Amadeus Selling Platform Connect & IT Security Guidelines Information Security Sep 2020

Post on 14-Nov-2021

Page 1: Amadeus Selling Platform Connect & IT Security

Amadeus Selling Platform

Connect & IT Security

Guidelines

Information Security

Sep 2020

Page 2: Amadeus Selling Platform Connect & IT Security

IT Security Team

Last update: 15/SEP/2020

Page 2 of 18 amadeus.com

© 2020 Amadeus Gulf

Contents

Introduction ................................................................................................. 3

Amadeus Selling Platform Connect Security ...................................................... 3

Amadeus and Travel Agencies Security Responsibilities ...................................... 3

Selling Platform Connect Designed with Security in Mind .................................... 4

Fraud .......................................................................................................... 8

What to do in case of Fraud? .......................................................................... 8

Information Security ................................................................................... 11

Tips for Keeping Internal Fraud Incidents at Bay – Agency ............................... 12

Tips for Keeping Internal Fraud Incidents at Bay – Employees .......................... 12

Password management ................................................................................ 14

Amadeus Selling Platform Connect Password Policy ......................................... 14

Drive-By-Infection....................................................................................... 15

Strong Passwords ....................................................................................... 15

Best Practices to Protect your System ............................................................ 17

Conclusion ................................................................................................. 18


Introduction

Protecting information and information systems from unauthorised access, use or disruption requires good work practices that comply with the security policies, in order to minimise breaches.

Amadeus's commitment to information security is to protect its products and customer data according to relevant laws and regulations, contracts and risk assessments.

Security is a shared responsibility between travel agencies and Amadeus.

Amadeus Selling Platform Connect Security

Amadeus ensures that its core systems and the applications it proposes to travel agencies comply with stringent external and internal security standards.

Travel agencies should ensure that their systems and processes are properly secured to protect their business from fraud attempts.

General

Amadeus Security Policies and Standards, implemented under proper governance, ensure that all Amadeus and customer assets are adequately protected according to the latest laws and regulations.

For product development, the Amadeus Secure Development Lifecycle (SDL) specifies mandatory controls to be implemented at each stage of development and provides formal security deliverables.

Regular external audits are conducted on the Amadeus internal environment to prove and maintain compliance and certification with:

• PCI DSS (Payment Card Industry Data Security Standard).

• SSAE16 – SOC1, an American auditing standard that provides guidance on auditing methods to evaluate the impact of security on the overall financial health of a company.

• ISO 27001:2013, a framework of policies, internal standards and procedures that includes all legal, physical and technical controls involved in an organization's information security risk management processes.

Amadeus and Travel Agencies Security Responsibilities

Amadeus's Security Responsibility:

• Amadeus shall ensure that proper information security protection mechanisms and controls are implemented in the products offered to the Travel Agencies.

• Amadeus shall ensure that audits, vulnerability assessments, penetration testing, risk assessments and compliance with local laws, regulations and the international standards mentioned above are performed on the products on an ongoing basis.


Travel Agencies' Security Responsibility:

• Travel Agencies shall ensure that their systems and processes are properly secured to protect their business from any unauthorized access and fraud attempts. Ensure that local users have access to the IT systems based on roles and job descriptions.

• Phishing and social engineering threats can be prevented by local employee awareness training and email filtering protections.

• Travel Agencies shall ensure that patching and keeping the systems up to date (operating systems, applications including browsers and anti-virus, etc.) are being performed.

• Ensure that there is a password management standard that enforces the baseline of a strong password.

• Travel Agencies shall ensure that they have a proper incident management process that includes a formal incident reporting process.

If a travel agency fails to comply with these basic principles, it bears the risks associated with any data breach, and Amadeus will not be held liable in case of fraudulent activities.

Selling Platform Connect Designed with Security in Mind

Sell Connect Architecture

• Authentication and authorization mechanisms at the heart of the application.

• Inactivity time-out and re-authentication.

• Systematic logging of activity through built-in analytics.

• Concealment of credit card data in all flows.

• Included in the PCI DSS audit scope.

Sell Connect is developed using a methodology that includes security requirements at all steps of the cycle, from design to final implementation:

• Threat modelling

• Security code reviews

• Automated vulnerability scans

• Penetration tests

• Mandatory training on secure coding and testing

• Support from a network of security champions (white hats)


Selling Platform Connect User Authentication Principles

Selling Platform Connect is compliant with current Amadeus corporate security policies, in particular the one stating that any access to travel agent reservation platforms over the Internet must be protected by strong authentication.

The current solutions implementing this requirement are:

• Cookie-based two-factor authentication, based on an out-of-band one-time password delivered via SMS or email.

• DDNA – Digital DNA.

These solutions increase the strength of the authentication with minimal impact on users.

Selling Platform Connect Two-Factor Authentication

The travel agent needs to log in with two factors:

• Something he knows: a password.

• Something he has:

1. A single-use code sent to a mobile phone or an email address.

2. An already-used browser (cookie).

3. A specific computer (desktop/laptop).

Recommendations:

• TFA (Two-Factor Authentication) is recommended when connecting over any type of connection (leased line or internet).

• Amadeus proposes the following 2 options to implement TFA:

o Internet browser based

o Hardware footprint

Two-Factor Authentication: Internet Browser Based

• The second authentication factor is a One Time Password (OTP) sent via SMS or email to a given phone number or email address.

• This password (PIN) is stored on the workstation in a specific Amadeus cookie and passed at logon time to the application to check access rights.

Limitations:

• The period of validity of the PIN is not limited as long as it is in use. Unused PINs are deleted automatically after 30 days.

• If the cookie is not cleaned, the PIN remains valid.

• If the workstation is compromised and the TFA is sent by mail to the infected machine


Two-Factor Authentication: Hardware Footprint (DDNA)

Digital DNA = a DNA for a physical device.

As DNA is unique to humans, Digital DNA is unique to devices (laptop, desktop, USB key).

The computer becomes the second factor of authentication: uniqueness is achieved by computing a hash of device attributes that is unique and does not change over time or with usage (accessible only from an installed plug-in).

DDNA is a proof of device ownership: it allows building a “something you have” authentication factor.

There are 2 options to enrol a workstation in DDNA:

• An admin enrolment flow: the user must contact the administrator to get his/her device registered.

• A self-registration flow: at login time, if the device is not recognized, the user receives an OTP to register the device by him/herself.

Note that you can use Amadeus Selling Platform Connect from the restricted terminal.

Limitations:

• The Portability Control will force a travel agent to work only from devices that are registered with his/her LSS credentials.

• Self-registration can only be done for one workstation at a time and does not support USB sticks yet.
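The admin and self-registration enrolment flows above, modelled as an added example (not Amadeus code and not the real DDNA implementation): the attribute names, the SHA-256 construction over stable attributes only, the one-pending-registration rule and the in-memory registry are assumptions based solely on the description that a hash of stable device attributes becomes the "something you have" factor.

```python
import hashlib
import hmac
import json
import secrets

# Attributes assumed stable for the life of the device (names are made up).
# Volatile values (IP address, uptime, free disk space) are deliberately left out:
# if they were hashed, every login would look like a new device and trigger an OTP.
STABLE_ATTRIBUTES = ("machine_guid", "board_serial", "disk_serial", "cpu_id")


def device_fingerprint(attributes: dict) -> str:
    """SHA-256 over the stable attributes only, serialised with sorted keys so that
    neither dictionary order nor extra volatile fields changes the result."""
    stable = {k: attributes[k] for k in STABLE_ATTRIBUTES}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()


class DeviceRegistry:
    """Server-side record of which fingerprints are enrolled for which user (assumed design)."""

    def __init__(self):
        self.enrolled = {}   # user -> set of fingerprints
        self.pending = {}    # user -> (fingerprint, otp): one self-registration in flight

    def admin_enrol(self, user: str, fingerprint: str) -> None:
        """Admin enrolment flow: the administrator registers the device directly."""
        self.enrolled.setdefault(user, set()).add(fingerprint)

    def login(self, user: str, password_ok: bool, fingerprint: str) -> str:
        """Decide a login: 'denied', 'granted', 'otp_required' or 'otp_pending'."""
        if not password_ok:
            return "denied"          # first factor failed; reveal nothing about the device
        if fingerprint in self.enrolled.get(user, set()):
            return "granted"         # recognised device supplies the 'something you have' factor
        if user in self.pending:
            return "otp_pending"     # self-registration is one workstation at a time
        # Self-registration flow: unknown device, so issue an OTP tied to this fingerprint.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (fingerprint, otp)
        return "otp_required"

    def complete_self_registration(self, user: str, fingerprint: str, otp: str) -> bool:
        """Enrol the device only if the OTP matches and it is the same device that asked."""
        expected = self.pending.get(user)
        if expected is None or expected[0] != fingerprint:
            return False
        if not hmac.compare_digest(expected[1], otp):
            return False             # wrong code: keep the pending entry for a retry
        del self.pending[user]
        self.enrolled.setdefault(user, set()).add(fingerprint)
        return True


if __name__ == "__main__":
    # Constructed sample device; every value below is made up.
    laptop = {"machine_guid": "guid-0001", "board_serial": "MB-12345",
              "disk_serial": "DSK-777", "cpu_id": "CPU-ABC", "ip": "10.0.0.5"}
    registry = DeviceRegistry()
    fp = device_fingerprint(laptop)
    print(registry.login("agent1", True, fp))                      # otp_required
    otp = registry.pending["agent1"][1]                            # sent by SMS/email in reality
    print(registry.complete_self_registration("agent1", fp, otp))  # True
    print(registry.login("agent1", True, fp))                      # granted
```

A changed stable attribute (for instance a replaced disk) yields a new fingerprint, so the device is treated as unknown and must go through the OTP flow again.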

Frequently Asked Questions for TFA

1. TFA is based on the use of cookies. Do cookies have an expiration date?

➢ It all depends on the client's browser security policy. Some companies may set up a cookie clean-up process; otherwise the cookie stays on the client computer. Any company that sets a browser to automatically clear cookies at exit can also configure it to exclude Amadeus cookies by setting Amadeus as a trusted site.

2. If the cache is cleared, will it delete the cookie and will the user be sent an OTP again?

➢ Indeed, if no cookie is recognized, a new One Time Password (OTP) is sent.

3. If the user receives an OTP (SMS or email) and does not act on it, how is the OTP reset?

➢ This OTP is valid for a limited time period. To reset it, retry logging in to the product.

4. How long does the user have to wait for the SMS or the email?

➢ 15 minutes. If the agent does not receive any notification email within 15 minutes, please contact the Amadeus helpdesk.

5. How many OTPs can be allocated?

➢ A new unique OTP is generated each time a user tries to access the product from an unknown location.


User Traceability - Amadeus Single User Session

The Single User Session functionality ensures that 2 (or more) agents cannot sign in to Selling Platform Connect at the same time using the same username.

This product feature is critical for the application to comply with Amadeus security policy, allowing in particular optimised user identification and traceability. It applies to both production and training environments.

Note that the Single User Session is set by default.

Accessing Selling Platform Connect via the Amadeus network (LAN-to-LAN VPN)

Amadeus offers travel agencies access to its system and applications through the Amadeus private intranet.

This solution mainly consists in connecting the travel agency's intranet to the Amadeus intranet, which is particularly suited to large travel agencies that already have their own secured intranet.

Office ID Security Settings

No specific LSS security settings exist at the office level. All security parameters are managed via the ASM (security web interface) by the Affiliate.

The Affiliate, together with the Travel Agency, should periodically review existing EOS agreements to ensure that they correspond to the exact needs of the agency.

Office Setting:

• Travel agencies may consider restricting the ticketing capability to a selected number of people, hence reducing the risk of fraud. This can be done in User Group definitions.


Fraud

Fraud is an intentionally deceptive action designed to provide the perpetrator with an unlawful gain, or to deny a right to a victim.

Fraud Scenarios

(*) Notes:

1. Via phishing, visiting malicious webpages, opening infected documents.

2. Often OTPs are sent to a generic mailbox. This account should not be shared.

3. Malware can install a Remote Access Tool (RAT) with the capability to activate a session if the workstation is not powered off. But fraudulent access with this credential is only possible when the legitimate T/A is not logged on.

If stolen credentials have rights to create additional accounts, the fraudster can create a new account (or register a new device) and use it at any time!

What to do in case of Fraud?

By the Travel Agent:

• Each affected agency should be advised to identify the compromised computer and disconnect its network access.

• To ensure all infections are eliminated, rebuild the computer from scratch with a new operating system installation.

o Where possible, take a system image first so that a forensic investigation can determine the root cause of the infection.

o Note: scanning with an anti-virus product does not guarantee that all traces of an infection have been successfully removed.


• Report the case in detail to the Amadeus IT Service Desk along with the malicious actions that were performed:

o Date and time of the fraudulent activity, list of all fraudulent PNRs, list of fraudulent tickets, compromised account and/or sign, Office ID, workstation IP.

• Urgent actions to take: void or refund as many tickets as possible; as a last resort, contact the airline to suspend the e-ticket coupons to prevent the tickets from being used. This will protect your revenue.

• As per IATA requirements, cancel the flights and report the case to IATA or your local BSP.

• Report the case to local or national law enforcement, as appropriate to the country.

• Once notified, the Amadeus Service Desk will perform the following actions (as per the existing procedure):

o Immediately lock the Amadeus user account.

o Log an incident record to SMC Distribution.

o Provide support to the customer to void, refund or suspend the tickets; this must be done with the agreement of the Travel Agency.

o The Travel Agency must confirm the rebuild of the workstation before a new installation is executed.

o Investigate the root cause with the customer and collect the associated evidence.

• Most credential thefts and malware installations are done via phishing emails. Refer to the section “Travel Agency Security” for recommendations on how to avoid them.

• Hereafter is an example of an email to warn Travel Agencies in your market:

We would like to inform you that phishing has taken place in some markets. In some cases the attackers, impersonating Amadeus by email, attempt to infect computers.

We would like to advise you to take a couple of precautionary steps to avoid being affected.

1. Amadeus never sends software updates via email.

2. Always verify that the sender's email domain is correct.

3. Never open attachments or click on links in an email unless you are sure the action is safe.

4. Please report suspicious emails by logging a case in the Amadeus Service Hub.

5. You should run current anti-virus software in real-time mode on all computers.

Please share these guidelines with all members of your agency.


Travel Agencies Local Administration duties

Hereafter are some best practices to consider:

● Delete unused accounts.

● Freeze the accounts of temporarily inactive users (long sick leave, for example).

● Use professional email addresses and phone numbers in the user account.

● Only maintain one single account per travel agent.

● And never, ever, share accounts and passwords.

An additional simple measure to limit the risk is to shut down the workstation during the night and on non-working days. So everyone is requested to shut down their workstation when leaving the office!

Travel Agency Security

The most common cyber threats to Travel Agencies are social engineering attacks, especially phishing, which attempt to steal confidential data, install remote desktop utilities and backdoors, and install malware.

It is the responsibility of the Travel Agencies to protect their own infrastructure.

A key part of this protection concerns travel agent awareness and training.


Information Security

Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

Main cyber threats to travel agencies


Tips for Keeping Internal Fraud Incidents at Bay – Agency

Tips for Keeping Internal Fraud Incidents at Bay – Employees


How did My Computer Get COMPROMISED?

Phishing

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate site.

How to prevent Phishing (malicious emails)

• Never click on any links in an e-mail. Instead, use an internet search engine to find the web site you want, or manually type in the address of the site.

• Never respond to any suspicious e-mail requesting personal information. If a company is requesting personal information about your account or says your account is invalid, visit the web page and log into the account as you normally would.

• Finally, if you are not sure whether Amadeus is the true sender of the e-mail you received, please contact Amadeus over the phone or via a known support e-mail address to get confirmation before any action is taken.

• Most phishing-related risks can be avoided through awareness and training of employees.


Password management

Recommendations

• Don't share or communicate your passwords to anyone, NEVER!

• Don't use generic passwords.

• Change your password at least every 60 days.

• Create a strong password:

o Use a unique combination of letters (mixing upper and lower case), numbers and symbols (special characters).

o Use at least 8 characters for your password; more is better.

o You must not use your Selling Platform Connect password anywhere else.

o Do not use your e-mail password, nor your network username.

o Do not use an easily guessed password, such as “p3ssw0rd”, or combinations of adjacent characters on your keyboard.

o In general, avoid using the same password on multiple web sites, and make sure your e-mail password stays unique.

o Never store any passwords in plain text anywhere, including in a web browser; if needed, use a secure password manager.

Amadeus Selling Platform Connect Password Policy

• Minimum length: 8 characters

• Enforce both alphabetic and numeric characters: Yes

• Enforce both lower and upper case: Yes

• Enforce special character: Yes

• Password validity: 60 days

• Maximum password attempts: 6

• Minimum password history: 6


Drive-By-Infection

Recommendations

• Sometimes just browsing a site can result in downloading and installing a malicious program on the workstation:

o Avoid visiting sites not related to your work.

o Check that you are at the right website when downloading software or upgrades. Even when using a trusted site, double-check the URL before downloading to make sure you haven't been redirected to a different site.

• Keep your system up to date:

o Windows security updates

o Updates for all other software (browser, Adobe Flash Player, Java, PDF reader, ...)

o Turn on the automatic updates feature if possible

• Always use up-to-date antivirus software.

o Use the automatic update function.

• Don't surf the internet with administrative privileges.

• Restrict access to some web sites.

Strong Passwords

Why a strong password?

Passwords provide the last line of defence against unauthorized access to your computer.

Weak passwords can be cracked in a very short time, even with a standard notebook.

A modern notebook can run 10 million cracking attempts per second!

Here are some examples of the time it would take a standard notebook/PC to crack passwords of various lengths and combinations of characters:

However, the really bad guys use much stronger systems for password cracking.


They need less than a minute to crack an 8-character password.

As you can see in the table above, the length and complexity of the password are the deciding factors. Follow the best practices below for generating passwords that are difficult to crack.

DOs:

• DO use passwords of at least ten characters (unless the system does not allow it). The more characters, the more difficult a password is to crack. Length is key!

• DO use a combination of character types: use numbers, lowercase letters, uppercase letters and symbols in your password (e.g. XkeDZaJ6QG3E8!jKq3%yIOd3).

• DO change your password often: change your passwords at least every three months.

DO NOTs:

• DO NOT use dictionary words: they are tried first by password crackers. If your password is summertime, your server is probably already cracked.

• DO NOT use names of pets, people, places, events, etc.

• DO NOT reuse passwords.

• DO NOT use adjacent keyboard strings: qwerty1234 is not a good password.

How do I create a strong password?

Create your strong password by following these tips:

• Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as “My son's birthday is 12 December, 2004”. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.

• Substitute numbers, symbols and misspellings for letters or words in an easy-to-remember phrase. For example, “My son's birthday is 12 December, 2004” could become Mi$un'sBrthd8iz12124.

• The best way: simply use a short sentence like this: iloveparisinthesummer. 21 characters means a huge number of possible combinations, very difficult to crack even for professionals. To make it even more secure you can spice it up with some special characters: iLoveParisinthe$ummer
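As an added example (not Amadeus code) serving both the Selling Platform Connect password policy listed earlier and the crack-time arithmetic of the Strong Passwords section, the following Python checks a candidate against the stated policy rules, flags the dictionary and keyboard-walk patterns the DO NOTs warn about, and estimates worst-case brute-force time at the quoted 10 million guesses per second; the WEAK_PATTERNS list, the leet table and the 0.8 similarity threshold are assumptions.

```python
import string
from difflib import SequenceMatcher

NOTEBOOK_RATE = 10_000_000          # guesses per second, the notebook figure quoted above
MIN_LENGTH = 8                      # Selling Platform Connect policy: minimum length 8
SPECIALS = set(string.punctuation)  # the 32 printable ASCII symbols count as "special"

# Constructed stand-in for the dictionary and keyboard-walk lists that crackers try first.
WEAK_PATTERNS = ("password", "summertime", "qwerty", "asdf", "1234", "abcd")

# Common substitutions undone before the pattern check ("p3ssw0rd" -> "pessword").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def check_policy(password: str) -> list:
    """Return the policy rules the password breaks; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("alpha_and_numeric")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("upper_and_lower")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    return failures


def charset_size(password: str) -> int:
    """Alphabet a brute-force search must cover, given the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def brute_force_seconds(password: str, rate: int = NOTEBOOK_RATE) -> float:
    """Worst case: try every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, to one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def weak_pattern(password: str):
    """Return the dictionary word or keyboard walk the password is built on, else None.

    Keyspace arithmetic overstates such passwords: crackers try them first, so
    'summertime' falls long before the 26**10 guesses the charset maths suggests.
    """
    normalized = password.lower().translate(LEET)
    for pattern in WEAK_PATTERNS:
        if pattern in normalized or SequenceMatcher(None, normalized, pattern).ratio() >= 0.8:
            return pattern
    return None


def assess(password: str, rate: int = NOTEBOOK_RATE) -> dict:
    """Policy check, pattern check and brute-force estimate in one report."""
    return {"policy_failures": check_policy(password),
            "weak_pattern": weak_pattern(password),
            "brute_force": human_time(brute_force_seconds(password, rate))}


if __name__ == "__main__":
    # The document's own examples: the ones it warns against and the ones it suggests.
    for pw in ("p3ssw0rd", "qwerty1234", "summertime", "Msbi12/Dec,4",
               "Mi$un'sBrthd8iz12124", "iloveparisinthesummer", "iLoveParisinthe$ummer"):
        print(f"{pw:24} {assess(pw)}")
```

Run over the document's own examples, it shows that Msbi12/Dec,4 and Mi$un'sBrthd8iz12124 satisfy every listed rule, while iloveparisinthesummer and iLoveParisinthe$ummer fail the alphabetic-and-numeric rule despite their length, and p3ssw0rd is both policy-breaking and a leet variant of a dictionary word.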

How to remember my passwords?

We all have lots of passwords. We have to change them regularly and still be able to remember them.

It is no problem to write them down, but passwords should never be recorded in plain text.

If your job requires keeping track of passwords or other user credentials in documents such as Excel or Word, then make sure you always use a password-protected file that you do not call “passwords”!


Alternatively, you can use a password manager. These are small programs in which you can store your passwords safely. You then only need to remember a single password, the one you need to open your password manager.

You can use KeePass for your password management and for creating strong passwords. KeePass: http://keepass.info/

Never Ever Give Your PASSWORD Away.

No one needs your password! Ever! Not even an administrator!

Your password is your digital “identity”. Whoever uses your password is operating in your name.

Treat your password like the PIN of your credit or debit card. Don't share it with colleagues, even when you're on holiday.

Never give your password to any member of the IT department. No one, not even those working in user services or the computer centre, needs your password to carry out their work.

If someone should ask you for your password, for example on the telephone, just reply: “I'm sorry, I refuse to share my password” and report the incident to the helpdesk. Such requests are generally dubious.

Best Practices to Protect your System

➢ Change your Selling Platform Connect password to a complex one.

➢ Change your email password monthly, using a complex password.

➢ Don't keep your passwords in notes on the system.

➢ Never save the password in any browser.

➢ Shut down the system or disconnect the network cable after office hours.

➢ Uninstall PC remote access software such as TeamViewer, AnyDesk or any other.

➢ Select an email service provider with a strong password policy.

➢ Never open or reply to any email from unknown sources, and do not open attachments that seem suspicious.

➢ Your password is your system security: never reveal it to anyone!


Conclusion

This document has discussed the most important, and often least understood, aspect of security: the security policy.

A security policy establishes the expectations of the customer or user, including what their requirements are for confidentiality, integrity and appropriate management of their data, and the conditions under which they can trust that their expectations are met.

Security is a shared responsibility

• Amadeus is constantly monitoring the evolving threat landscape to proactively adapt security measures when needed.

• Amadeus Selling Platform Connect is equipped with a strong authentication mechanism that helps validate the true identity of the travel agent.

• Travel Agencies have a key role in securing their environment:

o Defining user access as per business needs (least privilege)

o Hardening the Travel Agency IT environment: keeping all operating systems and internet browsers up to date, and installing and maintaining a firewall and anti-virus software.

o Educating travel agents on information security will reduce the risk of fraud and cyber-attacks.