As skiers begin to make their way to the slopes this January, holidaymakers are being warned of the potential hacking risks of legacy travel booking systems.
The luggage tag placed on checked-in baggage is not exactly new, dating back to the 1970s, and this could be a cybersecurity issue for those of us living in the 21st century.
According to the cybersecurity research organisation Security Research Labs (SRL) based in Germany, there are three major travel booking systems – referred to as global distribution systems (GDS) – maintained globally by many of the world’s airlines.
Not even one-step authentication
These three systems – Amadeus, Sabre and Travelport – account for 90pc of the market, and based on analysis of their security structures, their biggest weakness lies in how they authenticate travellers.
As SRL points out, despite many organisations toying with the idea of two- or three-step authentication for online orders, many of these GDSs do not even have one-step authentication.
Rather, these systems rely on six-digit alphanumeric strings. If a hacker were to photograph one while a bag is on a carousel, or from a tag removed after a journey, they could find a wealth of personal information.
Once access has been gained on one of the websites of these GDS providers, hackers can in many cases find information such as the traveller’s passport number, home address and phone number.
Myriad of possibilities with information
Other potential dangers include going as far as stealing flights, by cancelling the victim’s flight and using any voucher received towards the hacker’s own journey.
SRL also points to the possibility that such information could be everything a hacker needs to attempt phishing scams, contacting the original victims to seek payments for other services.
“In the short term, all websites that allow access to traveller records should require proper brute-force protection in the form of Captchas and retry limits per IP address,” SRL said in a blog post.
“In the mid-term, traveller bookings need to be secured with proper authentication, at the very least with a changeable password.”
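The short-term measure SRL describes, Captchas plus retry limits per IP address, can be sketched as a sliding-window counter of failed booking-code lookups. This is an added example, not code from SRL or any GDS provider; the class and function names, the thresholds and the sample booking are all assumptions made for illustration.

```python
import time
from collections import deque

# Constructed sample record; real bookings are keyed the same way (surname + code).
SAMPLE_BOOKINGS = {("DOE", "AB12CD"): {"passenger": "J DOE"}}


class LookupGuard:
    """Per-IP sliding-window counter of failed booking-code lookups."""

    def __init__(self, captcha_after=3, block_after=6, window=600, clock=time.monotonic):
        # Thresholds and window length are assumed values, not SRL's.
        self.captcha_after, self.block_after = captcha_after, block_after
        self.window, self.clock = window, clock
        self._failures = {}  # ip -> deque of failure timestamps

    def _recent(self, ip):
        q = self._failures.get(ip)
        if not q:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[ip]  # keep the table from growing without bound
        return len(q)

    def decision(self, ip):
        """Return 'allow', 'captcha' or 'block', decided before the lookup runs."""
        n = self._recent(ip)
        if n >= self.block_after:
            return "block"
        return "captcha" if n >= self.captcha_after else "allow"

    def record_failure(self, ip):
        # Successes never clear the history, so a valid lookup cannot reset the count.
        self._failures.setdefault(ip, deque()).append(self.clock())


def handle_lookup(guard, bookings, ip, surname, code, captcha_solved=False):
    """Return (status, record); the record is released only on a permitted match."""
    verdict = guard.decision(ip)
    if verdict == "block" or (verdict == "captcha" and not captcha_solved):
        return verdict, None
    record = bookings.get((surname.upper(), code.upper()))
    if record is None:
        guard.record_failure(ip)
        return "not_found", None
    return "ok", record
```

This covers only the short-term measure; the mid-term fix SRL names is proper authentication of the booking itself.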