Aussie airline at potential risk of hacking
A US cyber security research team has warned travellers they should be mindful when using online check-in services, claiming some airlines are exposing valuable personal information to potential hackers.
According to security researchers at enterprise security firm Wandera, multiple major airlines around the world are sending passengers unencrypted check-in links through their e-ticketing systems, putting personal data at risk of being accessed by hackers and modified.
The threat research team discovered that some of the major airlines are falling short on security and passenger protection, including Australian budget airline Jetstar.
The report claims that once information was exposed by checking in for a flight online over public Wi-Fi, a hacker on the same network could easily intercept and steal data such as full names, email addresses, passport numbers, booking references, and flight and seat numbers.
However, Jetstar has strongly rejected the research, saying that no passenger information has been put at risk.
According to Wandera, once a link was intercepted, hackers could even change booking details and/or print off the passenger's boarding passes.
"Our threat researchers discovered that the check-in links sent to the passengers are unencrypted," a statement read.
"On clicking those links, the passenger is redirected to a site where they are logged in automatically to their flight check-in session and in some cases they can then make any changes to their booking and print off their boarding passes.
"A hacker on the same Wi-Fi network as the passenger can easily intercept the link request.
"The hacker can then gain access to the passenger's online check-in. All of the major airlines that we identified are putting passenger data at risk."
In a statement to news.com.au, a spokesman for Australian budget airline Jetstar said the airline had "no evidence" to support Wandera's claims of a security breach.
"We take cyber security and privacy extremely seriously and have no evidence of our customers' booking details or data ever being misused by unauthorised parties through the booking link," the statement read.
"To ensure our customers' information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems.
"Sensitive customer information such as payment details are not accessible through a customer's booking link."
But a spokesperson for Wandera said they stand by their claims.
"We are confident in the findings we have shared with the affected airlines," a spokesperson said. "Wandera's investigation uncovered multiple security flaws that may have resulted in passenger data being exposed to unauthorised third parties.
"Wandera is not in a position to know if passenger data was compromised by a malicious actor, nor can we confirm yet that the affected airlines have implemented an appropriate fix."
According to Wandera, the initial vulnerability was discovered in December last year when they noticed unencrypted travel-related details were being sent to one of their secured customers.
The company then investigated further and found that many airlines had the same issue with their e-ticketing systems.
According to the company's CEO Eldar Tuvey, a total of 40 major airlines were then investigated and nearly a quarter were found to be vulnerable.
Speaking to news.com.au, editor-in-chief of Finder.com.au, Angus Kidman, said while hacking your booking might be annoying, the biggest concern was around access to other personal information.
"A hacker tweaking your booking is an annoyance, but they can also potentially get access to your credit card and passport details, which is much more problematic," Mr Kidman said.
"The most important lesson here is to be wary of public Wi-Fi. There are always risks involved when browsing using unsecured networks.
"If you're clicking on that link when you're at home you shouldn't have an issue. But be cautious elsewhere. Rely on your phone's mobile connection and don't use Wi-Fi to download tickets or check in."
In an interview with Forbes, Mr Tuvey said the fact that the links were being sent "unencrypted" meant that anyone using the same Wi-Fi network as the passenger would be able to intercept the credentials by simply listening to the broadcasts happening over the air between the passenger's wireless device and the access point.
"This is no different than when two people talk across a crowded room," Tuvey said.
"Any third party in the room who stops to listen is likely to capture details from the conversation."
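The weakness described above is a check-in link that both travels in the clear and logs the holder straight into an editable session. The following is an added illustration of a hardened link design, not code from the article, Wandera or any airline: the link is HTTPS-only and carries a short-lived, single-use token bound to the booking and signed with a server-side secret, so a copy captured on shared Wi-Fi is rejected on replay, after expiry, or after tampering. The hostname, secret, TTL and booking references are all constructed for the example.

```python
# Added example (not from the article, Wandera or any airline): a hardened
# check-in link scheme. The link is served only over HTTPS and carries a
# signed, expiring, single-use token bound to the booking reference.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_SECRET = secrets.token_bytes(32)   # constructed; lives server-side only
TOKEN_TTL = 15 * 60                       # seconds a check-in link stays valid
_used_nonces = set()                      # single-use bookkeeping (demo only)

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_checkin_link(booking_ref: str, now: Optional[float] = None) -> str:
    """Build an HTTPS check-in link carrying a signed, expiring, single-use token."""
    now = time.time() if now is None else now
    payload = {"ref": booking_ref, "exp": int(now) + TOKEN_TTL,
               "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    # Constructed hostname; a real deployment would use the airline's own domain.
    return "https://checkin.example-air.invalid/c?" + urlencode({"t": f"{body}.{sig}"})

def verify_checkin_link(link: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason_or_ref). Rejects plain-http links, bad signatures,
    expired tokens and replayed tokens; only then trusts the payload."""
    now = time.time() if now is None else now
    u = urlparse(link)
    if u.scheme != "https":
        return False, "link not served over HTTPS"
    token = parse_qs(u.query).get("t", [""])[0]
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig, expected):
        return False, "signature mismatch (token tampered or forged)"
    payload = json.loads(_unb64(body))      # safe to decode: signature verified
    if now > payload["exp"]:
        return False, "token expired"
    if payload["nonce"] in _used_nonces:
        return False, "token already used (replay)"
    _used_nonces.add(payload["nonce"])
    return True, payload["ref"]
```

Even with such a token, the session it opens should still require a second factor (for example the passenger's surname or a code sent separately) before booking changes are allowed.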