 0-9, A-Z, but last bit ignored! Brute-force susceptibility Airlines (examples) Lufthansa § Standard: § Mobile: Captcha max 30 rqs/IP Air Berlin max 1,000 rqs à Captcha American Airlines ✓ + First name Aeroflot ✓ Not really used by airlines, but instead by booking agents GDS-provided CheckMyTrip § Classic: § Current: killed ineffective Captcha, max 1,000 requests/IP Virtually There § Direct PNR access for some airlines (e.g. Etihad), for others: redirect to airline website (e.g. AA, Aeroflot) ✓ View Trip ✓ ✓ ✓ à ✓ à Helps against targeted privacy intrusion, but not fraud
  • 18. as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Are booking systems protected with basic security controls? 18 Web service security basics
  • 19. as Logo Horizontal Pos / Neg Flight theft Mile diversion Privacy intrusion Phishing Data disclosure exposes travelers to targeted attacks 19 § Due to their sequential nature, fraudsters can find recently created PNRs § And then send very targeted phishing e-mails Abuse Scenario Poll for common last name and recent PNRs (in a GDS where PNRs are sequential) Fetch e-mail address from booking Phish for frequent flyer login or credit card information PNR abuse Phishing From: LH.com online@booking-lufthansa.com Subject: Booking Details | Departure: 22 August 2016 | TXL-MUC | Reservation code: Z8JC8R Date: August 7, 2016 at 18:55 To: BSCHLABS@GMAIL.COM Lufthansa booking code: URGENT: Please update your payment information 33C3PO SANDIEGO / CARMEN MS Miles & More: XXXXXXXXXXX0054 Ticket no.: 220-2376788232 If you cannot view this e-mail properly, please open the attached PDF version. Do not reply to this e-mail. Additional support is available via the FAQs. URGENT NOTICE: Your payment has been rejected IMPORTANT: The following transaction has been rejected, so we are unable to process payment for you DE (HAM) on 31 December. Your reservation is currently ON HOLD FOR 24 HOURS. Please update information to confirm your reservation. Passenger Information Receipt and additional documents NOTE: Your receipt for this itinerary cannot currently be provided. PLEASE UPDATE YOUR PAYMENT INFORMATION. Option for download is valid up to 90 days after end of travel. From: LH.com online@booking-lufthansa.com Subject: Booking Details | Departure: 22 August 2016 | TXL-MUC | Reservation code: Z8JC8R Date: August 7, 2016 at 18:55 To: BSCHLABS@GMAIL.COM Lufthansa booking code: URGENT: Please update your payment information 33C3PO SANDIEGO / CARMEN MS Miles & More: XXXXXXXXXXX0054 Ticket no.: 220-2376788232 07:0​0​ h MUNICH DE MUNICH INTERNATIONAL (MUC) TERMINAL 2 08:1​5​ h HAMBURG DE (HAM) TERMINAL 2 Status: confirmed Seat: 03A* Class/fare: BUSINESS (Z) If you cannot view this e-mail properly, please open the attached PDF version. Do not reply to this e-mail. Additional support is available via the FAQs. URGENT NOTICE: Your payment has been rejected IMPORTANT: The following transaction has been rejected, so we are unable to process payment for your trip to HAMBURG DE (HAM) on 31 December. Your reservation is currently ON HOLD FOR 24 HOURS. Please update your payment information to confirm your reservation. Passenger Information Receipt and additional documents NOTE: Your receipt for this itinerary cannot currently be provided. PLEASE UPDATE YOUR PAYMENT INFORMATION. Option for download is valid up to 90 days after end of travel. Your itinerary Sat. 31 December 2016: MUNICH DE - HAMBURG DE LH2060 operated by: LUFTHANSA
  • 20. as Logo Horizontal Pos / Neg Guessability issues are not limited to large GDS 20 SITA § Only 4 digits to guess, plus one digit for airline Oman Air (Sabre) Pakistan International Airlines (Sabre) § Won the race for easiest guessability § Guess one city in itinerary instead of last name (Muscat, duh!) Ryan Air (Navitaire, an Amadeus subsidiary) § Uneven distribution makes it easier to guess PNR § Guess 4 credit card digits instead of last name Other noteworthy systems we did not look at: § MACS (Emirates) § Troya (Turkish Airlines) § HP Shares (United, and others)
  • 21. as Logo Horizontal Pos / Neg PNR access is not logged 21 Logging/accountability: Fail § For years, questions were raised over who is accessing PNRs § Until today, GDS providers refuse to log read access to this private data (write access has always been logged) § Can more research motivate finally adding logging and make transparent to travelers who accesses their information?
  • 22. as Logo Horizontal Pos / Neg § Fine-grained access control § Strong authentication § Rate-limiting § Logging ? ? ? ? Booking systems lack basic security controls 22 Web service security basics
  • 23. as Logo Horizontal Pos / Neg We need better protected booking systems 23 In summary What we need Coarse access control § A few global databases keep information on travelers, in systems that have grown for decades and now lack modern IT security § Limitations on which agents (and governments!) can access what information Weak authentication § Passengers authenticate only with their last name and a low-entropy (often sequential) booking code, which is also printed on passes and tags § Passwords for bookings Insufficient rate limiting § Numerous web interfaces permit brute- forcing of these booking codes, putting travelers’ privacy at risk § Minimum web service security for all exposed interfaces No logging § Travelers will never know who accessed their information, since PNR access is intentionally not logged § Strict logging of any access to personal information
  • 24. as Logo Horizontal Pos / Neg Thank you! 24 Questions? Karsten Nohl <nohl@srlabs.de> Nemanja Nikodijević <nemanja@srlabs.de> Many thanks to Luca Melette, Sebastian Götte, and Patrick Lucey for making this research possible! Thank you Ed Hasbrouck, Hendrik Scholz, and Seth Miller for very valuable feedback!