The Real Security Threat to Your Travel Reservations

When my wife and I were first dating she had a business trip to San Francisco. I confirmed her upgrade on United even though she hadn’t given me the flight number or record locator.

I knew the route she’d be flying, and when she got back, so it was easy to pull up her flight details and get her reservation changed. I used miles — United only charged 10,000 miles back then and no cash co-pay — rather than a confirmed upgrade certificate because those certificates were paper back then and I wanted to surprise her (not hand her a certificate and explain what I was doing).

She told me later that she had to decide whether she thought it was sweet and awesome — or creepy — that I’d altered her reservation without telling her. Ultimately she must have decided it was sweet…

Several readers have asked me what I think about the story going around how easy it is to ‘hack’ someone’s reservation (thanks to Paul H., Scott H., Ryan K. and others).

[T]hey figured out how to force the various portals to the Global Distribution System to let them know if they’ve guessed someone’s reservation locator code, which they can use to arbitrarily alter your flight plans, sending you to different cities, reseating you, or cancelling your flight.

The GDS has many portals, and many of those are not rate-limited; to make things worse, the space of all possible locator codes is pretty small, since it’s non-case-sensitive letters and numbers (excluding 1 and 0, which could be mistaken for the letters I and O). So by sending a lot of guesses to a lot of places very fast, it’s not hard to figure out whether any surname has a valid code associated with it.

The focus has been on ‘brute force’ attacks, testing every conceivable record locator against a last name until you find the one you want. But the real vulnerability — where actual nefariousness exists — tends to come in the form of social engineering.

If you have some information about a person and their travel plans you can work to uncover the rest in a series of phone calls to airlines — for instance if you know when and roughly where a person is traveling, and what airlines they might be on, it’s relatively simple to call up and give a flight number and date along with a last name and the agent on the phone will confirm the person is on the flight. You’re calling, perhaps, to handle seat assignments for them but don’t have the record locator. If you guess the flight wrong, hang up and call back. And once you’ve guessed correctly, agents are happy to give out the record locator, which you can then usually pull up on the airline’s website and it may contain other information as well.

This is all too real for travel bloggers. I tend to be pretty circumspect about posting details of my upcoming travel. Lucky from One Mile at a Time had a blog reader change his Tampa to Paris itinerary to fly Raleigh to Los Angeles instead. And just a few months ago someone else re-booked a hotel reservation he posted about to the hotel’s most expensive room available and for their romance package.

It’s hard enough to keep travel bookings intact the way you made them — with flight changes, aircraft swaps, lost seat assignments, and partner reservations that cancel out when the issuing airline fails to reticket a booking after a change — that once you add in nefariousness it becomes even more important to ‘garden’ your reservations and makes me even more grateful for the times that Award Wallet has sent me emails of changes to my bookings that it detects (when I have it update each of my frequent flyer accounts every day).

It’s also another reason that I love online check-in — one last opportunity to check that everything is in order, not just with your reservation but with your ticket, when there’s still plenty of time left for a fix.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Pingbacks

Comments

  1. Delighted to concur 100% with your post though I don’t find awardwallet particularly useful in this regard as it cannot monitor United or Southwest reservations (among others). However I think most airlines and hotels typically email travelers as soon as a reservation is changed, so that should be sufficient to provide notice of changes, assuming your account has not been hacked.

    That being said, the reminder about posting travel info on social media is spot on, as it can be used by many criminal types (i.e. burglars). OTOH social media check-ins and posts can also be used for good purposes (i.e. to track a missing person). Somewhere there is a fine balance, that probably starts with limiting who can see your timeline, etc.

  2. Many airlines require you to log in to your frequent flyer account to access a reservation online if the record locator is attached to one, but more should…

    Funny of all, Spirit actually requires you to log in with your FreeSpirit login (your email) and password when managing a reservation by record locator and last name, but this is probably really so they can get a hold of your email address and send you weekly ads…

Leave a Reply

Your email address will not be published. Required fields are marked *