Posts tagged ‘Technology’

Can GDS Systems Really Be Hacked? The Answer should not surprise you.

December 31, 2016

VaultPad

In a word: Yes!

GDS and airline PSS systems are based on old technology; in fact, so are many other travel systems, including hotel reservation systems. Indeed there are many systems out there which can be hacked. Although the systems have been updated since then – many times – some things have not been touched, and for airlines the core security of the technology remains the same.

At this point I need the reader to understand that I am not going to reveal the ways in which the hack took place. I have to be careful in writing this piece not to reveal how many different ways that the hacks have occurred. Suffice to say that EVERY SYSTEM, unless it is air gapped, is vulnerable to a determined and organized hacking group. Nothing is 100% safe. Guess what: older technologies tend to have more flaws, as they were designed for different times.

So what is all the fuss about? A German so-called White Hat hacking group called SR Labs claims to be able to hack into airline systems and do things that perhaps they should not be able to do. Two media outlets are reporting this to be the case. The BBC actually witnessed one of the hacks. Fortune Magazine also observed this. Further, if you want to follow the annual hackers' convention (officially it's sponsored by the Hamburg-based hacking group Chaos Computer Club), you can follow their blog here. A command of German or Google Translate may be useful! There will be further announcements coming. Another article (this time in Dutch) talks through the story as the perils of using Instagram and putting in your boarding pass and QR codes to match.

Normally I should be applauding this exposure of the vulnerability of the GDSs and the airlines. The usual players have come out and denounced the airlines as being bad people and their technologies as being either stupid or having no security. So the Gnomes of VaultPAD thought it would be good to examine the issue and address the impact.

As we have indicated many times – airline and GDS systems are built on legacy designs dating from the 1950s. They are largely constructed on message-based technology architectures. That makes them by definition susceptible to a modern hack. Does that mean that there is a real risk that everyone should be worrying about? I really deplore people who claim to be “White Knight” hackers. In my personal opinion all hacking is bad – by definition there can be no “Good Hacking”. That is a personal opinion – you should draw your own conclusions on the subject. Suffice to say one has to be very wary around any form of hacking.

Let’s break the structure of the hack down into smaller chunks. I am going to walk through the major areas of vulnerability: consumer access, application access, communications access and finally issues in creating Trojan horse access.

At the lowest level, there are access links via passwords. These are pretty much the same vulnerability that exists for any other system. One key issue is that the frequency of use means that there are a lot of people (the author included) who cannot remember the various passwords and password conventions that exist for sites that we need to access. So the utility of passwords is horrid. Then once in – what can a hacker do? Well, you can hurt the person whose account has been hacked. That is singular. Can the hacker then cause havoc once the link has been established? This is probably where both the hackers and the writers have failed to grasp some of the concepts of the way PSS and GDS systems actually work.

At the next level, bypassing the consumer’s security, the next question for hackers is: can one access any random person’s PNR just by guessing or brute-forcing the 6 alphanumeric PNR Record Locators? Most airlines and travel sites have addressed this with 2-stage (in some cases even more) authentication. Interestingly many of us are already using 2D and 3D Bar Codes and storing them happily on our phones (see the Dutch article above). The ability to gain access to an aircraft can be compromised. Again this is a risk that has been identified and in general many places have this secured. I can identify one country where the security protocols could cause an issue. That is Australia, where no ID is required for domestic travel. That issue however can be compromised in many other ways so it is not the fault of the PSS.
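The defender's side of the record-locator guessing question above, as an added example that is not from the original post: a sliding-window check over lookup logs that flags a source trying many distinct locators that fail. The log format, field names, thresholds and all sample values are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lookup log (not real data), one line per attempt:
# timestamp, source IP, surname, record locator, result
SAMPLE_LOG = """\
2016-12-31T10:00:01 203.0.113.7 SMITH ABC123 MISS
2016-12-31T10:00:05 203.0.113.7 SMITH ABC124 MISS
2016-12-31T10:00:09 203.0.113.7 SMITH ABC125 MISS
2016-12-31T10:00:14 203.0.113.7 SMITH ABC126 MISS
2016-12-31T10:00:20 203.0.113.7 SMITH ABC127 MISS
2016-12-31T10:02:00 198.51.100.20 JONES X7K9QP MISS
2016-12-31T10:02:30 198.51.100.20 JONES X7K9QP MISS
2016-12-31T10:03:10 198.51.100.20 JONES X7K9OP HIT
2016-12-31T08:00:00 192.0.2.9 BROWN QWE111 MISS
2016-12-31T09:30:00 192.0.2.9 BROWN QWE112 MISS
2016-12-31T11:00:00 192.0.2.9 BROWN QWE113 MISS
2016-12-31T13:00:00 192.0.2.9 BROWN QWE114 MISS
"""

def flag_enumeration(log_text, window=timedelta(minutes=5), max_distinct_misses=3):
    """Return {source: peak count of distinct failed locators in one window}
    for every source that exceeds max_distinct_misses.

    Counting distinct locators (not raw failures) keeps a traveller who
    retypes the same wrong locator from being flagged.
    Assumes each source's lines appear in time order.
    """
    recent = defaultdict(deque)  # source -> (time, locator) of recent misses
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, _surname, locator, result = line.split()
        if result != "MISS":
            continue
        now = datetime.fromisoformat(ts)
        misses = recent[source]
        misses.append((now, locator))
        # Drop misses that have aged out of the sliding window.
        while now - misses[0][0] > window:
            misses.popleft()
        distinct = len({loc for _, loc in misses})
        if distinct > max_distinct_misses:
            flagged[source] = max(flagged.get(source, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

With the default five-minute window only the first source is flagged; the slow source spread over several hours shows why a short per-source window is not sufficient on its own and is paired with the second authentication factor the post mentions.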

For the communications possibility – many things are possible via IP based networks. One of the reasons the traditional travel systems were secured was based on the way they were constructed. The systems were originally designed to operate on totally closed networks proprietary to specific vendors. Many of these were polling based, which by definition had packets of data passing by several networks which could be read in the clear using tools as simple as a protocol analyzer. It was simple and very effective going back to the days that any data network was a very expensive proposition. You can still buy one of these machines on eBay (if you know how to use it!). Actually I feel pretty safe since these networks (and the equipment needed to monitor them) are mostly gone.

Finally, can anyone place Trojan horse type back doors into the airline or GDS system? Fortunately there is a completely different set of security that protects that. Again this is not infallible. But it will be hard to create a way to bypass the security and have open access to all systems including payment etc. Good luck trying to make sense of the core mainframe based systems and their subsystems – the people are mostly dead or like me old and decrepit!

This year there were several major events when whole (GDS and PSS) systems were brought down not by hacking but by simple system flaws with a major impact. I suggest going back and re-reading an article I wrote in TNooz.

I don’t want to paint too rosy a picture. It is not as good as it could be. There are many challenges. It is very clear that we need a new generation of systems. The needs for product service and customer service are long overdue. Add the risk of increased possible security violations and you can see that the need is becoming acute, i.e. that need is becoming more pressing as each day passes. Just because the industry was well served using this old legacy technology does not preclude the need for bringing in newer and more modern systems WITH better security. In my eyes – this does need to happen – and soon. If this is another kick to get that change to take place so that the industry and the consumers can be freed from the mounting risk – that is a good thing. However, just one word of caution. I hope you will consider this adage: Be careful what you wish for.

Cheers

Timothy.

Examining Global Travel Trends – Domestic vs International Travel

April 6, 2014

VaultPad

Examining Travel Trends is a fascinating exercise. Gleaning nuggets of wisdom is often fun to do. As I travel a fair amount – I am not likely to be your typical traveller. However there are trends that support what one can intuitively feel.

For some time I have been watching the decline of the domestic market travellers. On face value this trend was driven in most part by the high cost of fuel. In general many believe that the high cost of both gasoline and aviation fuel has slowed growth of domestic travel (both leisure and business). However there are other trends which are fueling the decline in growth.

The following chart shows the disparity between domestic and international growth rates in accommodation 2002-2023. (From the Oxford Economics/Amadeus Travel Trends 2014. http://blogamadeus.com/wp-content/uploads/2014/04/AmadeusTravelTrends.pdf).

In my view there are multiple factors driving this trend; here is my take on these:

  1. Hassle factor – short haul traffic is not fun. In all regions of the world the ability to travel at all has created a barrier to entry that just makes short haul travel – well not nice.
  2. Technology reduces the need. Desktop communications such as Skype and Join.Me have dramatically reduced the need for direct face to face travel in total but particularly for short haul. Desktop small meetings have also reduced the need for these to take place. This may seem counter intuitive to the need for increased meetings (yes you know what I mean).
  3. Unmetered (free) mobile communication tools. The emergence of such tools as WhatsApp, WeChat, Line etc. means that the small meeting market has itself become mobile.
  4. Yes men can actually multi-task. We have all learned the skill of multi-tasking.
  5. Consolidation and Concentration in the air transportation sectors. Domestic and International is now an oligopoly. This has resulted in far higher costs per travel unit
  6. Congestion and poor shorthaul traffic infrastructure and lack of efficient medium haul public transport. (See also #1)
  7. Cost per unit of each travel component. Hotel, Air, Ground, Meals etc etc
  8. Peer to Peer travel products such as AirBnb, Uber et al. While I personally find these services to be illegal or unreliable – the other factors make these attractive.

I think it’s important to recognize that when we are looking at the long view – be careful with short term data trends.

Cheers

How Well Do Predictions Work – a Review of 2012

December 29, 2012

VaultPad

Each year the team at TNooz does a series of predictions. This coming year the focus is on Mobile, surprising since I think we are already there. It is one of the most popular series the team does.

But how well did we do for 2012? The TNooz predictions for 2012 were not that bad. But in the interests of a true public service – perhaps a bit of self flagellation is in order.

First what did I predict?

1. User experience hits home

I predict that the current dissatisfaction with user experience with travel brands on the web will accelerate in 2012. In fact, I believe that we will start using the term “consumer fatigue”.

This will have a massive impact on web search and shopping for other products, but it will hit travel hard as the current processes and widget-based explicit interaction are really rather awful.

2. Cash for cache

The process of availability cache creation will start to cause significant issues. Owners of inventory will effectively start charging for the access to an “approved” state of availability.

This will cause significant problems for the metasearch or search companies in the travel industry.

HOW DID I DO

1. User Experience. Oh yes. Decidedly this has happened. Some hard data shows that users are moving away from the conventional UX particularly in mobile. Mobile search has also proved to be an obstacle to “sellers” and users alike. I will give myself 7/10 marks for this one. It is a slow burn and one that will happen over time. The problem is that the manifestation of it will come in different ways. While it’s not cited as the reason – I believe that a large part of IATA’s NDC effort has now focused on the user’s ability to provide information via the intermediary channel to the supply community.

The issue of handling the ocean of data and how we access it is not going to get easier. Big Data tools are slowly making it better but we still have no trust (or rather not enough trust) in what we are seeing. Essentially we don’t trust machine results enough to rely on them.

2. The battle over cache. Again a behind-the-scenes battle and one that will continue for a long time. Part of the problem with transactional sites is that they need to work on cache for performance. As users have little to no trust in the results anyway – web site performance matters more than accuracy and quality of results. It’s logical. If the site doesn’t perform fast enough then users bail out of the process and click away before even analyzing the results. In the case of the airlines – this is endemic, driven by the airlines’ need for obfuscation of the price. In the case of hotels – it is natural given the complexity and multiple models of the accommodation market. However I will only give myself 5/10 for this one. It’s there but I can’t demonstrate that it has proved to be as important as I think. Trust me though, behind the scenes this one is a 9/10.

So how will I do in 2013? A good question. Let’s see.

Cheers

Timothy

The App Economy Hot or Overinflated?

November 26, 2012

VaultPad

An article from McClatchy newspapers has appeared today across the USA extolling the benefits of the “App Economy”. Headline writers are salivating over words like “Sizzles” and “Hot”. However there is a real problem with this focus.

The sad truth is that Mobile Apps and now anything that used to be called an Application is being managed in a manner that cares little as to the value of what is being produced.

Metrics that count Apps as a requirement for a higher social score/ranking are just ludicrous (and I don’t mean the rapper either). So everyone jumping into Apps is a cautionary tale of jumping and not thinking. The APP economy is simply nuts.

Have a read of my article in TNooz and then think very carefully if you want to bet the farm on developing Apps.