Just in case you thought it was safe to put your credit card into an airline kiosk, The Red Tape Chronicles has posted a quick warning:

Airline travelers may want to think twice about swiping their credit cards at airport self-service check-in kiosks following the possible theft of credit card account numbers from the kiosks at Canada’s largest airport in Toronto.

One Canadian airline, WestJet, already has suspended use of credit cards for check-in at the Toronto kiosks in the wake of the investigation by Visa and MasterCard, which was revealed last week. Fliers can still use the machines, but now must use other methods – by swiping frequent flier cards, entering confirmation codes or using their passports.

Figures. Is there any way for a customer to identify a compromised kiosk? Of course not. The investigation team could not even find evidence.

…Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.

No signs of tampering does not mean you can trust the kiosk. Avivah Litan from Gartner, who seems to be quoted in security stories all the time even though she has no insightful comments, provides readers with this nugget of nonsense:

Unless the kiosks are equipped with the latest in tamper-proof technology and card readers that encrypt data when the card is swiped, they are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves.

Ms. Litan, I know you represent Gartner and your name is all over these stories, but please take a close look at the facts. Latest in tamper-proof technology and card readers that encrypt data…pfffftwhat TF are you talking about? Consumers obviously could never identify a secure kiosk. Are you suggesting some sort of “Seal of PCI DSS”? How would you recommend they identify a card reader that encrypts? Please, someone get me a towel for my monitor. Kiosks in public locations a perfect target for thieves? Are you f%#$^@#ng kidding me? Where do you think companies should put a kiosk? Locked in a safe? IT IS A KIOSK!

Whew, don’t even get me started on this kind of “analysis”. Apologies, ranting. Had to get that out. Must catch breath.

The bottom line here is that there are a couple things happening that expose risks of un-staffed payment card readers, and the two may even be related. First, PCI is actually moving the bar, tightening controls at merchants, and so attack vectors are changing. Those who fall below the new baseline, even though they are not merchants, are going to have to keep up with the Jones or see threats turn their way. Second, the underground economy continues to expand and become more sophisticated in parallel with the growth of technology. Like water running downhill, it will find a path of least resistance.

The real question is not just who wrote the kiosk software, but who approved use of credit cards in them and for what purpose? Was it for payment? I mean did anyone believe them to be in compliance with the PA-DSS (payment application data security standard) or similar? It’s a trick question, really, since the PA-DSS is brand new and even the best practices for payment applications have been recently introduced. Anyone familiar with the card payment security standards knows this. That means attackers know this and they also know which implementations are insecure. On the other hand, consumers do not know either. So, again, who approved credit cards at airline kiosks and why?

Hopefully people who read this story also will see the connections to electronic voting systems and realize why they are a really, really bad idea.

A few weeks ago I flew into Toronto for a presentation on security. The customs officer asked me a series of questions about my work, as was expected. It went something like this:

Here on business? What are you doing?
I will be speaking on Internet security.
Will you be paid?
No, not by the conference.
You work for free?
No, my company pays me a salary.
Aha! So you do get paid. Where are they based?
In the United States.
Thank you, have a nice day.

Unfortunately it sounds like Halvar Flake ran into the same set of questions when entering the US for BlackHat and made a mistake. The Blackpages describe his experience:

In the process of checking his luggage, some portion of his printed materials for his training were discovered. This triggered a series of questions about his business and his immigration status, with the US officials finally settling on the position that if he was going to profit as an individual speaker at Black Hat, he was a de facto employee of the conference and could not enter the States without qualifying for and obtaining an H1B visa.

The “de facto employee” interpretation sounds incorrect to me, but who knows what was said at the time. It is certainly hard to think clearly after flying long distances across time zones and it is not uncommon for officials to ask intentionally misleading and confusing questions to trip people.

I am reminded of a story of Ellis Island where a German immigrant practiced his answers in English over and over to ensure his chances of admitted to America. Upon reaching the station for entry he was asked “Name please?”. In a sudden panic the German blurted out “Ich…Ich…vergessen!” The officer, without batting an eye, wrote down “Mike Ferguson” on the man’s entry card and said “Welcome to America! Next, please.”

Mistakes on the border are common and I don’t have any details on this incident, but I will say that when I had dinner with Halvar at RSA this past year he argued a number of very obtuse angles on some common topics like how to social engineer. Joanna Rutkowska and he teased out questions of human behavior and I only intervened to steer them away from mathematical and scientific expectations and into the realm of what I consider the greater reality of social, cultural and historical factors in security. He is obviously a very smart guy with strong opinions. He may even enjoy taking a contrarian position, which can be great in research but I suspect it might not have been to his benefit when facing an immigration officer.

Perhaps if he had been better prepared by the conference organizers about the state of American employment/visas, or researched the requirements, or if he had just said he was paid by a German firm to speak at a conference in America, he would have been cleared. Now due to a simple misunderstanding about compliance he will have to present remotely or worse, not at all. I hope he is able to clear things up for the future and his story might present a lesson learned in the security community about…security.