Flight booking and itinerary systems are prime targets for hackers due to their continued use of legacy systems, according to research from SR Labs. A presentation at Chaos Communication Congress from two SR Labs researchers explained how all three of the major global distribution systems (GDS) aren't adequately protected.
Those systems manage travel reservations and share data between agencies, airlines, and passengers. The three companies in question are Sabre, Amadeus, and Travelport. Hackers could exploit their current vulnerabilities to change passenger info and cancel bookings.
According to the researchers, the only things required to exploit the system are a passenger's last name and their six-digit Passenger Name Record (PNR), a number that's often shared in emails and may even be placed on luggage tags.
While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers' information. - SR Labs