Monday, 9 January 2017

Getting Info using Airline Ticket's PNR (Passenger Name Record)

Hi,
More about the dangers of providing too much info in social networks:
http://iparrorratztic.blogspot.com.es/2017/01/providing-information-in-social-networks.html 

https://en.wikipedia.org/wiki/Passenger_name_record
In the airline and travel industries, a passenger name record (PNR) is a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together.
https://en.wikipedia.org/wiki/Passenger_name_record#Privacy_concerns
Privacy concerns
Some privacy organizations are concerned at the amount of personal data that a PNR might contain. While the minimum data for completing a booking is quite small, a PNR will typically contain much more information of a sensitive nature. This will include the passenger’s full name, date of birth, home and work address, telephone number, e-mail address, credit card details, IP address if booked online, as well as the names and personal information of emergency contacts.

Designed to “facilitate easy global sharing of PNR data,” the CRS-GDS companies “function both as data warehouses and data aggregators, and have a relationship to travel data analogous to that of credit bureaus to financial data.”. A canceled or completed trip does not erase the record since “copies of the PNRs are ‘purged’ from live to archival storage systems, and can be retained indefinitely by CRSs, airlines, and travel agencies.” Further, CRS-GDS companies maintain web sites that allow almost unrestricted access to PNR data – often, the information is accessible by just the reservation number printed on the ticket.

Additionally, “[t]hrough billing, meeting, and discount eligibility codes, PNRs contain detailed information on patterns of association between travelers. PNRs can contain religious meal preferences and special service requests that describe details of physical and medical conditions (e.g., “Uses wheelchair, can control bowels and bladder”) – categories of information that have special protected status in the European Union and some other countries as “sensitive” personal data.” Despite the sensitive character of the information they contain, PNRs are generally not recognized as deserving the same privacy protection afforded to medical and financial records. Instead, they are treated as a form of commercial transaction data.
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7964.html
Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today's standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.

Airline reservation systems grew from mainframes with green-screen terminals to modern-looking XML/SOAP APIs to access those same mainframes.

The systems lack central concepts of IT security, in particular good authentication and proper access control.

We show how these weaknesses translate into disclosure of travelers' personal information and would allow several forms of fraud and theft, if left unfixed.
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/system/event_attachments/attachments/000/003/146/original/33C3-SRLabs-Travel_Hacking.v2.pdf

Phishing, once again:
http://iparrorratztic.blogspot.com.es/2017/01/phishing-email.html 

Summary:
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/system/event_attachments/attachments/000/003/146/original/33C3-SRLabs-Travel_Hacking.v2.pdf

https://srlabs.de/bites/travel-hacking/
Legacy booking systems disclose travelers’ private information

Travel bookings worldwide are maintained in a handful of systems. The three largest Global Distributed Systems (GDS) Amadeus, Sabre, and Travelport administer more than 90% of flight reservations as well as numerous hotel, car, and other travel bookings.

Today’s GDSs go back to the 70s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.

Weak authentication
The most important security feature lacking from all three GDSs is a proper way to authenticate travelers. While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.

The authenticator is printed on boarding passes and luggage tags. Any person able to find or take a photo of the pass or tag can access the traveler’s information – including e-mail address and phone number – through the GDS’s or airline’s web site.

Weak web services
Traveler information is also at risk from online hacking because authenticators are brute-forceable. The way 6-digit booking codes are chosen makes them weaker than a 5-digit password (<28.5 bits), which would be considered insecure for most applications. Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their booking codes can be found over the Internet with little effort.

Abuse potential
Given a passenger’s booking code, an intruder can:
- Invade travelers’ privacy. The booking overview typically contains contact information such as phone number, e-mail, and postal address, travel dates and preferences, and often passport information.
- Steal flights. Most airlines allow flight changes, some even cancellations for a voucher, allowing a fraudster to travel for free.
- Divert miles. By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights.
- Conduct phishing/vishing. By knowing details of a booking that has just been made – which is possible in GDSs that use sequential booking codes – an intruder can target travelers for social engineering, asking for their payment info or frequent traveler credentials.

The way ahead
Global booking systems have pioneered many technologies including Cloud computing. Now is the time to add security best practices that other Cloud users have long taken for granted.
In the short-term, all web sites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.
In the mid-term, traveler bookings need to be secured with proper authentication, at the very least with a changeable password.

References
- Conference presentation. Details were presented at 33C3 on Dec 27 2016: Outline and Slides, Video (https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7964.html)
- Further reading. Much more information from many years of research are available on Edward Hasbrouck’s blog (https://hasbrouck.org/blog/archives/002279.html)
- Picture credit. Movie poster “Catch me if you can”
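The two sections of the SRLabs write-up quoted above, "Weak web services" (booking codes are brute-forceable) and "The way ahead" (retry limits per IP address and CAPTCHAs as the short-term fix), can be made concrete from the defender's side. The Python below is an added example written for this post; it is not code from SRLabs, from any GDS vendor, or from the original blog. It compares the nominal keyspace of a 6-character code with that of a short password, and puts a per-IP sliding-window guard in front of a lookup that resolves booking code plus last name to a record. The thresholds, the two sample records, the IP addresses and the request log are all constructed, and the `lookup` response is deliberately identical for a wrong code and a wrong name so the endpoint never confirms which half of the credential was right.

```python
"""Brute-force protection for a booking-code lookup endpoint.

Added example for this post; not code from SRLabs or from the blog.
It models the short-term fix the article asks for (retry limits per IP,
with a CAPTCHA step before a hard block) in front of a lookup that resolves
booking code + last name to a traveller record. All thresholds, records,
addresses and the request log below are constructed for illustration.
"""
import hmac
import math
from collections import defaultdict, deque


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits if every code in the space were equally likely.
    The article's point is that a real 6-character locator, drawn from a
    reduced alphabet and often assigned sequentially, has far less."""
    return length * math.log2(alphabet_size)


# Constructed policy values (assumptions, not figures from the article).
WINDOW_SECONDS = 3600   # sliding window for counting failed lookups
CAPTCHA_AFTER = 5       # failures per IP before a CAPTCHA is required
BLOCK_AFTER = 20        # failures per IP before lookups are refused


class LookupGuard:
    """Per-IP sliding-window counter of lookups that returned no record."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def decision(self, ip, now):
        """'allow', 'captcha' or 'block' for the next attempt from ip."""
        n = len(self._prune(ip, now))
        if n >= BLOCK_AFTER:
            return "block"
        if n >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)


# Constructed booking records: locator -> (last name, itinerary summary).
RECORDS = {
    "8EI29V": ("DOE", "MAD-FRA 2017-01-09"),
    "3KZ7QP": ("SMITH", "LHR-JFK 2017-02-14"),
}


def lookup(guard, ip, locator, last_name, now, captcha_ok=False):
    """Resolve a booking. The answer is the same for an unknown locator and
    for a known locator with the wrong name, so a guesser learns nothing
    about whether the code alone was valid."""
    decision = guard.decision(ip, now)
    if decision == "block":
        return ("blocked", None)
    if decision == "captcha" and not captcha_ok:
        guard.record_failure(ip, now)      # refused attempts still count
        return ("captcha_required", None)
    rec = RECORDS.get(locator.upper())
    name_ok = rec is not None and hmac.compare_digest(
        rec[0].encode(), last_name.upper().encode())
    if not name_ok:
        guard.record_failure(ip, now)
        return ("not_found", None)
    return ("ok", rec[1])


def replay(events):
    """Run a constructed request log of (time, ip, locator, name) through one
    guard and return how many requests ended in each outcome."""
    guard = LookupGuard()
    counts = defaultdict(int)
    for t, ip, loc, name in events:
        counts[lookup(guard, ip, loc, name, t)[0]] += 1
    return dict(counts)


# Constructed log: one legitimate traveller, one address trying 30 codes.
SAMPLE_LOG = [(0, "203.0.113.7", "8EI29V", "doe")] + [
    (i, "198.51.100.9", f"AAA{i:03d}", "SMITH") for i in range(30)
]

if __name__ == "__main__":
    print(f"36^6 locator: {keyspace_bits(36, 6):.1f} bits, "
          f"5-digit PIN: {keyspace_bits(10, 5):.1f} bits")
    print(replay(SAMPLE_LOG))
```

Running `replay(SAMPLE_LOG)` shows the legitimate traveller resolved once, while the guessing address gets five `not_found` answers, is then held behind a CAPTCHA, and is refused outright after the twentieth failed attempt in the hour. The hard part in production is the key: per-IP counting is what the article asks for, but shared NATs and proxies mean the CAPTCHA tier matters more than the block tier, and a per-record counter (how many wrong names were tried against one locator) is what catches a guesser who spreads attempts across many addresses.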
Once more, take care with giving too much info in social networks!
http://iparrorratztic.blogspot.com.es/2017/01/providing-information-in-social-networks.html

P.S.: Acknowledgment:
- Security Research Labs (https://srlabs.de/): Karsten Nohl (nohl@srlabs.de) and Nemanja Nikodijević (nemanja@srlabs.de):
Many thanks to Luca Melette, Sebastian Götte and Patrick Lucey for making this research possible!
Thank you Ed Hasbrouck, Hendrik Scholz and Seth Miller for very valuable feedback!

- Hirusec_ (https://hirusec.es/).
