Main article: Passenger air travel
Largest systems
For 2023, the leading developers of booking systems in Russia are:
- Siren-Travel with Leonardo system
- TAIS with USS TAIS system
For 2016, the largest online flight booking systems in other countries are offered by the following companies:
2022: Against the background of the conflict in Ukraine, all Russian airlines switched to domestic booking systems
All 53 Russian airlines switched to domestic booking systems, as reported by the Ministry of Transport of the Russian Federation on November 1, 2022. The department stressed that thanks to such import substitution, information security and protection of personal data of passengers and crews, independence of passenger traffic from foreign systems, possible failures and outages are ensured.
Since 2021, within the framework of the interdepartmental commission under the leadership Ministry of Digital Development Russia of the Ministry of Transport of Russia, industry departments, leading airlines and developers of domestic systems have joined forces to transfer air carriers to domestic ones. software A plan was worked out for phased migration, systematic transfer of data to domestic systems, adaptation of the Russian one software to the requirements of airlines.
Also, in case of disconnection of Russian airlines by foreign providers under the conditions of sanctions, an emergency launch plan for domestic systems was worked out for all airlines. Airlines chose from two Russian systems: Leonardo (developed by Sirena Travel JSC in partnership with Rostec State Corporation) and TAIS (ORS JSC).
Aeroflot completed the transition to the Leonardo automated air transportation registration information system (AIS OVP) on October 29, 2022. The transition also provided for regular flights of the subsidiary airline Rossiya (charter flights were fully provided in the Leonardo system).
Ural Airlines, together with Sirena Travel JSC, switched to AIS OVP Leonardo on October 2, 2022.
As the Deputy Minister of Transport of the Russian Federation Dmitry Bakanov emphasized, all calculations within domestic booking systems take place in rubles.[1]
2019: Medvedev ordered the developers of ticket booking systems to transfer the data of Russians to servers in the Russian Federation
In early August 2019, Prime Minister Dmitry Medvedev signed a decree obliging manufacturers of air ticket booking systems for domestic flights to transfer servers with personal data of passengers to Russia.
 | Data Base and processing computer systems (servers), databases of systems that ensure the registration of internal air transportation of passengers should be located on the territory of the Russian Federation, the document says. |  |
The new restrictions were adopted in order to preserve the confidentiality of personal data and ensure transport security, RBC reports with reference to a copy of the document. Through booking systems, foreign special services can theoretically find out information about the movements of Russians, including officials and military personnel, a source close to the government explained to the publication.
The requirement to transfer the data of Russians to servers in the Russian Federation will affect foreign booking systems used by Russian airlines, including Sabre (serves Aeroflot and), "Russia" Navitair (), "Victory" (). Amadeus S7
In 2019-2020 it is necessary to ensure the movement and placement of servers and data transfer systems on the territory of the Russian Federation. By the end of 2021, "migration of personal databases and all technologies to the territory of Russia" should be carried out.
The cost of transferring servers to Russia for foreign companies can be measured in hundreds of millions of dollars, estimates Alexander Sizintsev, director of economics and finance at TAIS, the developer of the National Reservation System.
| | The architecture of global foreign systems does not allow the separation of hosts. They are made as a single center for processing airline orders from around the world, and it can be quite costly to duplicate the local version of the system , the expert says.[2] | |
2018: Ministry of Transport postpones demands to move air reservation servers to Russia
In November 2018, it became known that the Ministry of Transport of the Russian Federation postponed the requirements for the transfer of air reservation servers to Russia. The delay should help airlines technically prepare for the innovation.
According to the newspaper Kommersant , citing Deputy Minister transport Alexander Yurchik, the government will give airlines a delay to reorganize work with personal data of Russians until October 31, 2021.
.jpg)
In July 2018, the Ministry of Transport developed a draft resolution according to which, from January 1, 2020, booking and selling tickets, as well as registration for domestic Russian flights, must pass through servers located in Russia.
By November 2018, companies use systems whose servers are located abroad to book air tickets. Among such systems, in particular, the American Sabre (it is used by Aeroflot), which, according to Vedomosti estimates, in 2017 was the largest provider in Russia with a share of 38.5%. There is also a Russian reservation system "Siren-Travel" (it is used by Utair) - it, according to the publication, occupied 30% on the market.
Deputy General Director of Aeroflot for Information Technology Kirill Bogdanov said that Sabre, with which the airline works, will transfer data and processing to the Russian Federation, and at its own expense.
| | The use of domestic systems... these are systems to ensure the operation of the second tier of airlines, as the manufacturers of these systems themselves recognize in principle, "Bogdanov said. | |
Kommersant writes that the cost of using foreign services by Russian air carriers has not been disclosed. Experts estimate the migration of technology and data at tens or hundreds of millions of dollars for IT companies.
