by matteason 679 days ago
This is only tangentially related but it always blows my mind how insecure airline booking portals are. For many (most?) airlines all you need is the booking reference (PNR number) and surname to log in and see flight itinerary, contact details and, in some cases, change or cancel the booking. No password or MFA needed.

The kicker is that your PNR number and surname are encoded in the barcode on your boarding pass, easily scannable with a phone app. If you ever post a boarding pass online you're unintentionally doxxing yourself and potentially letting people screw with your flights.

I've seen celebrities do this, and during the CrowdStrike outage one tech CEO posted his handwritten boarding pass on Twitter with the PNR in full view.

https://krebsonsecurity.com/2017/08/why-its-still-a-bad-idea...

5 comments
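
The barcode point in the post above, as an added example that is not part of the original thread: a Python parser for the fixed-width mandatory block of a boarding-pass barcode string (IATA BCBP "M" format), showing that surname and booking reference sit at fixed offsets in plain text. The sample string is constructed and the function names are illustrative.

```python
# Mandatory fixed-width fields of the first leg of an IATA BCBP ("M") string,
# in order, as (name, width). The widths sum to 60 characters.
BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)


def parse_bcbp(text):
    """Split decoded barcode text into its mandatory fields, padding removed."""
    if len(text) < MANDATORY_LEN:
        raise ValueError("too short for a BCBP mandatory block")
    if text[0] != "M":
        raise ValueError("not an 'M' format boarding pass")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = text[pos:pos + width].strip()
        pos += width
    return fields


def portal_key(text):
    """Return the (surname, booking reference) pair the post says acts as a login."""
    fields = parse_bcbp(text)
    # The name field is encoded as SURNAME/GIVEN, space-padded to 20 characters.
    surname = fields["passenger_name"].split("/", 1)[0]
    return surname, fields["pnr"]


# Constructed sample, not a real booking.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ123 " + "AAABBB" + "ZZ "
          + "0001 " + "100" + "Y" + "012A" + "0001 " + "1" + "00")

if __name__ == "__main__":
    print(portal_key(SAMPLE))
```

Nothing in the mandatory block is encrypted or hashed, so cropping or blurring the printed text on a photo does not help if the barcode itself stays legible.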

The issue here is interoperability.

PNR identifier and last name is the only reasonable key to use when a single PNR is meant to be shared among the GDS, the IT provider, the traveler and companions, hotels, car rental companies, travel agencies and countless other players in the market (sometimes several of each at the same time).

But it's also true it relies on the traveler keeping the PNR reference secret.

Adding MFA would involve adding new segments to all sorts of EDI messages, more complex booking/ticketing/cancelling flows, and getting all those companies on the same page so shit works without impact.

It'd be possible and an impressive engineering effort, but also a royal PITA given all the moving parts in the travel industry.

The few times I had to cancel/rebook or similar I was next to the counter with my ID, but I can think that having people call you and/or send an email for you to click to confirm is easier and has less friction than revamping the whole GDS industry and their (ducks) legacy B2B interoperation.

You can only imagine the pain of having a "-" in your last name, when some documents accept spaces but not hyphens, and some accept hyphens but not spaces, and some accept neither, and some require other identifying documents to match each other...

I imagine this is the sort of thing that makes these stay so open. If my flight is cancelled and rebooked with a partner, but my id says "Last-Name" and my boarding pass says "LastName" and for some reason I'm in the system as just "Name," then it's really nice that I can still make it on my next flight departing in 10 minutes.

My name almost always gets trimmed. Here you can see a bit of the interoperational hell: https://xx1.pass-consulting.com/documentation/xx1-travel-sdk...

The tech in the travel industry is cursed, and the pay is bad. Do not recommend.

It's worse with some. A recent trip had me create an account with an airline - I can log in and see my trips, points, name, etc... but to see the itinerary, I have to have the PNR number, which isn't anywhere in the authenticated portal area. It's only delivered by email, once AFAICT. I thought I'd lost it at first - couldn't find it for a while (went to spam apparently).

But... if I'm logged in via user/pass... why would this notion of 'view your itinerary' NOT be available? What security benefit is there? None as far as I could see.

Because then they'd have to `SELECT *` on an unindexed field...

I know this is HN and here it's not a popular opinion, but maximum security is _not_ always a good idea. Even setting aside the problem of many different actors having to access these details mentioned below, there's value in a simple login process. Specifically for airplane tickets, the most common ones I had to struggle with multiple times are retrieving reservations bought from a different computer, or by a travel agency. In all these situations, it was exactly the simple approach that saved me. If 2FA was mandatory, the best case scenario was that the travel agency would have to send you a separate e-mail with details about how to access their portal where this 2FA would somehow work. The number of systems multiplies, the number of credentials to remember does, as well. If you are not from your usual workplace (and chances are, if you are travelling, you are not) or from a shaky connection (same), you are in a real problem. In a time-critical scenario, which makes it really worse.

Implementing a "secure" connection here would be a sure road for pain ahead, at least it would need the airplane company to increase customer support a lot, and likely a lot of bad publicity every time something fails. Delays cost money, especially in this industry. And what would you get for that? The safety that, if you publish a picture of your reservation / boarding pass online, nobody can log in with your credentials and cancel your flight? That's a rather niche and very targeted risk, which is better handled by a single customer support agent who, simply, issues you a new ticket.

(by the way, by the time you have checked in and your boarding pass has been issued, a lot of companies just don't allow you to cancel anymore, so it's really a non-issue?)

> (by the way, by the time you have checked in and your boarding pass has been issued, a lot of companies just don't allow you to cancel anymore, so it's really a non-issue?)

Which companies have a cancellation policy that is contingent upon getting a boarding pass? I've cancelled checked-in tickets before. If the flight is operated by a different airline than the ticket issuer, you just have to call the operating airline first to undo the check-in (a few airlines can even do this online). After that it should be possible to cancel the ticket by the ticket issuer without any problems.

Maybe it was after boarding the flight? I still find it convenient. It's not that hard to keep the PNR number and surname. The reason it's so open is that there's an identity check at the next stage where you can't use them if you're faking.

The concern is more about DOSing - using a PNR and last name, you can view (and in some cases, cancel) online via the airline's web site.

It's an overlooked security issue in the airline industry. Yet I still haven't encountered such data theft stories (I mean personally).