Hacker News Comments on
Where in the World Is Carmen Sandiego? Becoming a Secret Travel Agent

media.ccc.de · 173 HN points · 17 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention media.ccc.de's video "Where in the World Is Carmen Sandiego? Becoming a Secret Travel Agent".
media.ccc.de Summary
Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal i...

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
I remember a C3 talk showing how ridiculously insecure these booking systems (GDS) were. You should assume every intelligence agency has their hands on this data, as it is shared among so many parties.

https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

Great read. If somebody is interested in another great talk about boarding pass data security, there is this one from 33c3: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
Great talk [0] given during the 2016 congress touching on the Amadeus flight booking system and the danger of posting your boarding pass on social media

[0]: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

aneutron
This was an amazing watch. Thank you very much for the link.
The underlying issues have been known for quite a while. There was a fantastic talk at CCC in 2016 about the airline booking systems and the various bits of information you can glean from them.[0]

0: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

bonzini
There was another great talk by a (former?) ITAsoftware engineer, unfortunately I can't find it. Among various things he shares is that there's provision for the passenger being a child at arrival but not on departure. Which obviously can happen if you cross the date line backwards.

It would be great if anyone can find it, I am certain I got it from HN.

namdnay
The underlying issue is that PNR+Last Name has always been the "security" to access a booking, and no airline or travel agency wants to enforce stronger measures unilaterally, for fear of increasing friction for their customers.
One huge issue with GDS/EDIFACT is that it has no security built in. It was designed in a time when every actor was considered trustworthy.

Banks also relied (rely) for years on "antiquated" systems but they took the "they just work" and built some security around them. Airlines did not. This [0] presentation from 33C3 was really interesting (more readable form [1]).

[0] https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

[1] https://ourdataourselves.tacticaltech.org/posts/50-booking-f...

The security of these systems is also lacking, not to mention privacy.

see this talk "Where in the World Is Carmen Sandiego?" from 33C3 conference (2016). https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

Hacking PNR https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme... at time of the talk (2 years ago) used/discussed these sites:

https://matrix.itasoftware.com/ to get detailed fare rules & restrictions

https://www.expertflyer.com & https://itunes.apple.com/us/app/seat-alerts/id533533342

https://www.checkmytrip.com/ allows entering name & booking-reference and gives all detail

https://www.viewtrip.com/

https://tripcase.com will use name + booking-reference to get detailed PNR information including the first name

https://www.fly.kiev.ua can make a flight reservation without a payment, still gives an 6char booking-reference

zerowellies
What is the purpose of making a flight reservation without payment?
candasunal
I am a Turkish citizen, and we need a visa to visit EU member countries. You are not 100% sure if you will get the visa, so may want to make a flight and hotel reservation first, and then buy them if you get the visa. So reserving the tickets is preferred.
m00dy
I hope this imperative requirement will be revoked anytime soon.
latchkey
Maybe, but other countries still have it. Vietnamese have one of the worst passports on the planet. Their govt. won't let them leave without proof that they will come back, usually in the form of a job, cash in the bank, spouse and tour or reservation based trips.
yosito
Many airlines require you to have an onward flight out of a country before they will let you fly into it. This allows you to fulfill the technical requirement without having to pay for a plane ticket you aren't planning to use.
gowld
Why do airlines allow unpaid reservations? That seems ripe for Denial of Service attack on their booking plans.
namdnay
A reservation that is not paid is not ticketed. A reservation that is not ticketed is not 100% guaranteed

But I agree that this is still a problem for airline inventory management, and an online travel agency should definitely not be opening this feature to the general public!

There are several usecases that require unpaid reservations, the most common one nowadays is corporate travel, when you need to integrate approval flows - the approval step will be between the reservation and the ticketing.

Like just about every industry, there is a world of complexity hidden underneath the surface :)

namdnay
Slightly tangential, but in fact all flight reservations through a travel agency are initially made without payment. The entire process is quite complex, due to compatibility with processes and systems that were built in the 70s... The flow is to create the booking (and hence receive a record locator or PNR), and then to attach a form of payment. If the payment matches the cost, it is then possible to request ticketing, at which point a ticket number will be generated, which is the "real" confirmation
GFischer
If you're interested, these slides are a cool introduction to the complexity of air travel:

http://www.ai.mit.edu/courses/6.034f/psets/ps1/airtravel.pdf

Edit: I missed that someone had already linked to them - https://news.ycombinator.com/item?id=18531203

Yeah and these GDS systems are also strikingly insecure https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
I think you are referring to an attack similar to this: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme..., I just linked this video in the article and not the complete attack vector.
This[1] talk linked in the article mentions that it is happening, and that the name check is mostly useless because you can often just change the name attached to the frequent flyer number. Of course, things may have changed, but they probably haven't.

[1]: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

If you booked the flight together then it is very probable that it's seen in the booking system that you travel together. So it was probably a little bit more than just his "word". (I'm, however, not judging if it was correct action on the counter staff's behalf.)

A friend of mine was once travelling to Bali and she posted pictures of the boarding pass on Twitter. It was a few weeks after the CCC talk by Karsten Nohl and Nemanja Nikodijevic (https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...), so I warned her that it might be not the best idea to post these images. She was very self-assured and replied that she's almost in the plane so there's not much risk.

I've asked if it would be OK for me to test and she was fine with it. I could log in to her booking without problems (booking code and the name which I knew anyway were on the images). In the system I saw the other person she was travelling with. I could change seats and names of passengers. I think I could even change the date of the flight back (but I'm no longer sure about it).

But this is how I'm pretty sure that if you've booked together, this might have been visible in the booking system.

csomar
See my other comment: https://news.ycombinator.com/item?id=15319656
Or in a lot of different formats and also for download on media.ccc.de:

https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

The security picture is much much worse than what you suggest. There are only a few global distribution systems; mainly Amadeus and Sabre. These are used by airlines to share passenger name records which include all the personal data collected by the airline and booking agent. If Amadeus or Sabre have their security breached, everyone who travels by air is hosed.

Since these systems are anywhere from 30 to 50 years old, they have little concept of security. Your confirmation/reservation/booking number typically serves the function of your password for the booking. With that, plus say, your last name and maybe your date of travel, it is possible to get full access to the booking.

See this talk for more information: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

adamiscool8
And a division of Sabre was breached earlier this year too. [1]

[1] https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-h...

tyingq
"The security picture is much much worse than what you suggest"

Er, okay. Where did I suggest it was rosy?

"mainly Amadeus and Sabre"

Travelport as well, their marketshare is similar to Sabre. Also, the GDS part is interesting, but there are lots of other peripheral systems for things like loyalty programs, gift cards, apis fronting the GDS, etc. All with legacy. It's not really the old TPF platforms themselves that are the problem. It's the sprawl of lots of legacy.

Edit: Also, that presentation. It does bring up a real industry problem, but it also exaggerates for effect. Most airlines, for example, ask not just for last-name/pnr-locator. They ask for first/last/pnr-locator. And, what you can do with that is generally somewhat limited (checkin/change/cancel)...you can't, for example, login as the passenger and see/use frequent flyer points, stored credit cards, and so on. And, the best source to get this info is discarded, already flown, boarding passes, which kills those three possibilities. They also use a genuinely bad example from Oman Air, but then act like all airlines use a similar pattern...they don't. Not discounting that there's a big issue, but the presenters do use a certain style to promote their work.

Slightly off topic, but this is hardly the biggest blunder of the airline industry. A company I worked for last year absolutely tore them apart in a talk at 33c3.

In short, information like your address or passport number is easily accessible, and while it wasn't in the talk (I think), we were able to recover plaintext credit card numbers during the research.

https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

Vaguely related: the security of airline passenger data is atrocious. https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
kevin488
Insanity. This is so ripe for fraud it's unreal. I don't know of a single person who would not fall for the targeted phishing attack that was highlighted in the video.

If I got an email from someone who looks like the airline I just booked with with all my info (email, name, date, departure, arrival airports, etc) that said I need to update my credit card, I would.

This recent CCC talk demonstrates that airline reservation data is wide open:

https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

will_pseudonym
This was an amazing talk. Thank you for sharing.
TazeTSchnitzel
Somehow, that not only the NSA has it, but basically anyone, is reassuring.
cinquemb
I think that one of the interesting aspects of this talk was explaining that the airline companies really have no incentive to fight abuse beyond recognizable fraud.

I mean, someone could build some really interesting services on top of these holes, one I was thinking of is that for customers who do not check into their flights before a certain period of time, somehow one could get those flight codes and change the information, and then people nearby the airport can hitch the ride while everything looking good from the perspective of the airline company or even a Frequent flier miles as a service, where someone just creates accounts by automatic means, and scans for trips that don't have ff codes applied and uses "their" code for it and passes those miles to someone else for a price.

As we amass more and more data, and devices get cheaper to leak stuff, I wouldn't be surprised to see some interesting power shifts from traditional incumbents (the NSA's of the world, to more lean operations who are increasingly in a position to mine/exploit similar large amounts of information at scale).

Dec 31, 2016 · 163 points, 31 comments · submitted by based2
jdmath
I used to work for an airline that used Amadeus and was fairly familiar with it. Every booking agent had access to a terminal connection to the mainframe (similar to ssh or telnet). Everyone had unique login credentials and every action can be tracked through the booking history.

Here are a few notes:

- Credit card numbers are obfuscated right after they are first used. Only certain back offices have unrestricted access.

- Viewing all the travel information in the PNR is important. For example, if a flight is arriving late, it can be useful to know that the passenger has a connecting flight with another airline on the same ticket to arrange for another connecting flight.

- Reservations are archived after a certain amount of days after the last flight. They can be retrieved in view only mode but you have to specify a date range.

- Most tickets and vouchers are non-transferable (at least for the airline I worked for). Even changing a name on a reservation is a pain. You either have to make a new booking and re-issue the ticket or get a support desk to change the name on the current reservation and re-issue the ticket. A regular agent changing more than 3 letters of a name will result in a cancelled itinerary.

- It is possible to enter restricted comments on a PNR. You can even set who can view them. Agency only, Airline only even a specific office.

I get that he was saying that the system is unsafe but a lot of it is only in relation to the web interfaces. You can't get direct GDS access unless you're working directly for an airline or travel agency. Those people definitely need to see most of the information on the record.

Anyways, just thought I would provide some info.

atomwaffel
> I get that he was saying that the system is unsafe but a lot of it is only in relation to the web interfaces.

I think that was the point though: when these systems were being built in the 70s (i.e. pre-internet), the security measures they had – many of them based on trust – were perfectly reasonable. You'd need to have physical access to a machine connected to this closed network to even do so much as look at a reservation. And then the internet comes along and these companies (with no experience in web security) hook up their closed, tightly controlled network to an open, not-at-all controlled network with virtually no additional security. I guess it's fair to say that trust alone doesn't work too well on the internet.

> You can't get direct GDS access unless you're working directly for an airline or travel agency. Those people definitely need to see most of the information on the record.

Yes, but the researchers addressed this in their talk about 14 minutes in. The authentication isn't hard to crack: it consists of an agent ID and a password, often in a format like WS<DDMMYY> (where <DDMMYY> is the date of first access to the system). These credentials are shared by the same office at the very least, and I have a sneaky feeling that I might find a conspicuous post-it note on a computer screen if I visit a few of my local travel agents.

germanier
If I recall correctly, he said that travel agencies often have their own system (with individual passwords) hooked up to the GDS using a shared login which was set up once a long time ago and then forgotten.
nyolfen
description for those puzzled by the title:

> Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today's standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.

jugbee
What's interesting is that back in May, EU parliament has approved the directive to use PNR data for intelligence purposes, meaning that every air carrier has to transfer this data to law enforcement agencies (http://www.consilium.europa.eu/en/press/press-releases/2016/...). Have I read too much Orwell or...?
nly
Coupled with IP addresses from web bookings being on the PNR, and the likes of the new Investigatory Powers Bill in the UK, it won't be long before border control agents will be looking at your recent Internet history.

It's truly frightening.

michaelmior
Tempting to make a system that captures publicly posted photos of boarding passes. Then email the poster a warning along with proof of the personal information that they made available. However, I suspect this could get one in trouble.
nhf
90% of what's present in the boarding pass barcode (PDF417) is visible in plaintext on the actual document. The other 10% is relatively meaningless without access to the airline's systems (perhaps with the exception of FF numbers which are sometimes redacted).
michaelmior
My understanding (without trying this myself) is that it's potentially possible to recover a traveler's email and home address.
based2
https://en.wikipedia.org/wiki/Global_Distribution_System
contingencies
Also https://en.wikipedia.org/wiki/PNR for the personal information it stores.
based2
https://www.youtube.com/watch?v=qnq0UfOUTlM
ryanlol
Seemed like a bit of an odd talk for a crowd that largely flies to cons. This is mostly stuff your average FTer already knows.

And for god's sake don't try adding your frequent flier # on other people's tickets. The airline will catch you, and unless the tickets have your name on them you aren't gonna get any miles anyway.

premium-concern
I recommend watching the talk.
ryanlol
I recommend not making comments like this on HN.

I watched the entire talk days ago as it was happening and didn't see anything new or interesting in it. Record locators are short and you can scan bar codes on boarding passes was basically all of it.

They also made some pretty ridiculous suggestions that simply won't work, like the proposed scheme with adding your FF# to other people's tickets. The name on the ticket has to match yours for you to get the miles, this is the worst imaginable way of stealing them.

The talk isn't terrible, it's entertaining and relatively well presented, but it certainly only provides a very basic look at these systems through the eyes of someone who clearly isn't all that familiar with them yet. It's good for a beginner but seems like it might be a bit out of place in an international conference where you'll have lots of frequent fliers who already know all of these things.

atomwaffel
> They also made some pretty ridiculous suggestions that simply won't work, like the proposed scheme with adding your FF# to other people's tickets. The name on the ticket has to match yours for you to get the miles, this is the worst imaginable way of stealing them.

You must have missed the bit in the Q&A session when they addressed this very issue. They suggested creating a new frequent flyer account in the name of the person travelling and transferring the stolen miles to your own account – or simply changing the name attached to your own account if the system permits. They also claimed to know of people who were doing this as they spoke, and their talk gives little reason to doubt them.

> I watched the entire talk days ago as it was happening and didn't see anything new or interesting in it. Record locators are short and you can scan bar codes on boarding passes was basically all of it.

I disagree. The (in)security of travel agency systems was something I suspected but had no evidence of, and they presented some novel, fairly clever and disturbingly feasible ways of exploiting the bruteforceability of sequential PNRs, like sending highly targeted credit card phishing emails to people with recent bookings.

ryanlol
>You must have missed the bit in the Q&A session when they addressed this very issue.

>They suggested creating a new frequent flyer account in the name of the person travelling

So then they end up with an account with 1 trip's worth of miles on it, that'll rarely be worth anything at all.

>transferring the stolen miles to your own account –

Seriously? Do you have any idea how many miles you'd have to steal for that to be worthwhile. You have to pay $ to transfer miles.

>or simply changing the name attached to your own account if the system permits.

I can't think of anyone who permits this without a painful process, can you?

>They also claimed to know of people who were doing this as they spoke, and their talk gives little reason to doubt them.

Yeah, people also collect empty bottles off the streets.

If you want easy cheap miles this isn't the way to do it.

How about you go try it, just to be sure :)

thesumofall
>So then they end up with an account with 1 trip's worth of miles on it, that'll rarely be worth anything at all.

Well, a return flight FRA-SIN in First is worth 40,000 miles which is about 100 USD on most partner shops

ryanlol
That's basically the functional equivalent of tying a string around a bottle and then returning it to the machine multiple times.

Sure, you can successfully commit fraud and earn a few $, is it worth your time? nah.

Nexxxeh
With a system you can automate? Where you could likely use a single account for everyone who shares a name? (How many John Smiths, how many Mike Davies, how many Ahmed Muhammads?) Something that could likely be coded in an afternoon and left to run on some Amazon instances that never actually get the bill paid on? I think you may be overestimating the setup cost and vastly underestimating the potential haul.
jc4p
This was a fantastic talk. Both the content and the quality of the talk itself exceeded my expectations. I knew that bar codes on boarding passes are PDF-417 and have lots of info embedded, but the attack vectors they discuss are NUTS.

I tried posting this earlier in the week and it didn't get any traction, but user sleavey posted a great summary of the talk in that thread in case you don't have an hour, which is worth reading: https://news.ycombinator.com/item?id=13273314

I'm pretty sure the attack vector they discuss about finding boarding passes and changing the frequent flyer number attached to the itinerary is what the people who sell flights for 20-30% the cost[0] do. I've been wondering who that scam hurts for a while, the common thought is that they're using stolen credit cards but from what I understand the "services" are way too reliable to be based off stolen cards.

[0] http://krebsonsecurity.com/2012/01/flying-the-fraudster-skie...

ryanlol
>I'm pretty sure the attack vector they discuss about finding boarding passes and changing the frequent flyer number attached to the itinerary is what the people who sell flights for 20-30% the cost[0] do

That scheme wouldn't work, name on tickets needs to match your ff# for you to get the points on basically every single airline.

Those services are mostly based on stolen points from bruteforced accounts. VBV cards make credit card fraud a very reliable option too, but it'd have significantly lower profit margins.

dogma1138
You can add any ff number to a ticket purchase, you can also change it during checkout and even after taking the flight.
ryanlol
So? You aren't gonna get the miles. Otherwise, why aren't you already calling through all of your friends and adding your FF# on all of their old flights? Because the airlines aren't completely stupid and you aren't the first person to want free flights.
dogma1138
Yes you will get miles for those flights.
ryanlol
You must live in an alternate universe with different airline loyalty programs, because that's simply not how they work in the real world.

Take a moment of your time and search this on flyertalk or something.

dogma1138
Works with BA, Miles and More and a few others for me.

At my previous work we constantly did the swap to reach the needed miles to maintain status or to get a free upgrade / lounge access.

I still add my brother on BA since he has an insane status with them and I only fly with them once or twice a year for the upgrade and lounge...

eigenvector
The scammers you cite are generally using stolen points, or more precisely, points from compromised accounts. Generally, with regard to flights, points can only be accrued in the name of the person travelling and can't easily be transferred or aggregated between accounts, so changing the FF# on an active reservation doesn't really help you. You couldn't accrue all your stolen points to one account - you'd end up with a few points in hundreds of different accounts which doesn't have any value.

On the other hand, phishing credentials for accounts with hundreds of thousands of points already in them could be quite lucrative.

foxylion
At the end of the talk he said that the point thing is already being exploited and that those people change the account name on every transaction to the owner of the flight ticket. And that they are able to collect a massive amount of points without being detected.
dublinben
It's hard to get a clear picture of what's going on from the heavily biased coverage on Krebs's site, but based on the services being offered (flights, hotels, car rentals) they would appear to be purchased with stolen rewards points. If they weren't limited to spending these points, it seems obvious that they'd sell a greater range of services/products.
cryptarch
I'm not seeing the "heavy bias" in Krebs's coverage, could you elaborate on that?

I've always had a good impression of his work, and I don't get what you're implying. A bias for what?

ryanlol
IMO the quality of his reporting occasionally suffers because of his strong personal feelings on the people he's reporting on.

That particular article doesn't seem like a good example of such, though.

Dec 29, 2016 · 2 points, 0 comments · submitted by oevi
Dec 28, 2016 · 8 points, 1 comments · submitted by jc4p
sleavey
This is just incredible. It turns out that the booking references (usually 6 digits) used for all flights around the world can be used to access much more private information for travellers. These codes can be read from for example boarding cards, of which there are plenty posted on sites like Instagram. With a code and surname, the email address, mail address, phone number, frequent flyer number and other information can be accessed using weakly secured websites. It doesn't even need to be the airline the booking was made from, because they all accept and share the same booking codes.

The researchers showed that it was possible to find booking codes with open ended tickets, leaving the possibility of someone getting a free flight by changing the booking.

The airline booking systems are in need of a major overhaul, but the airlines clearly don't care enough right now. Hopefully this is a catalyst for change.
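
A defensive illustration of the point made throughout the thread, that a short booking reference plus a surname acts as the password: a lookup endpoint can at least count distinct failed locators per client and per surname. This is an added example, not code from the talk or from any commenter; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of a booking-lookup access log (not real data).
# Assumed format: ISO timestamp, client IP, surname, record locator, HTTP status.
SAMPLE_LOG = """\
2016-12-28T10:00:00Z 198.51.100.4 MEYER QX7T2L 404
2016-12-28T10:00:40Z 198.51.100.4 MEYER QX7T2I 200
2016-12-28T10:05:00Z 203.0.113.7 SMITH K9F2A1 404
2016-12-28T10:05:30Z 203.0.113.7 SMITH K9F2A2 404
2016-12-28T10:06:00Z 203.0.113.7 SMITH K9F2A3 404
2016-12-28T10:06:30Z 203.0.113.7 SMITH K9F2A4 404
2016-12-28T10:07:00Z 203.0.113.7 SMITH K9F2A5 404
2016-12-28T10:07:30Z 203.0.113.7 SMITH K9F2A6 404
2016-12-28T11:00:00Z 192.0.2.1 JONES M3PZ71 404
2016-12-28T11:01:00Z 192.0.2.2 JONES M3PZ72 404
2016-12-28T11:02:00Z 192.0.2.3 JONES M3PZ73 404
2016-12-28T11:03:00Z 192.0.2.4 JONES M3PZ74 404
2016-12-28T11:04:00Z 192.0.2.5 JONES M3PZ75 404
2016-12-28T11:05:00Z 192.0.2.6 JONES M3PZ76 404
"""


@dataclass(frozen=True)
class Lookup:
    ts: float       # seconds since the epoch (UTC)
    client: str     # source address of the request
    surname: str
    locator: str
    found: bool     # True if the surname/locator pair matched a booking


def parse_log(text):
    """Parse the assumed log format into Lookup events, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        stamp, client, surname, locator, status = parts
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        ts = when.replace(tzinfo=timezone.utc).timestamp()
        events.append(Lookup(ts, client, surname.upper(), locator.upper(), status == "200"))
    return events


def detect_enumeration(events, window=600.0, max_distinct_failed=5):
    """Flag keys with more than max_distinct_failed distinct failed locators per window.

    Failures are tracked per client and per surname, so guessing that is
    spread over many source addresses still trips the per-surname counter.
    Returns {(kind, value): (timestamp of the triggering event, distinct count)}.
    """
    recent = defaultdict(deque)   # key -> deque of (ts, locator) failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.found:
            continue
        for key in (("client", ev.client), ("surname", ev.surname)):
            q = recent[key]
            q.append((ev.ts, ev.locator))
            while ev.ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            distinct = len({loc for _, loc in q})
            if distinct > max_distinct_failed and key not in alerts:
                alerts[key] = (ev.ts, distinct)
    return alerts


if __name__ == "__main__":
    for (kind, value), (ts, n) in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"{kind}={value}: {n} distinct failed locators by {when}")
```

The single mistyped locator from 198.51.100.4 stays below the threshold, while the JONES lookups are flagged by surname even though no individual client exceeds it.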