The head of Infomost, Boris Rybak, says that in order to work in the global market, a local service must be associated with the services of other countries with gateways and interfaces.[3]
2016: Not even basic passenger data protection found in Amadeus, Sabre and Travelport systems
The largest online flight booking systems are extremely vulnerable to hacker attacks and can be easily used to illegally obtain personal data of passengers, experts from the German company Security Research Labs say.
The problem, experts say, is booking codes (PNR - Passenger Name Record), unique identifiers in databases related to civil air travel. These databases contain a lot of information about each passenger, including full name, contact information, time and route of flights, number in the cabin of the aircraft and information about luggage, credit card numbers, and so on, up to passport data.
PNR codes, which are six-digit alphanumeric combinations, are used to quickly access all of this data.
In more than 90% of cases, air travel tickets (as well as hotel reservations, etc.) are booked through global distribution systems (GDS) of only three companies - Amadeus, Sabre and Travelport. According to experts from Security Research Labs, these systems lack proper user authorization systems, the PNR code can be used to change, including unauthorized, air travel data.
Finding out someone else's PNR code is very simple: these identifiers are printed on boarding passes and luggage tags. And anyone who can find a photo of such a coupon or take it on their own can access the passenger's personal data through the website of the airline or the global distribution system.
| | The personal data of passengers is also threatened by the fact that these identifiers can be selected through a brute force attack. The method of forming these six-digit codes makes them even weaker than five-digit passwords... which today are considered too weak for almost any application on the Web. Two of the three main GDS operators assign codes sequentially, which makes the task of enumerating them even easier. Finally, GDS and airline sites allow thousands of combinations to be searched from the same IP address. Knowing only the names of passengers, their booking codes can be found on the Internet without special problems, - says the publication of Security Research[4] | |
Experts point out that a number of threats to the safety of passengers stem from this. Attackers can use the personal data they collect for fraud with flights (up to flying at someone else's expense), as well as for phishing attacks.
Security Research Labs is not the first company to warn that PNR codes pose a threat to passengers' personal data. A couple of years ago, Kaspersky Lab warned about this, which strongly did not recommend taking images of its air tickets in the public domain[5].
In the middle of this year, it became known that a 32-year-old resident of Cameroon was able to get full access to the GDS system (just, by the way, through phishing), and between 2011 and 2014 he actively traveled around the world, not forgetting to resell the tickets he bought for nothing. The damage from his actions amounted to $2 million. In 2014, he was arrested in France and extradited to the United States, where he is now on trial.[6]
Security Research Labs experts say that GDS databases were created in the 1970s and 1980s, their architecture was then advanced, but now, in the Internet era, these databases are devoid of even a basic degree of security. In particular, there is no multi-step authorization by definition.
While the entire Internet is discussing what authorization factors to use in the second and third order, GDS does not even have the first stage, according to the publication Security Research Labs. Experts consider it necessary to equip GDS systems with brute-force protection and an unlimited number of attempts to match PNR codes from the same IP address.
| | Outdated systems that have been equipped with the ability to connect to the Internet in the absence of their own means of protection are a fairly common problem, "said Ksenia Shilak, a representative of SEC-Consult. - This is especially often observed in the industrial sphere: old production complexes designed in the pre-Internet era are directly connected to the Internet, and are at risk of hacker attacks simply because their software components were designed without taking into account possible cyber threats. With GDS, apparently, this is about the same situation: these systems were developed when no one imagined that they would be so easy to access. With their current architecture, the very concept of privacy turns out to be nonsense: the data that should be guarded as the apple of the eye literally lies in the most prominent place. | |
Sabre officials said they had implemented numerous fraud protections but declined to tell Reuters any details. Amadeus said it has carefully reviewed the SR Labs publication and is taking the necessary steps to ensure additional security. Travelport did not comment on the publication.[7]
Notes
- ↑ All domestic airlines have completed the transition to Russian booking systems
- ↑ Authorities ordered ticket booking systems to move servers to Russia
- ↑ Ministry of Transport postponed booking
- ↑ Labs. Security Research Labs
- ↑ in 7 ways to make malicious fun of those who posted photos of the boarding pass on the Internet
- ↑ Cameroonian infiltrated the global airline booking system and flew $2 million
- ↑ Flight booking systems lack basic privacy safeguards, researchers say
| The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible. |