Tor is blocked by airlines most probably not due to “security” concerns, but rather because airline websites are notorious for using all manner of browser traffic/history sniffing to alter the price for different customers to maximize the ticket price.

To test this out, visit a few airline websites in Private Mode versus Normal Mode in your browser. Its not unusual to see some price differences for the same flights between the two. The airline companies are highly vested in tech that tries to detect when you are price insensitive for flights (like regular trips back home to visit families) and will raise the price accordingly.

Since Tor effectively stops that kind of browser tracking right at the root, it is simply in the airlines best interest to shut down at the root as soon as Tor is detected. Everyone would be writing their airline price crawlers under Tor if such a trick was possible.

In opposition to the assertion regarding the airlines doing it for credit card fraud, I would be suspicious of this simply given that the fact that a lot of other large sites still allow card purchases under Tor browsers.

In my experience, it’s not just Tor; I have found that many companies either block or restrict access via VPN networks. Sometimes the restriction is subtle (e.g., Hilton often reports a login error if I am access it it via a VPN, American Airlines often just spins and never loads when I am on a VPN). I assume they believe that VPN users are more likely to be conducting attacks attempting to gain access to users’ accounts to fraudulently redeem points/miles, gain access to the site itself, or some other malicious activity.

Credit card fraud is a considerable problem for airlines. You would think the fraud risk would be low—after all, passengers usually have to appear in person with photo ID to make use of the service—but as there are a number of types of fraud, “airlines alone lose from $2.4 billion to $4.8 billion to credit card fraud annually.” In particular, fraudsters can buy airline tickets with stolen credit cards and then setup fake travel agencies (online or offline) to resell them to real travelers. Sometimes fraud occurs within real travel agencies, with an insider pocketing the real funds and booking the ticket with stolen card details. Frequently flyer accounts can be compromised and the miles used to book flights that are resold. Others fly using stolen cards as part of criminal activity (if travelers are caught when this happens, they can claim to be a legitimate traveler who has fallen victim to one of the above types of fraud), with tickets sold on blackmarkets accessible over Tor.

Airlines seek to reduce their exposure with a variety of fraud detection and risk management systems. Bookings via Tor can represent a high risk. Airlines don’t want anonymous customers; they want customers who provide as much information about themselves as possible. Customer IP addresses can be used as part of fraud detection systems to identify high risk transactions (this is more difficult for airlines than in other industries, as legitimate customers are likely to need to purchase tickets while traveling). Airline policy may require more scrutiny in these cases, such as requiring the original credit card be presented at check-in (this sometimes varies depending on the country of purchase, in accordance with fraud risk) or even declining the transaction and requiring the customer purchase the tickets in person at a sales office in some countries.

Airlines also use rate-limiting on their websites to prevent bulk automated access. They want to block repeated login attempts to compromise frequent flyer accounts and don’t want people trying to scrape their fares from the booking engine. They block anonymity networks that could be used to help defeat such measures.

I suspect airlines see no real upside in allowing bookings over Tor; legitimate customers need to identify themselves anyway, and few travelers will refuse to purchase if Tor is blocked. But there’s clearly a cost, in that it makes things easier for those committing fraud. As such, the decision to block access comes easy for them.

This doesn’t happen with all airlines, obviously. I tried to visit several airlines with Tor and found I could not access Lufthansa or Air Canada, but I could access British Airways, American Airlines, Air India, Emirates and Etihad.

In the two cases, I saw the following error:

Access Denied

You don’t have permission to access “http://www.aircanada.com/” on this server.

Reference #18.acbc3b17.1577480243.f2b7aef9

This error comes from the Akamai CDN, which blocks all Tor exit nodes. Any web site that uses Akamai to serve its content will also, as a side effect, block Tor access. This is not necessarily a decision that those airlines have taken explicitly, but Akamai does offer its customers the option of blocking Tor exits, so they may have chosen to do so, either explicitly or by default. The airline could turn this off, but good luck getting through to the person (or people) who can actually do it or order it done.