Airport security is a huge story in Ireland this week. Perhaps the media will finally take a good look at the problems surrounding the global systems that track you as you fly around the world. Or probably not.
It’s a bit of a long story and a strange tale. I was researching the subject for Another Case in Cowtown a few years ago, to solve the following totally theoretical and fictitious dilemma: how can someone on the run fly from one country to another while minimising the trail of information left in her wake?
The research didn’t end up in that particular novel, but the more I delved into the subject the more I became intrigued – and shocked, to put it mildly. In a nutshell:
There is a global tracking system, it contains incredibly sensitive personal information on millions of people on the move, and all this information is unbelievably easy to access. What follows is a bit long and slightly technical, but I thought it worthwhile spelling out the problem in full, as it could have major ramifications in terms of privacy and human rights.
Fasten your seatbelts, expect some minor turbulence, put the kettle on and put your feet up while we go on a bumpy ride…
1. The system’s origins
The system can trace its origins back to the early 1970s, when travel agents (remember them?) and airlines around the world had no way of “tracking global inventory in real time”. That’s business-speak for “Bums On Seats Right Now”. It was a major logistical headache.
Say an airline has one final seat left on a flight from Dublin to Paris next month. You’re trying to book it via a travel agent; I’m chasing after the same seat on the same flight through another travel agent; a third person is in, say, New York and about to “do Europe” and wants to book the same seat. If all three of us turn up at the airport for the same seat on the same flight, then where would we be?
(OK, in the past airlines would sometimes deliberately overbook flights, but that’s another story. Nowadays under EU rules, passengers are entitled to compensation if they are “denied boarding”).
Like I said, it’s all about tracking “inventory”. Bums on seats. So they devised a system for travel agents and “travel providers” (first the airlines, then car hire firms, hotels and eventually the railways) to exchange and update and synchronise this reservation information about all their crisscrossing passengers and customers.
The system had to handle complex situations such as:
- Where you’ve booked several connecting flights on different airlines to reach your final destination (“interlining”, it’s known in the trade)
- Where the travel agent has booked not only your flights but also a rental car and your hotel room for particular dates
- Group bookings
- Package holidays
2. The first ‘cloud’
The new computerised system used a massive database to track millions of automated travel transactions across the world. The network linked tens of thousands of travel agents and travel providers.
In the beginning it used huge old mainframes and the kind of text-only computer terminals you see in old (and period) movies: all black screens and glowing green fonts and not a mouse in the house.
Yet it was considered the height of sophistication. Perhaps it was the first “cloud” – at a time when the term “cloud computing” hadn’t been coined yet. They called it a global distribution system, or GDS, and there wasn’t just one GDS but several competing ones.
These systems were far older than the Web, yet they still linger on today. When Windows came along in the mid-1990s, on the surface the interfaces became friendlier. A decade later as the Web really took off, the GDS networks expanded to take in a new generation of booking engines – ones not only of the airlines themselves as their own websites dived into direct selling, but also the new breed of “go-between” travel sites such as Expedia.
Eventually the GDS industry evolved and consolidated into the “big three” platforms of today: Amadeus, Sabre and Travelport. Yet at their very heart is the same basic GDS way of doing things from back in the 1970s. It’s based on a concept called the passenger name record, or PNR for short.
3. The passenger name record
PNR data is, in a nutshell, metadata about the movement of our bodies around the planet. Let’s see how these layers of metadata are built up with, say, Ryanair.
The low-cost airline happens to be tied in to all three of the “big three” GDS networks. Ryanair’s customers interact with these systems every time they buy a ticket online or check in on the Ryanair website or use its mobile app. The Ryanair.com website uses a reservations system called New Skies, developed by a crowd called Navitaire, who have just been bought by one of the “big three”, Amadeus.
Like any airline’s reservation system, Ryanair’s needs to store information about price (as in the air fare, the price of the hotel bed etc) and availability (a seat on a particular flight, the hotel room, the rental car and so on).
Once the booking is made based on this starting information, the given GDS network that the reservation system uses will create a passenger name record. This acts as the “Master PNR”.
If the booking includes add-ons such as a car rental or hotel reservation, or if another airline is providing one or more legs of your trip, the Master PNR holder will automatically pass on copies of your PNR information to the reservation systems of all these other travel providers, so that they can communicate to and fro, and their records about your trip will stay linked together and can be updated with any changes.
Each PNR is automatically assigned a unique reference number, or “PNR locator”. It remains constant for your trip, and is relatively short: six digits. This brevity has huge implications, as we’ll see.
Strictly speaking this six-digit code is not a reference number per se. In fact it’s never just numbers. It’s either alpha-numeric (a mix of letters and numbers) or all alpha. You may be familiar with it. It’s the same six-digit code that you use at online check-in. It’s better known to passengers as their booking number or, in Ryanair’s case, as their “reservation code”.
Let’s suppose for a minute that an unscrupulous character – or even a legit one – has access to your PNR for a given journey. The following is the typical kind of information they can expect to glean from it:
- The passenger name (you)
- Your contact details including your email address and possibly your mobile phone number
- Your itinerary
- Your current travel status (including confirmations and check-in status)
- Check-in baggage information
- Ticketing and fare details (not necessarily the exact amount but at least the type of fare)
- The name of the person who made the booking (not necessarily you)
- The supplier – the travel agent or airline office’s contact details
- A timestamped IP address for the online transaction
- The form of payment and credit card number used (but redacted as in “****1234” to leave, say, the final four digits)
- Taxes paid to various authorities
- Frequent flyer data if applicable
- “Special Service Requests” such as meal requirements (halal, kosher, etc), wheelchair assistance
So that’s PNR and GDS. A set of global systems containing a significant amount of private and sensitive information about billions of travellers. Therefore you might expect some basic security precautions, right? The typical kind of measures they use to protect sensitive data nowadays? Precautions such as – in the IT security industry’s buzzwords – “constrained access”, “strong user authentication”, “rate-limiting protection against web attacks”?
The more you delve into it, the more you find that these precautions are either non-existent or a joke. Possibly disastrous in real life, of course, but opening up plenty of crime fiction possibilities as well…
4. Who can access the system?
OK, let’s start with access. Once you’ve booked your flight, your PNR can be accessed by anyone who works for:
- The travel agency or the website (such as a travel site or the airline’s own site) that was used to create your booking
- The airline – both flight crew and ground staff
- The other airline(s) if you’re “interlining”
- Other travel providers if you’re hiring a car or reserving a hotel room as part of that booking
- The GDS companies themselves – this will often include their IT support staff in other companies, and the people who are brought in to debug their systems or clean their digital toilets, metaphorically speaking
So that’s the first scary bit: each node in the global network is a potential access point, a weak spot as it were. Oh, and in the above list of people I nearly forgot to include Customs and Security. Government departments such as the US Department of Homeland Security often have access too.
5. The EU’s PNR directive
Since the 9/11 attacks there’s been an ongoing battle between the US and EU authorities – and privacy rights organisations – about whether and how airlines flying into the USA should be required to supply PNRs in advance of the flight for pre-checks of passengers.
The controversial EU Passenger Name Record (PNR) directive was eventually passed last April, giving member states two years to transpose it into national law. After that, airlines must hand EU countries their PNR data of passengers flying into or out of the EU. The data will then be forwarded to a single designated unit in each country, the “Passenger Information Unit” (PIU).
Many States have been playing the “crime and terrorism” security card in recent years, pushing the airlines into collecting and handing over more and more information in the PNR, from passport details (nationality, number, expiry date) to gender and date and place of birth.
(In terms of crime fiction, I also looked at a few obvious scenarios, such as how the police can obtain PNR data from travel companies or computer reservation systems using search warrants, subpoenas and so on for a criminal investigation. If the crime involves a flight between two other countries, they can get the data via existing international agreements for co-operation between law enforcement agencies.)
6. The short and simple passwords
Supposing your character is not in an airline or travel agency or police department. How hard – or easy – would it be to get into one of the GDS networks to read the information about a particular passenger?
Would you need a password to get in? Possibly. Well, not exactly a password, more the combination of an agent ID for the user name, which isn’t that hard to find, and a password that’s usually something like the letters ‘WS’ (for web service) plus the date when the account was created – a six-digit number, as in ‘DD MM YY’.
Even if you don’t know that date, the number of possibilities is small: with only 365 or 366 possible days in a year, it will take a computer program just a couple of minutes to brute-force its way through the past 40 years of ‘DD MM YY’ permutations to crack the password.
About two minutes. Then you’re into an account that gives access to the private information of not just one person or a few thousand but millions. Because once you are into that one account you can access any PNR record on the global system.
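From the defender's side, the same arithmetic can be turned into a check at password-set time. The sketch below is an added example, not code from any GDS or from this post's sources: it rejects passwords of the 'WS' + DDMMYY shape and reports how small the search space is. The function names and the 120 guesses per second rate are assumptions chosen for illustration.

```python
import re
from datetime import date

# 'WS' followed by DDMMYY, with or without the spaces shown in 'DD MM YY'.
WS_DATE = re.compile(r"^WS\s?(\d{2})\s?(\d{2})\s?(\d{2})$", re.IGNORECASE)

def window_start(today, years=40):
    """First day of the look-back window (whole calendar years)."""
    return date(today.year - years, 1, 1)

def keyspace(today, years=40):
    """Number of distinct 'WS' + date passwords in the window: one per day."""
    return (today - window_start(today, years)).days + 1

def embedded_date(password, today, years=40):
    """Return the date hidden in a 'WS' + DDMMYY password, else None."""
    m = WS_DATE.match(password.strip())
    if not m:
        return None
    dd, mm, yy = (int(g) for g in m.groups())
    for century in (2000, 1900):          # two-digit year: try both centuries
        try:
            candidate = date(century + yy, mm, dd)
        except ValueError:                # e.g. 31 February is not a date
            continue
        if window_start(today, years) <= candidate <= today:
            return candidate
    return None

def check_new_password(password, today, guesses_per_second=120.0):
    """Policy hook for password-set time: returns (accepted, reason)."""
    found = embedded_date(password, today)
    if found is None:
        return True, "no 'WS' + date pattern"
    space = keyspace(today)
    minutes = space / guesses_per_second / 60   # assumed guessing rate
    return False, (f"'WS' + date ({found.isoformat()}): only {space} "
                   f"candidates, about {minutes:.0f} min at "
                   f"{guesses_per_second:.0f} guesses/s")

if __name__ == "__main__":
    today = date(2017, 1, 10)             # constructed reference date
    for pw in ("WS150309", "WS 01 02 85", "t7#Lq!vR2m$Xe9"):
        print(pw, "->", check_new_password(pw, today))
```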
But there’s worse. It’s no longer the 1970s: nowadays passengers themselves can access their own information – and possibly other people’s too. Take Ryanair again, whose website uses Navitaire’s New Skies reservations system. As a Navitaire press release from 4 January 2017 puts it:
“The solution is designed for efficiency utilizing a single record approach, which manages both the offer and the order throughout the passenger lifecycle. Real-time data for on-demand decision making and omni-channel processing are hallmarks of New Skies, which have been leveraged extensively by airlines with clear leadership in innovation, such as Ryanair.”
Strip out the business flimflam, and basically it means it’s easy-peasy for consumers to retrieve their own booking info from the New Skies system. Simply go to the ‘My Bookings’ page on Ryanair’s website, type in your “reservation number” (it’s your PNR locator, remember?) and your email address (up to last month I think you could alternatively use the last four digits of your credit card number instead of an email address). And that’s it. You’re in.
In many of these web-based systems, all you need to authenticate a booking – and to begin to delve into the metadata – is two easy-to-find pieces of information: an email address or surname, and a corresponding PNR.
If the six-character PNR is supposed to be a password, it is way too short. It is easy for a shoulder surfer to memorise at a glance, and it’s not user selectable or changeable – you’re lumbered with it as your reservation code, even if you cancel your trip. Worst of all, as passwords go your PNR isn’t exactly top secret. It’s everywhere.
It’s in the subject line of the email confirmation from your airline.
It’s printed on every piece of paper associated with your flight, from your luggage tags to the boarding pass you printed out before the start of your trip.
It’s the scrap of paper that you’ve just thrown away at the end of your journey.
And it’s the holiday snap that thousands of passengers will upload to their Instagram and Facebook accounts and Twitter feeds, often with a handy “#boardingpass” hashtag.
Yet even though the PNR is printed on every ticket and itinerary, ordinary travellers are never told that they should hide and safeguard it as though it were a seriously important password. Instead, it’s treated as a piece of throwaway “booking” information.
Anyone who knows your PNR and surname can access your passenger name record, find your home phone number and email address, your IP address and possibly even your postal address and passport number and date of birth, along with all your travel details, possibly including hotels and car rentals and frequent flyer info.
And if anyone at the back of the class says many airlines have replaced the number on your boarding card with a barcode, I’m fully aware of that. But even a barcode is a doddle to read and turn back into PNR digits, once you have any one of a dozen basic smartphone apps or barcode-reading websites.
7. Any rate-limiting protection measures?
Now, suppose your character does know the person’s surname (or in Ryanair’s case their email address) but doesn’t know their PNR for a particular trip. How hard is it to guess those six digits, using the brute force of a computer? How many possible combinations are there?
For a simple six-digit number from “000000” to “999999”, there will obviously be a million possible permutations. If the code is alpha-numeric, with each digit standing for any one of 36 numbers or characters (“0” to “9” plus 26 letters of the alphabet), that six-digit code could have 36 to the power six possible combinations. I think that’s over two billion variations.
Yet – here’s where we get all Bletchley Park and Traffic Analysis – the booking digits used by particular reservation systems follow specific patterns. Sometimes the numbers are generated sequentially, so the first couple of digits will stand for the date range of the booking. Some systems don’t use certain numbers at all, such as the numeral “1” because staff (and, more frequently now, consumers) might mistake it for a letter “I” or “L”, or a zero that could be confused with the letter “O”, and so on. Of the “big three” systems, apparently the Sabre GDS network doesn’t use any numerals at all, just letters.
While all this begins to narrow things down quite considerably, it still leaves your PNR-cracking character with one major possible stumbling block if he or she is using a brute-force approach on a website: it might have “rate-limiting protection” measures. You’re probably well aware of one common and pesky example of such measures. It’s the “Captcha” form that asks you to prove you’re a human rather than a robot.
(Trivial fact #1: CAPTCHA is a so-called “backronym” – it stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. Trivial fact #2: I often use an Amazon Fire tablet nowadays, and end up being fobbed off as a misfiring synth from Humans.)
Each of the main GDS providers also has consumer portals, such as:
- VirtuallyThere.com (Sabre)
- CheckMyTrip.com (Amadeus)
- ViewTrip.com and MyTrip.com (both Travelport)
And here’s the twist. Many of these real-life sites will allow your character to do multiple lookups with no Captchas or other discernible rate-limiting protection measures. The Ryanair site’s “My Bookings” section doesn’t bother with a Captcha form: you or your computer script can brute-force the number to your heart’s content.
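What the missing rate-limiting could look like on a booking-lookup page, as an added example rather than anything taken from the sites named above: the throttle counts distinct wrong locators per email or surname as well as per client IP, so a passenger retyping one typo is not penalised while guessing spread across many addresses still runs out of budget. The class, thresholds and sample events are all constructed for illustration.

```python
from collections import defaultdict, deque

class LookupThrottle:
    """Sliding-window budget of distinct wrong locators per identity and per IP."""

    def __init__(self, max_distinct_failures=5, window_seconds=900):
        self.max_failures = max_distinct_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # key -> deque[(timestamp, locator)]

    def _keys(self, identity, client_ip):
        # Identity key: catches guesses for one passenger spread over many IPs.
        # IP key: catches one client walking through many passengers.
        return (("identity", identity.strip().lower()), ("ip", client_ip))

    def _distinct_recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0][0] > self.window:
            q.popleft()                       # forget failures outside the window
        return len({locator for _, locator in q})

    def allow(self, identity, client_ip, now):
        """False once either key has used up its budget of wrong locators."""
        return all(self._distinct_recent(k, now) < self.max_failures
                   for k in self._keys(identity, client_ip))

    def record(self, identity, client_ip, locator, success, now):
        """Call after every lookup; only failed lookups are counted."""
        if success:
            return
        for k in self._keys(identity, client_ip):
            self._failures[k].append((now, locator.strip().upper()))

def replay(events, throttle, valid):
    """Run (ts, ip, identity, locator) events through the throttle."""
    decisions = []
    for ts, ip, identity, locator in events:
        if not throttle.allow(identity, ip, ts):
            decisions.append("blocked")       # step-up challenge goes here
            continue
        ok = valid.get(identity.strip().lower()) == locator.strip().upper()
        throttle.record(identity, ip, locator, ok, ts)
        decisions.append("ok" if ok else "denied")
    return decisions

# Constructed sample data: not real bookings, addresses or log lines.
VALID = {"alice@example.test": "K7QZP2", "bob@example.test": "M4TRW9"}
EVENTS = (
    [(0, "198.51.100.7", "alice@example.test", "K7QZP3"),    # typo
     (5, "198.51.100.7", "alice@example.test", "K7QZP3"),    # same typo again
     (9, "198.51.100.7", "alice@example.test", "K7QZP2")]    # correct
    + [(20 + i, f"203.0.113.{i}", "bob@example.test", f"AAAAA{i}")
       for i in range(8)]                     # many IPs, one identity
)
```

A "blocked" decision is best answered with a step-up challenge (a Captcha or a link sent to the booking's email address) rather than a hard lockout, since otherwise anyone who knows a passenger's email could lock them out of their own booking.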
8. How long does the data stay alive?
All this data is easily accessible through such sites. But even if you have the passenger’s PNR locator and the relevant other piece of information such as their surname or email address, you may face one final hurdle: what if the PNR data has a shelf-life and a use-by date?
After closing the check-in, the airline itself will store the final PNR for about three months. Under the new PNR directive, the European Commission has proposed that PNR data be retained for five years and thirty days (why the extra 30 days I do not know).
But for flights between the EU and USA, under a highly controversial 2012 deal, the EU-US Passenger Name Record (PNR) agreement, the US authorities are allowed to keep PNR data in an active database for up to five years, then move the data to a “dormant database” (???) for up to ten years, with stricter access requirements for US officials.
And let’s not forget the GDS companies and reservation systems people, all firmly in the “data warehousing” business. Once your trip is completed (or even cancelled) they don’t erase the record as such but copy it from the live system to an archive one, where it can be stored indefinitely.
9. We are all just inventory now
All that sensitive information swishing around, all those people with access to it, and all this with no constrained access, no strong user authentication, no rate-limiting protection, and “passwords” that are a joke.
If it all sounds like a complete omnishambles, it is. These GDS networks weren’t built with modern security in mind. From the early 1970s – a time when most of the world had never seen a computer – they evolved over time in a higgledy-piggledy way to make life easy for travel agents and airlines and – eventually – state agencies.
It is a system that since its very start has downgraded this highly sensitive personal information into mere “data”, turning people into mere “inventory”, ripping privacy apart and leaving a higgledy-piggledy legacy that we still live with today.
For more on the issue see this recent article in the Guardian: