When my wife and I were first dating she had a business trip to San Francisco. I confirmed her upgrade on United even though she hadn’t given me the flight number or record locator.
I knew the route she’d be flying, and when she got back, so it was easy to pull up her flight details and get her reservation changed. I used miles — United only charged 10,000 miles back then and no cash co-pay — rather than a confirmed upgrade certificate because those certificates were paper back then and I wanted to surprise her (not hand her a certificate and explain what I was doing).
She told me later that she had to decide whether she thought it was sweet and awesome — or creepy — that I’d altered her reservation without telling her. Ultimately she must have decided it was sweet…
Several readers have asked me what I think about the story going around on how easy it is to ‘hack’ someone’s reservation (thanks to Paul H., Scott H., Ryan K. and others).
[T]hey figured out how to force the various portals to the Global Distribution System to let them know if they’ve guessed someone’s reservation locator code, which they can use to arbitrarily alter your flight plans, sending you to different cities, reseating you, or cancelling your flight.
The GDS has many portals, and many of those are not rate-limited; to make things worse, the space of all possible locator codes is pretty small, since it’s non-case-sensitive letters and numbers (excluding 1 and 0, which could be mistaken for the letters I and O). So by sending a lot of guesses to a lot of places very fast, it’s not hard to figure out whether any surname has a valid code associated with it.
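To make the two points in that passage concrete, here is a small model I added for this post (it is not code from the researchers or from any GDS): the locator keyspace is 34 symbols to the 6th power, and a failure budget kept separately by each portal adds up across portals, while one budget kept at the backend per surname does not. The booking, the portal names, the failure limits and the guess rate are all constructed for the illustration.

```python
import itertools
from collections import defaultdict

# Locator alphabet as the quoted research describes it: letters and digits,
# case-insensitive, without 0 and 1 (look-alikes for O and I).
LOCATOR_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ23456789"
LOCATOR_LENGTH = 6


def keyspace_size():
    """Number of distinct record locators: 34 symbols to the 6th power."""
    return len(LOCATOR_ALPHABET) ** LOCATOR_LENGTH


def hours_to_exhaust(guesses_per_second):
    """Hours to try every locator at an aggregate rate (assumed rate, for scale only)."""
    return keyspace_size() / guesses_per_second / 3600


class ReservationSystem:
    """Toy model of a lookup backend, not any real GDS.

    lookup() answers the yes/no question every portal asks: does this
    (surname, locator) pair belong to a booking?  The failure budget is kept
    either per (portal, surname), so each portal only counts its own attempts,
    or per surname across all portals (shared_limit=True), the hardened form.
    """

    def __init__(self, bookings, max_failures, shared_limit):
        self.bookings = {(s.upper(), l.upper()) for s, l in bookings}
        self.max_failures = max_failures
        self.shared_limit = shared_limit
        self.failures = defaultdict(int)
        self.locked = set()

    def lookup(self, portal, surname, locator):
        surname = surname.upper()
        key = surname if self.shared_limit else (portal, surname)
        if key in self.locked:
            return "locked"
        if (surname, locator.upper()) in self.bookings:
            return "found"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked.add(key)
        return "miss"


def enumerate_locators(system, surname, portals, candidates):
    """Attacker model: spread guesses round-robin over every portal so that
    per-portal budgets add up.  Returns (locator or None, guesses sent)."""
    usable = list(portals)
    sent = 0
    for n, locator in enumerate(candidates):
        while usable:
            portal = usable[n % len(usable)]
            sent += 1
            result = system.lookup(portal, surname, locator)
            if result == "found":
                return locator, sent
            if result == "miss":
                break
            usable.remove(portal)  # locked out here; retry this guess elsewhere
        if not usable:
            return None, sent
    return None, sent


def sample_candidates(target, position, count):
    """Constructed guess list: the first `count` locators in alphabet order,
    with the target inserted at index `position` so the run stays short."""
    gen = ("".join(c) for c in itertools.product(LOCATOR_ALPHABET, repeat=LOCATOR_LENGTH))
    candidates = list(itertools.islice(gen, count))
    candidates.insert(position, target)
    return candidates


def demo():
    surname, target = "LEFF", "ZQ7PX3"          # constructed booking
    portals = ["web-a", "web-b", "phone-c"]       # hypothetical portal names
    candidates = sample_candidates(target, 20, 40)
    weak = ReservationSystem([(surname, target)], max_failures=10, shared_limit=False)
    hardened = ReservationSystem([(surname, target)], max_failures=10, shared_limit=True)
    return {
        "keyspace": keyspace_size(),
        "hours_at_10k_per_s": hours_to_exhaust(10_000),
        "per_portal_limit": enumerate_locators(weak, surname, portals, candidates),
        "shared_limit": enumerate_locators(hardened, surname, portals, candidates),
    }


if __name__ == "__main__":
    print(demo())
```

With three portals and ten failures allowed per portal, the attacker gets thirty misses before every portal is closed and finds the booking on the 21st guess; with the same ten failures counted once per surname, every portal reports locked after the tenth miss. One caveat a practitioner would raise against the hardened model: a budget keyed on surname alone lets an attacker lock every passenger with a common surname out of their own bookings, so a real deployment would throttle rather than hard-lock, key on more than the surname, and treat an unusual spread of guesses across portals as a signal to alert on.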
The focus has been on ‘brute force’ attacks, testing every conceivable record locator against a last name until you find the one you want. But the real vulnerability — where actual nefariousness exists — tends to come in the form of social engineering.
If you have some information about a person and their travel plans, you can uncover the rest in a series of phone calls to airlines. For instance, if you know when and roughly where a person is traveling, and which airlines they might be on, it’s relatively simple to call up and give a flight number and date along with a last name, and the agent on the phone will confirm whether the person is on the flight. You’re calling, perhaps, to handle seat assignments for them but don’t have the record locator. If you guess the flight wrong, hang up and call back; each call is one unthrottled yes/no query, the same oracle the brute-force attack uses, only against a far smaller set of possibilities. Once you’ve guessed correctly, agents are happy to give out the record locator, which you can then usually use to pull up the reservation on the airline’s website, where it may contain other information as well.
This is all too real for travel bloggers. I tend to be pretty circumspect about posting details of my upcoming travel. Lucky from One Mile at a Time had a blog reader change his Tampa to Paris itinerary to fly Raleigh to Los Angeles instead. And just a few months ago someone else re-booked a hotel reservation he posted about to the hotel’s most expensive room available and for their romance package.
It’s hard enough to keep travel bookings intact the way you made them, with flight changes, aircraft swaps, lost seat assignments, and partner reservations that cancel out when the issuing airline fails to reticket a booking after a change. Once you add in nefariousness it becomes even more important to ‘garden’ your reservations, and it makes me even more grateful for the times that Award Wallet has sent me emails about changes it detects in my bookings (when I have it update each of my frequent flyer accounts every day).
It’s also another reason that I love online check-in — one last opportunity to check that everything is in order, not just with your reservation but with your ticket, when there’s still plenty of time left for a fix.