
Posts from the ‘GDS’ Category

Can GDS Systems Really Be Hacked? The Answer should not surprise you.

December 31, 2016


In a word Yes!

GDS and airline PSS systems are based on old technology; in fact, so are many other travel systems, including hotel reservation systems. Indeed there are many systems out there which can be hacked. Although the systems have been updated since their original design – many times – some things have not been touched, and for airlines the core security of the technology remains the same.

At this point I need the reader to understand that I am not going to reveal the ways in which the hack took place. I have to be careful in writing this piece not to reveal how many different ways the hacks have occurred. Suffice to say that EVERY SYSTEM, unless it is air gapped, is vulnerable to a determined and organized hacking group. Nothing is 100% safe. Guess what: older technologies tend to have more flaws, as they were designed for different times.

So what is all the fuss about? A German so-called White Hat hacking group called SR Labs claims to be able to hack into airline systems and do things that perhaps they should not be able to do. Two media outlets are reporting this to be the case. The BBC actually witnessed one of the hacks. Fortune Magazine also observed this. Further, if you want to follow the annual hackers’ convention (officially it is sponsored by the Hamburg-based hacking group Chaos Computer Club), you can follow their blog here. A command of German, or Google Translate, may be useful! There will be further announcements coming. Another article (this time in Dutch) talks through the story as the perils of posting your boarding pass, with its QR code, on Instagram.

Normally I should be applauding this exposure of the vulnerability that the GDSs and the airlines are showing. The usual players have come out and denounced the airlines as being bad people and their technologies as being either stupid or having no security. So the Gnomes of VaultPAD thought it would be good to examine the issue and address the impact.

As we have indicated many times – airline and GDS systems are built on legacy designs dating from the 1950s. They are largely constructed on message-based technology architectures. That makes them by definition susceptible to a modern hack. Does that mean that there is a real risk that everyone should be worrying about? I really deplore people who claim to be “White Knight” hackers. In my personal opinion all hacking is bad – by definition there can be no “Good Hacking”. That is a personal opinion – you should draw your own conclusions on the subject. Suffice to say one has to be very wary around any form of hacking.

Let’s break the structure of the hack down into smaller chunks. I am going to walk through the major areas of vulnerability: consumer access, application access, communications access and finally issues in creating a Trojan Horse access.

At the lowest level, there are access links via passwords. These are pretty much the same vulnerability that exists for any other system. One key issue is that the frequency of use means that there are a lot of people (the author included) who cannot remember the various passwords and password conventions that exist for sites that we need to access. So the utility of passwords is horrid. Then once in – what can a hacker do? Well, you can hurt the person whose account has been hacked. That is singular. Can the hacker then cause havoc once the link has been established? This is probably where both the hackers and the writers have failed to grasp some of the concepts of the way PSS and GDS systems actually work.

At the next level, bypassing the consumer’s security, the next question for hackers is: can one access any random person’s PNR just by guessing or brute-forcing the 6 alphanumeric PNR Record Locators? Most airlines and travel sites have addressed this with 2-stage (in some cases even more) authentication. Interestingly, many of us are already using 2D and 3D bar codes and storing them happily on our phones (see the Dutch article above). The ability to gain access to an aircraft can be compromised. Again this is a risk that has been identified and in general many places have this secured. I can identify one country where the security protocols could cause an issue. That is Australia, where no ID is required for domestic travel. That issue however can be compromised in many other ways so it is not the fault of the PSS.
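To make the point above concrete from the defender’s side, here is an added example (not code from the original post, nor from any GDS or airline vendor) of what the “second stage” looks like in practice: a six-character record locator is treated as an identifier rather than a secret, the surname on the booking is demanded as well, and lookups are throttled per client so that the 36^6 locator space cannot be walked. The `BOOKINGS` table, the `PnrGate` class and the client identifiers are all constructed for the illustration.

```python
"""Added illustration: gating PNR retrieval behind locator + surname + throttling.

Assumptions (not from the original post): bookings live in a dict keyed by
record locator, the caller supplies a client identifier (e.g. source address
or session) for rate limiting, and the clock is injectable so the behaviour
can be tested deterministically.
"""
import hmac
import string
import time
from collections import defaultdict, deque

LOCATOR_ALPHABET = set(string.ascii_uppercase + string.digits)
LOCATOR_LENGTH = 6


def locator_keyspace():
    """Number of possible 6-character alphanumeric record locators (36**6)."""
    return len(LOCATOR_ALPHABET) ** LOCATOR_LENGTH


def hours_to_enumerate(lookups_per_second):
    """Hours an unthrottled client would need to try every locator once.

    With a surname required as a second factor this figure is only a lower
    bound; throttling is what makes even that bound unreachable in practice.
    """
    return locator_keyspace() / lookups_per_second / 3600.0


# Constructed sample bookings for the demo; these are not real PNRs.
BOOKINGS = {
    "A1B2C3": {"surname": "SMITH", "flight": "XY123"},
    "Z9Y8X7": {"surname": "GARCIA", "flight": "XY456"},
}


class PnrGate:
    """Front door for PNR retrieval: locator + surname, throttled per client."""

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)  # client_id -> attempt timestamps

    def _throttled(self, client_id):
        """Sliding-window limit; every attempt counts, successful or not."""
        now = self.clock()
        q = self._attempts[client_id]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return True
        q.append(now)
        return False

    def lookup(self, client_id, locator, surname):
        """Return ("ok", data), ("denied", None) or ("throttled", None)."""
        if self._throttled(client_id):
            return ("throttled", None)
        locator = locator.strip().upper()
        surname = surname.strip().upper()
        well_formed = (len(locator) == LOCATOR_LENGTH
                       and set(locator) <= LOCATOR_ALPHABET)
        record = BOOKINGS.get(locator) if well_formed else None
        # Compare against a dummy when the locator is unknown so the answer
        # (and its timing) does not reveal whether the locator itself exists.
        expected = record["surname"] if record else "NO-SUCH-BOOKING"
        if record is None or not hmac.compare_digest(
                expected.encode("utf-8"), surname.encode("utf-8")):
            return ("denied", None)
        # Never echo the second factor back; return only the booking details.
        return ("ok", {"flight": record["flight"]})


if __name__ == "__main__":
    gate = PnrGate(max_attempts=3, window_seconds=60)
    print(gate.lookup("client-1", "a1b2c3", "smith"))   # ok
    print(gate.lookup("client-1", "A1B2C3", "JONES"))   # denied
    print(gate.lookup("client-1", "QQQQQQ", "SMITH"))   # denied
    print(gate.lookup("client-1", "A1B2C3", "SMITH"))   # throttled
    print(f"{hours_to_enumerate(10):,.0f} hours to walk the keyspace at 10/s")
```

The two design choices worth noting are that a wrong surname and a non-existent locator produce the identical response, and that the throttle counts successful lookups too, so a client cannot use valid bookings to "reset" its budget.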

For the communications possibility – many things are possible via IP-based networks. One of the reasons the traditional travel systems were secure was the way they were constructed. The systems were originally designed to operate on totally closed networks proprietary to specific vendors. Many of these were polling based, which by definition had packets of data passing by several networks which could be read in the clear using tools as simple as a protocol analyzer. It was simple and very effective, going back to the days when any data network was a very expensive proposition. You can still buy one of these machines on eBay (if you know how to use it!). Actually I feel pretty safe since these networks (and the equipment needed to monitor them) are mostly gone.

Finally, can anyone place Trojan horse type back doors into the airline or GDS system? Fortunately there is a completely different set of security that protects against that. Again this is not infallible. But it will be hard to create a way to bypass the security and have open access to all systems including payment etc. Good luck trying to make sense of the core mainframe-based systems and their subsystems – the people are mostly dead or, like me, old and decrepit!

This year there were several major events when whole (GDS and PSS) systems were brought down not by hacking but by simple system flaws with a major impact. I suggest going back and re-reading an article I wrote in TNooz.

I don’t want to paint too rosy a picture. It is not as good as it could be. There are many challenges. It is very clear that we need a new generation of systems. The needs for product service and customer service are long overdue. Add the risk of increased possible security violations and you can see that the need is becoming acute, i.e. that need is becoming more pressing as each day passes. Just because the industry was well served using this old legacy technology does not preclude the need for bringing in newer and more modern systems WITH better security. In my eyes – this does need to happen – and soon. If this is another kick to get that change to take place so that the industry and the consumers can be freed from the mounting risk – that is a good thing. However, just one word of caution, as I hope you will consider this adage: Be careful what you wish for.



Presentation slides from WIT 2014 Little Big 10 Debate.

October 29, 2014


October 28th presentation from the WIT 2014.

Check out the presentation.




Politics and Pricing – a match made in hell.

April 28, 2014


The flap over how to display air fare offers in USA.
Money and Airfares
There is a proposed law in the USA called H.R.4156, more formally the “Transparent Airfares Act of 2014”, which amends the current law now on the books, passed in 2012: “49 U.S. Code § 41712 – Unfair and deceptive practices and unfair methods of competition”, more commonly called the Shuster/DeFazio law.
The original law can be found here; the wording of the new act can be found in the US Congressional Record here. Don’t worry too much, I have pulled out the respective texts – see sidebar below.

Why the flap?

Last year three US airlines (Southwest, Spirit and Allegiant), ironically all categorized as low cost carriers, had a court fight with the US Dept of Transportation over the provisions of 49 U.S. Code § 41712. Read the Bloomberg article here.

The US airlines association, now known as A4A, also supported the case and has been prominent in driving new rules and/or regulation that would permit airline pricing to be more like conventional pricing. In the USA the prices for general retail products are presented as not tax inclusive. Airlines however must show all fares, fees and taxes as a total all-in price. The purpose of the revision would presumably be to permit the airlines to display different forms of prices, leading with a base price.

The folks sponsoring this bill are from the committee who regulates the airline industry. It seems to be a reasonable and relatively minor change. However there are many people who are against it. Here is a smattering of the rhetoric: and here is the Opinion o the Gry

How is it done in other countries? The best example is the European legislation. This is contained in several statutes but the clearest example is Regulation 1008/2008; I have copied the relevant wording into the sidebar.

In my view the big issue is that the airlines want to be treated like other product categories and to price with a base price of less than the total price to be paid by the individual. This is not sinister, nor a conscious effort to trick the consumer, but it will likely lead to more confusion for the consumer. Diving a little bit into the arcane nature of airline pricing, we find that fees and taxes are frequently lumped together. The complexity of fees and “near taxes”, which are not really taxes but are called fees and taxes, gives the false impression that they are a regulator-imposed charge. They are not taxes. Indeed some are displayed as taxes and yet separately as fees and taxes. For an allegedly deregulated marketplace, the sale of travel products is probably one of the most complex and heavily taxed regimes in the world.

It will get worse.

The introduction of ancillary charges, including seats and bags, will add even more complexity to the task of the consumer in figuring out how much he is going to pay for that trip. Should that be allowed? I believe that as long as there is a clear bottom line price laid out for the consumer for a viable product, then the mechanism for pricing should be clear and simple. The fact that regulators love to tax the traveller, as it is an easy market to collect from, makes it inevitable that the consumer base will be subject to a greater tax burden.

Frankly, at the end of the day, governments should get out of the complexity, collect a single tax and reduce the burden of collection. Then a simple regulated set of 2-3 taxation charges would be met by the consumer with open arms.


SIDE BAR – The relevant text from the current law and the proposed change.

For the purpose of the story I have pulled out the text of the existing law and the relevant section on airfare price disclosure:

Section 1 – Existing law.

(c) Disclosure Requirement for Sellers of Tickets for Flights.—
(1) In general.— It shall be an unfair or deceptive practice under subsection (a) for any ticket agent, air carrier, foreign air carrier, or other person offering to sell tickets for air transportation on a flight of an air carrier to fail to disclose, whether verbally in oral communication or in writing in written or electronic communication, prior to the purchase of a ticket—
(A) the name of the air carrier providing the air transportation; and
(B) if the flight has more than one flight segment, the name of each air carrier providing the air transportation for each such flight segment.
(2) Internet offers.— In the case of an offer to sell tickets described in paragraph (1) on an Internet Web site, disclosure of the information required by paragraph (1) shall be provided on the first display of the Web site following a search of a requested itinerary in a format that is easily visible to a viewer.

Section 2 New law

The new law’s entire text is:
(a) Full Fare Advertising- Section 41712 of title 49, United States Code, is amended by adding at the end the following:
‘(d) Full Fare Advertising-
‘(1) IN GENERAL- It shall not be an unfair or deceptive practice under subsection (a) for a covered entity to state in an advertisement or solicitation for passenger air transportation the base airfare for the air transportation if the covered entity clearly and separately discloses–
‘(A) the government-imposed taxes and fees associated with the air transportation; and
‘(B) the total cost of the air transportation.
‘(A) IN GENERAL- For purposes of paragraph (1), the information described in paragraphs (1)(A) and (1)(B) shall be disclosed in the advertisement or solicitation in a manner that clearly presents the information to the consumer.
‘(B) INTERNET ADVERTISEMENTS AND SOLICITATIONS- For purposes of paragraph (1), with respect to an advertisement or solicitation for passenger air transportation that appears on an Internet Web site, the information described in paragraphs (1)(A) and (1)(B) may be disclosed through a link or pop-up, as such terms may be defined by the Secretary, that displays the information in a manner that is easily accessible and viewable by the consumer.
‘(3) DEFINITIONS- In this subsection, the following definitions apply:
‘(A) BASE AIRFARE- The term ‘base airfare’ means the cost of passenger air transportation, excluding government-imposed taxes and fees.
‘(B) COVERED ENTITY- The term ‘covered entity’ means an air carrier, including an indirect air carrier, foreign carrier, ticket agent, or other person offering to sell tickets for passenger air transportation or a tour or tour component that must be purchased with air transportation.’.
(b) Limitation on Statutory Construction- Nothing in the amendment made by subsection (a) may be construed to affect any obligation of a person that sells air transportation to disclose the total cost of the air transportation, including government-imposed taxes and fees, prior to purchase of the air transportation.
(c) Regulations- Not later than 120 days after the date of enactment of this Act, the Secretary shall issue final regulations to carry out the amendment made by subsection (a).
(d) Effective Date- This Act, and the amendments made by this Act, shall take effect on the earlier of–
(1) the effective date of regulations issued under subsection (c); and
(2) the date that is 180 days after the date of enactment of this Act.


Section 3

EU regulation 1008/2008 Section 16 states:

Customers should be able to compare effectively the prices for air services of different airlines. Therefore the final price to be paid by the customer for air services originating in the Community should at all times be indicated, inclusive of all taxes, charges and fees. Community air carriers are also encouraged to indicate the final price for their air services from third countries to the Community.

Mobile Web – Frustration or Paradise?

February 17, 2013


Way back in the 1990s the world’s first true global roaming phone was the Motorola Timeport. I recall one of my colleagues at the time was SO frustrated with the experience that he went home one day and got a hammer and nail and drove a stake through the heart of the errant device.

Have things improved lately?

Well, according to most surveys, despite the wonderful projections of how we are all going to be mobile in just a few years, there is a very strong undercurrent of dissatisfaction with mobile-based applications and the Mobile Web in general.

The mobile experience is almost universally a compromise – and frequently not a good one at that. A 2011 survey by Modapt, Inc. and Morrissey & Company suggested users are frustrated with the Mobile Web experience. In this survey the majority of respondents were smartphone users. This would tend to indicate that the users were early adopters and savvy technology users. Yet their responses were not that happy.

  • While 95% of respondents reported using advanced smartphones, more than 86% found their mobile browsing experience to be either ‘okay’ or ‘frustrating’.
  • The big 3 of user frustration are: slow downloads 40%, difficult to navigate 40%, and hard to find/read information 20%
  • Nearly one-half (48%) of smartphone users never make purchases via mobile

A similar study published in August 2012 confirmed the early results. Keynote Competitive Research studied mobile behaviour from a much broader sample of US users. The study showed that 60% of tablet users expect to wait less than three seconds to get to a website, while 48% of PC Web users want download speeds faster than two seconds. Smartphone users also have high expectations, with 64% wanting a website to load within four seconds and 82% of respondents wanting the website to load within five seconds. Even more startling is that 16% of users will not return to a site if it takes longer than six seconds to load, with 6% of users opting instead for competitor websites.

While Apps have created small specific applications – the explosive growth of the App market has created a number of cascading problems. Already we have the usual types of problems: phantom downloads, poor search and, even worse, badly written Apps. As the barrier to entry is so low, almost everyone has been encouraged to enter the mobile web. This has created a cottage industry of plain awful App writers. Poor security (both with data and just in general) has created an opportunity for a new breed of hackers to steal your data. With Apple’s Passbook now a fixture in the iOS world, there are clear indications that the back door entry into your personal data from badly designed Apps (as well as Apple’s low barrier to certification processes) is going to result in security breaches. We just haven’t seen them – yet. From the Modapt study, not surprisingly, fully one-half (50%) of smartphone users say they feel less secure about paying for something via mobile browser than desktop browser.

Another big issue is the nature of both Wifi and cellular data performance from the network. Wifi 802.11ac performance is now acceptable for most data applications but frequently the problem is not in the local network but in the backbone. The expectation of free wifi that most users have is now tempered with smart access points having dual speeds: crippled and OK. Crippled is free; OK is if you pay a premium. But we are to blame as well. Count the number of Wifi enabled devices you have. And then try and turn them on at the same time in a hotel or airport. Even a few years ago I was at a leading e-commerce player in a major market and was appalled to learn that their backbone to the web was not even a 56K circuit, yet they had hundreds of users in their environment. Cellular data performance is just plain awful for data. I have used extensively iOS, Android and Blackberry data devices using cellular connections around the world. Frankly they all suck.

And then there is the cost. Several times in my speaking engagements I have asked the audience to honestly admit (of those who data roam) if they have ever left their data circuits on and received a large bill. Go on, admit it – you have too! (Oh yes, and I do it frequently. Mostly because I am lazy or just forgetful.)

Consumer expectations and network performance are clearly in a state of dissonance.

Actually I am pessimistic about the network speed issue. 4G LTE, the standard of choice for mobile data via cellular, is not that much of a performance bump from 3G. Sadly App and Mobile Web providers have chosen to take advantage of the speed to bulk up their offerings instead of allowing lighter applications to prevail and for the users to get real speed.

Nothing can be more frustrating for a user than to show up while data roaming and see a little notice that says: Download our App and get better access faster. In your head you calculate that downloading the App will cost about $25 and so you wait in line… now even madder than you were before you saw that little sign. And it’s not just the consumers who are frustrated. Kayak recently abandoned its relationship with one of the current darlings of the Mobile Web, GetyourGuide. Further, I have spoken to many players who have spent large amounts of money developing web applications only to be very frustrated with the results. Typical complaints are:

  • Poor adoption
  • Low usage
  • High costs

Google – with so much vested in mobile (not necessarily in mobile e-commerce (MCommerce)) – has some good advice for you. They even have a website to help you Go Mobile.

Mobile providers – networks and application systems need to up their game. There is just too much crap out there and that has to change.