
Scammers could steal British Airways passengers’ personal information through the email check-in link


SECURITY experts have warned British Airways that their passengers’ personal information could be stolen by hackers if they use links sent by the airline to their emails to check in.

Experts at Wandera discovered that some of the check-in links in emails could disclose a passenger’s surname and booking reference.

British Airways passengers could face a potential data breach when checking in. Credit: Alamy

Sun Online Travel verified this was the case on a recent booking where a surname and booking number were included in a link from a “manage my booking” email.

Wandera’s report said that the link could be vulnerable to hackers and leave passengers’ details open to scammers.

As the link is not encrypted, it could be accessed by another user sharing the same WiFi network, such as a public hotspot at a hotel or airport.

If you are using a closed home network, there shouldn’t be any issues.

Details that could potentially be stolen include email addresses, phone numbers, and itineraries.

With email URLs not encrypted, hackers could intercept private data. Credit: Getty – Contributor

The “vulnerability” could cause a number of problems for the passenger, including putting their personal information at risk, and could even lead to their flight being changed (using an alternative credit card) or cancelled by the hacker.

Wandera alerted British Airways to the vulnerable link.

There have not been any recent reported cases of passengers having had their information stolen.

A British Airways spokesperson reiterated that they have multiple systems in place which protect customers’ information.

They told Sun Online Travel: “Like other airlines, we are aware of this potential issue.

“No passport or payment information can be accessed without further authentication and there is absolutely no evidence of any attempt to take any customer information.”

It isn’t the first time the vulnerability, which was discovered in July, has been found.

In February, a similar problem was discovered with airlines including Thomas Cook, Air France and Vueling, which were all advised to make changes to keep it secure.




The report explained: “Once the vulnerable check-in link is accessed by the passenger, a hacker can easily intercept the credentials that allow access to the e-ticketing system, which contains all of the personally identifiable information (PII) associated with the airline booking.”

Nabil Hannan, managing principal at Synopsys, commented: “The confirmation number is something that users need to realise is actually private data.

“This situation illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing.

“In other words, there isn’t necessarily a security bug, but rather a security design flaw.”


Israel Barak, chief information security officer at Cybereason, added: “For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over.”

Wandera advise airlines to not only encrypt the check-in process, but to also use one-time use tokens in the email links to prevent the potential hack.
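A sketch of what that advice looks like in practice, added here as an illustration and not taken from Wandera's report or any airline's code: `audit_link` flags an emailed link that is unencrypted or carries the surname or booking reference, and `CheckInLinks` issues an HTTPS link holding only a random token that works once. The host `airline.example`, the parameter names `ref`, `surname` and `t`, the 15-minute lifetime and the sample booking are all constructed for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qsl, urlsplit

def audit_link(url, surname, booking_ref):
    """Report what an emailed check-in link exposes to anyone who can see it."""
    parts = urlsplit(url)
    values = {v.lower() for _, v in parse_qsl(parts.query)}
    findings = []
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if booking_ref.lower() in values:
        findings.append("booking reference in URL")
    if surname.lower() in values:
        findings.append("surname in URL")
    return findings

class CheckInLinks:
    """Issues and redeems single-use check-in links (in-memory store for the demo)."""

    def __init__(self, base_url="https://airline.example/checkin", ttl=900):
        self.base_url = base_url      # hypothetical endpoint, HTTPS only
        self.ttl = ttl                # link lifetime in seconds (assumed value)
        self._pending = {}            # sha256(token) -> (booking_ref, expiry)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked token table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, booking_ref, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # random, carries no passenger data
        self._pending[self._key(token)] = (booking_ref, now + self.ttl)
        return f"{self.base_url}?t={token}"

    def redeem(self, url, now=None):
        """Return the booking reference once; None if replayed, expired or unknown."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return None
        token = dict(parse_qsl(parts.query)).get("t", "")
        entry = self._pending.pop(self._key(token), None)  # pop: one use only
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```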

How to prevent your phone being hacked

To keep your mobile phone safe from hackers, there are a number of things to do:

  • Avoid public WiFi – this can easily be accessed by secondary users if sharing the same network
  • Use security apps – antivirus and added security systems can prevent malware and bugs being uploaded to your phone
  • Turn off autocomplete – if the phone is hacked, removing any automatic personal information such as addresses and credit cards can stop them being stolen

 

However, users can also defend themselves using mobile security services to block any data attacks or leaks while using their phone.

In January, a ticket booking platform breach meant passengers on more than 100 airlines could have had their data hacked.

Airlines such as British Airways, Lufthansa and Qantas were all at risk after Safety Detective Research Lab found the Amadeus booking platform to be vulnerable.




