
PG - An adversarial approach to Airline Revenue Management

BSides Las Vegas | 24:46 | 165 views | Published 2024-09
About this talk
Proving Ground, Tue, Aug 6, 12:30 - 12:55 CDT

Richard Branson is oft quoted with the quip that the quickest way to become a millionaire in the airline industry is to start as a billionaire. An industry constrained by high fixed capital costs, bilateral capacity treaties, airport slots and curfews, labour etc., airlines use the practice of revenue management to fill planes, maximise earnings and keep competitors at bay. But you're not interested in an economics talk; this is a hacker con. I'm here to provide a bird's-eye view and introduction into how fares and ticketing work, debunking some myths while outlining system constraints and limitations that introduce vulnerabilities. As an outcome, attendees should gain an introductory understanding of airline industry pricing, published fares and terminology. With most blogged 'deals' patched quicker than RCEs, the deeper understanding of not what but how facilitates a progression for those interested to interact on more specialised discussion forums.

People: Craig Lester
Transcript [en]

Hey everyone, thanks for coming. Long-term listener, first-time speaker, so this will be fun. OK, so today I'll be talking about tickets and other fun stuff. So firstly, who am I? I'm a, I guess, SIEM engineer with a background in data networking, Cisco firewalls, that sort of stuff, and I guess an interest in analytics. My interest in travel hacking and travel stuff relates to, I guess, when I first moved interstate for work. I used to always check in 24 hours before the flight and I was like, damn, how come I can't select these front seats? Like, this is the second time,

who's beat me to it? And then you kind of find out that things are actually reserved, and then you learn a bit more about how different airlines and other things have status, and then the clubs and all the other fun stuff. So I guess that's what really built my interest, and then living overseas I used to fly a lot. So having said that, what is this talk not? So what you often see on blogs and things like that is these sort of outlandish things where it's like, oh, how I flew the largest, you know, the top flexible price for something,

first class, for like nothing, right? And when you start to read the articles and get through it, what you find often is, oh, they just got a credit card sign-up bonus and here's some miles. So in the case of this article they didn't actually have an affiliate link, but a lot of them is, I guess, affiliate marketing, right? So anyway, with that I've got just a quick disclaimer. This is obviously for ethical security reasons, to help people in those teams fight and prevent, and ensure revenue integrity. So us in SOCs, in SOC teams, we often have some extra analytical capability that

does add for things like fraud and whatnot that I value. So similarly, just some caveats for this talk: I haven't worked in this industry, this is just me playing around and my fun, you know, things I've learned over time, just to share with everyone here. So it's not 100% accurate, it's just black-box reverse engineering. So why is the airline industry the way it is? Essentially it's highly regulated. There's bilateral agreements between states and they control how much traffic you can have. They have these things called the freedoms of the air; there's sort of five known from international treaties, like for passenger ones,

there's generally it's to carry between your home state and another state, but there's also an interesting one called the fifth freedom, where it stops over in an intermediary location and it can pick up and drop off people. So a good example of this is the Emirates flight to New York that stops in Milan, so Emirates are able to sell New York to Milan as a segment and Dubai to Milan as a segment, as well as the straight through to New York with a transit. In terms of marketing and cheaper fares, you often find that airlines

will charge more for a direct flight, and this is because of things like business travellers and people's preferences, and competitive attacks are often against other competitors' home ports. So you see things like it might be against London Heathrow by the SkyTeam alliance, where they'll be pushing people through Paris or Amsterdam or whatnot, right? So having said that, what is revenue management? Revenue management is basically they're trying to extract the most amount of money they can and sweat their assets. They want those planes full and they want the most amount of money people can, you know, get out of you.

So it's kind of similar in some ways to a grocery store with perishable goods, except, you know, people generally have to be somewhere by a time, rather than, you know, the broccoli is going to go bad. So the things they worry about is, as I said, over-protection (these are sort of the more technical terms when you look into it), you know, leaving it go empty, or too many cheap seats and it's full and they can't get any more money for it. OK, so now let's talk a little bit about how faring and fares work. This is a little bit of a quick

intro, but one key point I guess to raise is that, especially for international travel or where there's multiple connections and stuff involved, it becomes extremely complex, your fares. So when you're actually searching you never really see a full, complete result set, because they're sort of CPU limited, by like 15 to 30 seconds of CPU time for each search, and there's often multiple layers of caching involved. So yeah, there's some stats there, I think that's from the ATPCO website: there's 351 million published fares. So a published fare, there'll be many for a particular market and destination, so you'd be used to seeing

things like sale fares, you know, flexi, whatnot, and each of them have different sort of rules and conditions. They're on, you know, routing or max permitted mileage. So an example of a routing one is this one here, it's a Los Angeles to San Diego one, and then I've got the routing options and layover locations in there that they allowed. Interestingly, just because something's published and it's there doesn't mean it'll actually work or it's even possible. Like, for instance, this one: I don't think American even has an Austin to San Diego direct flight, well, at least not at the moment, so that actually,

even though it's published and it's there, it's kind of useless. So similarly with the permitted mileage base, some people here who've worked with detections and impossible travel and whatnot, it's that great circle distance between the different stops, and often they add a little bit more allowance. Like, say for instance in this example, they allow an extra allowance of mileage for a stopover in Chicago, where otherwise it wouldn't meet the maximum distance. So speaking in terms of those fares, there's actually quite a lot of different conditions to consider, so these are some of the

more pertinent ones for, I guess, us to look into that can cause issues. One of the things that I often hear people say is, oh, they put the price of the flight up, and I sort of counter with, like, you know, maybe there were advance purchase restrictions or things like that in place. So often some of the discount ones will be like 14, 28, 90-day advance purchase, and what that means is that the date when you fly, it has to be bought that many days beforehand. So if you just push the date out to the next day, you can still see, maybe, that the departure

date, you might be able to still access that fare. So how it sort of works, this is sort of my understanding of it all. I guess the key point I kind of want to make is that just having a reservation in a system is different from the e-ticket. There's two separate parts, and you need that e-ticket to be created and valid to actually fly. So that's the actual coupon that you redeem when you get your boarding pass and board the flight. So yeah, the CRS and GDS systems, you might hear people talk about Amadeus or Sabre,

they're kind of the big leaders in the market. And one other little interesting thing is you can often pull up, so this relates to this particular ticket here, which is a more complex Qatar ticket that had like five different carriers on it. So you can see that all these other airlines, Cathay, Qantas, Qatar, all use the Amadeus system, but there's a different record locator for the synced record in Sabre for American. And so the other picture I have here just talks about the fact that you need that valid e-ticket to be able to actually check in for the flight. So that's a valid reservation, but it's

missing the, it's not ticketed yet. So how does it all work with money? And, you know, I just buy the fare off one and I have this international one with multiple segments of different airlines involved. Simplified, it kind of just looks like this, right? So there's a thing called the validating carrier, a marketing carrier and your operating carrier. So your validating carrier is the one that is issuing the ticket; it's issued on their stock, it's called. And that's who you're buying it from. Generally it's usually the first international or long-haul segment. The other ones, your marketing

carrier is the flight number. It's usually the same as the one that's operating the plane, but sometimes, you might have heard of a thing called a codeshare, where you might have bought it as a British Airways flight or something and then actually you're travelling on an American flight. So yeah. And then the way that airlines control, so this is important in terms of the way that airlines actually control their dynamic pricing, is through inventory buckets. So we talked a bit about the fares; each one of these fares will say which particular piece of inventory they're allowed to book, and you can see here on

the United side, it's actually fortunate enough that it actually tells you which fare buckets they align to. It's not always the case on all websites, but the generic... and as you can see, they don't necessarily align between different airlines; they all have their own way they like to do it. So generally these are sort of least expensive to most expensive, and least flexible to most flexible, and often the most flexible ones, so the most flexible in economy, actually might be more expensive than the cheaper ones in business. So what does it actually look like on a

GDS? So this is what they actually look like. This is an example of what some people would say is the loads, or what's available. So what these numbers mean is that's the number of seats available for sale at one time, currently on offer. And if you've ever seen on a website sometimes it might say, hurry, five or less seats are left, it's because these buckets are showing five or less; you're actually seeing a bit in that inventory. Why this one is interesting is this is a good example of, it looks like, an oversold in economy, but the business class

and first seems to be quite open. So the Y0 means it's closed and not available. So if you have high status and you're travelling alone, for instance, you might actually even have a good chance of receiving an upgrade, you know, an operational upgrade, so they can fill the rest of that plane up with more economy passengers. Similarly, when you're looking at connections and longer things, what you're looking for is the lowest booking class available for both segments. So for instance here, when we look at the economy thing, even though on that first flight there's Oscar and Golf

available, your actual lowest is Quebec on there. And then similarly in business, we see under Romeo there's only one seat left, so if you've got two passengers and you do another search for two people at once, it'll actually bump you up to a higher fare in Delta class. Yeah. So just going back over this, this is an old boarding pass of mine that's kind of interesting. So some of the things you can see on it: the e-ticket number starts with 125; the first three digits are actually the issuing airline, the database that it goes to. So

an interesting kind of fact is American's one is 001, because they were the first to have a computerised reservation system, and that's a whole other story. But yeah, this shows a couple of other pieces of information, unusual sorts of things, where it's been printed by Aer Lingus, it's on BA ticket stock, it's a codeshare flight, it's this American flight with a BA... yeah, just tying together some of those concepts, I guess. And that 25 number, I think, is the sequence number, so sometimes you might also see a number that says SEQ; usually that's the order that you've checked in, or it's gone on the manifest

when you've done that. So yeah, so now in terms of talking about some of the vulnerabilities and attacks. So fuel surcharges are probably the most vulnerable element of dynamic pricing, oh sorry, of pricing in the market now. They were introduced, sort of started with BA, I think, in 2004, in response to some of the oil shocks that were happening at that time, and they wanted an easy sort of lever that they could pull to change the pricing of multiple flights at once. But what airlines have sort of discovered is, it's like, oh, these are great. It's kind of like hotel resort fees and stuff you see

here in Vegas, right? So they weren't paying commissions on it, they charged them on redemption tickets, and all sorts of stuff. So what's interesting is that often you can see, especially on some of these really competitive markets, some of these transatlantic flights, the actual base ticket fare is like $1 and then there'll be like $400 of surcharges. So if we can beat these, or if they can be beaten, it's quite a vulnerability in their system. So the way they're applied is there's these records, the S1 and S2 records, sort of like database records that

apply, kind of like a firewall rule, and that's what this sequence number is. This is a screenshot from Travelocity's online user guide and it's showing an application of a surcharge with a sequence number. So how can they be beaten? Well, the key fact to know about these is that the records relate to the validating, sorry, the marketing carrier publishes the amount, but the validating carrier, or the one that issues the ticket, is the one that makes the decision on whether they want to apply it or not. So back in the old days, before there

were a bit more restrictions, you could actually just go to another carrier to issue a ticket and completely bypass it. So that got a little bit harder, but there's still other ways to force mispricings. For instance, the point of sale has been an issue for some airlines in the past, where because of the local regulations in that country they might have restrictions or limits on how much they can charge. And yeah, so this is a bit of an example. This slide shows something from the ATPCO manual, as part of these

records, right? So this is a subset of the rules that can be matched, and if you're thinking like a pentester, or you're thinking like someone in our community, you can start to see where vulnerabilities might creep in with some of these things. See, for instance, on that last line, if you read that text: when the journey is between Seattle and New York and all ticketed points are wholly within the US. So what happens if we have another segment on there that might be in Mexico or Canada or something, right? That might be a high surcharge, but that's an

example of the way logic can be broken. So here's an example of one I found quite some time ago. It's a bit heavily redacted, but essentially this was a cheap, well, cheapish international fare for £700, but the interesting thing about it is that the surcharge amount is like 50, 60%, right? So it's a low fare, but you get 60% or 55% of it. And how do we break it? Well, it can be broken with another fare that can be combined with it. So essentially

this one here has broken those. Basically it's dropped down all those rules and nothing is applied; it's hit the any rule in the firewall and we're home, you know, we're home. But what it has done is, because you've added another flight, it's actually added to the base cost of the fare, but that increase is less than the surcharges, and that's kind of the crux of how the online sort of community, they call them fuel dumps. And they'll say this would be an example of adding a first segment, but people add third and other segments. There's also other ways that

these things get broken. So I've seen one in the past where it was like, add this surcharge for the first transatlantic segment and this surcharge for the last transatlantic segment, but when you did a multi-city and you booked two back to back, it would only apply it on the first and the last; you basically got the other one just for the base fare. Yeah, so another sort of thing to talk about is, I guess, arbitrage is something to be aware of. There are sort of costs and inconveniences associated with it though. But for instance, if you're looking at this particular business one, one of these round-the-world fares, you

can see like just from Hong Kong to Japan is half, right, or, you know, United States to Canada is 30% or so less. So if you think about it, if you plan around that, and you know it might be a little bit out of your way, but it's something to consider. We've also seen things where some countries with more volatile currencies, when they have fixed exchange rates, like in Egypt there was a case where they dropped their exchange rate 50%, and then yeah. So hidden city ticketing is another thing; you might be familiar with the Skiplagged website that went around a

few years ago. As you can see, this is exploiting market dynamics. So even though it's the same flight for Dallas to Atlanta, they're competing with American on the Dallas to Nashville side, and it's potentially more leisure market versus business market. So airlines don't really like this because it sort of stuffs up their loads and whatnot, because people are missing the second segment. But, that said, don't try this too often, or try and check a bag on it. So I'll just also touch on mistake fares. So these are the ones you sort of hear about online, that's like when these first

class tickets sometimes make the press when they get a lot of attention. There'd be a ticket for, I think Cathay had some from Vietnam to the US for $500 for first class international return. So in the past, you kind of wanted them to touch US soil because of the enforcement of the DOT's post-purchase price increase legislation. However, in 2015 there was a, United had a divide by 1000 issue, where when they were issuing fares in Danish krone, the decimal separator they use in Denmark is actually a comma, so that led to a divide by

thousand issue with the filing, and they let that run on for quite a while. But basically the DOT's come out and said that they only really want to enforce on bona fide mistakes that consumers have made. Now my kind of point is that some of these, like when we're used to seeing $1 return base fares on some of these transatlantic routes anyway, when is a mistake really a mistake, or is it just a sale? So that's why, as RoR and Kitty would say, I just like the fare, because blogs that promote them, you know, assist, I guess, go to the point of that demonstration that it's a mistake, right,

if these blogs label them as mistakes. So I guess in the interest of ethics and the purpose of this talk, in terms of how security teams in this industry can sort of help with that, what can they do for detection and response? Now this is a bit of a black box for me, because like I said, I'm just an enthusiast on everything here, but the biggest stick they hold that's quite sort of public is the ADMs, or agency debit memos. So you can actually find their guidelines on ADMs if you just Google, you can find it. But these are really, they're often used for

abuses and attacks that agents might use on things, so that's things like withholding fictitious bookings and just waiting, not ticketing them, for a customer and then redoing it as soon as it's timed out, so they can hold a fare without paying for it until the customer's ready, that sort of thing, right? But there's other stuff they could do. I mean, they could think like us and look at the cents per mile, like mileage runners do. Yeah, finally, all right, so if you're interested, how do you get closer,

closer to this data and find out, see these numbers and all that sort of stuff? So what I can recommend: there's the GDS; while you can't get access to a GDS, you can pay for these sort of read-only accesses through these services, ExpertFlyer and KVS Tool. They're pretty good, but the better one that I like to use is ITA Matrix, it's for pricing. So you can kind of get the fares and other details and availability from ExpertFlyer, but Matrix is so powerful to play with, and the most useful feature I find is actually turning off the availability check to get more, and

putting more specific things I'm trying to work in it, so that I can make the best use of that 15 or whatever, 30 seconds of CPU time you get for searching. So I know this was a short talk, but in terms of talking about all the sorts of attack vectors that could be faced by revenue management teams, I mean, they sort of range from innocuous to outright malicious. So people compromising accounts and selling miles, or cashing out in gift cards, or even, as we said before, just holding up, maliciously holding lots of space and then, you know, cancelling at the last minute so that

the things are empty. But it's not always an us versus them thing for a consumer; like, we get upgrades sometimes, we get all these nice things. So, yeah, thanks everyone. And I do have a couple of other resources for some of the people there. I did see some people take photos of the slides, so some of these are worth a read, especially Carl de Marcken, who is one of the chief engineers at ITA; there's an MIT lecture he does on the computational complexity and it's really interesting. Yeah, so thanks.

[Applause]
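The surcharge-record matching the speaker compares to a firewall rule table, as an added example that is not part of the talk: a toy evaluator where the first matching record decides the amount, a revenue-integrity audit that lists the itineraries only the catch-all decides (the "hit the any rule" case), and a fail-closed variant of the same table. The carrier code XX, the points, the sequence numbers and the amounts are constructed; this is not how any real filing system stores S1 records.

```python
"""Toy model of fuel-surcharge records evaluated like an ordered firewall
rule table. All records, codes and amounts below are constructed for
illustration and are not real airline filings."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a small "US points" set used by the filed condition.
US_POINTS = frozenset({"SEA", "JFK", "ORD", "LAX"})


@dataclass(frozen=True)
class Segment:
    carrier: str   # marketing carrier code (constructed, e.g. "XX")
    origin: str
    dest: str


@dataclass(frozen=True)
class SurchargeRecord:
    seq: int
    carrier: Optional[str]              # None matches any carrier
    journey: Optional[tuple]            # (first origin, last destination) or None
    all_points_in: Optional[frozenset]  # every ticketed point must be in this set
    amount: int                         # surcharge applied when this record matches

    def matches(self, itin):
        points = {itin[0].origin} | {s.dest for s in itin}
        return (
            (self.carrier is None or all(s.carrier == self.carrier for s in itin))
            and (self.journey is None or (itin[0].origin, itin[-1].dest) == self.journey)
            and (self.all_points_in is None or points <= self.all_points_in)
        )


def evaluate(rules, itin):
    """Return (matched seq, amount): first record in sequence order wins."""
    for rec in sorted(rules, key=lambda r: r.seq):
        if rec.matches(itin):
            return rec.seq, rec.amount
    raise ValueError("no record matched; the table has no catch-all")


def audit_catchall(rules, itineraries):
    """Revenue-integrity check: itineraries that fall through to the last
    (catch-all) record were never decided by a filed condition, so they are
    exactly the constructions worth reviewing before a fare goes on sale."""
    last_seq = max(r.seq for r in rules)
    return [itin for itin in itineraries if evaluate(rules, itin)[0] == last_seq]


# Filed records: surcharge the SEA-JFK journey when wholly within the US;
# the catch-all at seq 99 lets anything unmatched through with no surcharge.
OPEN_TABLE = [
    SurchargeRecord(10, "XX", ("SEA", "JFK"), US_POINTS, 400),
    SurchargeRecord(99, None, None, None, 0),
]
# Hardened variant: same filed rule, but the catch-all fails closed, so an
# unanticipated construction still pays until someone files an explicit exception.
CLOSED_TABLE = OPEN_TABLE[:-1] + [SurchargeRecord(99, None, None, None, 400)]

PLAIN = [Segment("XX", "SEA", "JFK")]
# Same flight plus an added segment to a non-US point: the journey is now
# SEA-YYZ and not all ticketed points are in the US, so record 10 no longer applies.
EXTENDED = [Segment("XX", "SEA", "JFK"), Segment("XX", "JFK", "YYZ")]

if __name__ == "__main__":
    for name, table in (("open", OPEN_TABLE), ("closed", CLOSED_TABLE)):
        for itin in (PLAIN, EXTENDED):
            print(name, [s.dest for s in itin], evaluate(table, itin))
    print("review:", [[s.dest for s in i] for i in audit_catchall(OPEN_TABLE, [PLAIN, EXTENDED])])
```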