January travellers, beware: Your luggage tag could be an invite to hackers

3 Jan 2017

Luggage carousel. Image: Arina P Habich/Shutterstock

As skiers begin to make their way to the slopes this January, holidaymakers are being warned of the potential hacking risks of legacy travel booking systems.

The luggage tag placed on checked-in baggage is not exactly new, dating back as far as the 1970s, but it could potentially be a cybersecurity issue for those of us living in the 21st century.

According to the cybersecurity research organisation Security Research Labs (SRL) based in Germany, there are three major travel booking systems – referred to as global distributed systems (GDS) – maintained globally by many of the world’s airlines.

Not even one-step authentication

These three systems – Amadeus, Sabre and Travelport – account for 90pc of the market, and based on analysis of their security structures, their biggest downfall lies within their ability to authenticate travellers.

As SRL points out, despite many organisations toying with the idea of two- or three-step authentication for online orders, many of these GDSs do not even have one-step authentication.

Rather, these systems rely on six-digit alphanumeric strings, and if a hacker were to take a photo of the tag on a bag on a carousel, or of a tag removed after a journey, they could find out a wealth of personal information.

Once they have gained access through one of the websites of these GDS providers, hackers can in many cases reach information such as passport numbers, home addresses and phone numbers.

Myriad of possibilities with information

There are other potential dangers too, up to and including stealing flights: a hacker could cancel the victim’s original flight and use any voucher received towards their own journey.

SRL also points out that such information could be everything a hacker needs to attempt phishing scams, contacting the original victims to seek payments for other services.

“In the short term, all websites that allow access to traveller records should require proper brute-force protection in the form of CAPTCHAs and retry limits per IP address,” SRL said in a blog post.

“In the mid-term, traveller bookings need to be secured with proper authentication – at the very least with a changeable password.”


Colm Gorey was a senior journalist with Silicon Republic
