Airlines, travel agents, price comparison websites, and many other services work together to provide easy booking opportunities to passengers. The industry uses\u00a0Global Distribution Systems<\/a>\u00a0(GDS) to check flight availability, ensure that seats are not double-booked, and so forth. GDSs are tightly interwoven with Web services \u2014 but not with best Web protection practices. As the result, today\u2019s GDS technology remains outdated in terms of protection and provides criminals with a huge attack surface.<\/p>\n Although about 20 GDS vendors exist at the moment, the security duo Nohl and Nikodijevic focused on the three main systems: Sabre (founded in 1960), Amadeus (founded in 1987), and Galileo (now a unit of Travelport). These systems\u00a0administer<\/a>\u00a0more than 90% of flight reservations, as well as hotel, car, and other travel bookings.<\/p>\n For example, Lufthansa and AirBerlin work with Amadeus, and with the tour operator Expedia. American Airlines and Russian airline \u0410eroflot stick to Sabre. Anyway, it\u2019s hard to say for sure which GDS stores the private data of a particular passenger: For instance, if you book a ticket for American Airlines flight on Expedia, both Amadeus and Sabre record the transaction.<\/p>\n Depends on the booking system\u2019s rules, GDS records usually contain a passenger\u2019s name, phone number, date of birth, and passport data, as well as their ticket number, departure and destination ports, and flight date and time. It also includes payment information (such as a credit card number). Quite sensitive information, in other words.<\/p>\n Nohl and Nikodijevic pointed out that a lot of people have access to this data, including airlines workers, tour operators, hotels representatives, and other agents. Researchers suppose that governmental agencies can read this data as well. But it\u2019s only the tip of the iceberg.<\/p>\n To access and change this information, GDSs use a traveler\u2019s name as login and a 6-digit booking code (most travelers know it as a\u00a0PNR<\/a>) as\u00a0password<\/b>. Yes, that\u2019s the PNR that is openly printed on boarding passes and luggage tags. As a password.<\/p>\n \u201cIf the PNR is supposed to be a secure password, then it should be treated like one,\u201d Nohl said at the conference. \u201cBut they don\u2019t keep it a secret: It is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a bar code.\u201d That bar code, by the way, still contains the PNR.<\/p>\n The majority of travelers don\u2019t understand the inner workings of the flight industry, so they eagerly publish their tickets online together with PNR, encrypted into a bar code. However, a\u00a0bar code is not a mystery<\/a>; special software can read it. So\u00a0anybody<\/i>\u00a0who takes a photo of your luggage tag at an airport or found your ticket online can access your private data. You don\u2019t need to be a hacker to exploit PNR vulnerabilities \u2014 you just have to know where to look. In the video below you can see how Nohl and Nikodijevic decoded the bar code from an Instagram photo of an airline ticket.<\/p>\n![\"\"](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/01\/05112903\/airplanetickets-on-instagram.jpg\")
<\/p>\n