Toronto airline kiosks breached

Just in case you thought it was safe to put your credit card into an airline kiosk, The Red Tape Chronicles has posted a quick warning:

Airline travelers may want to think twice about swiping their credit cards at airport self-service check-in kiosks following the possible theft of credit card account numbers from the kiosks at Canada’s largest airport in Toronto.

One Canadian airline, WestJet, already has suspended use of credit cards for check-in at the Toronto kiosks in the wake of the investigation by Visa and MasterCard, which was revealed last week. Fliers can still use the machines, but now must use other methods – by swiping frequent flier cards, entering confirmation codes or using their passports.

Figures. Is there any way for a customer to identify a compromised kiosk? Of course not. The investigation team could not even find evidence.

…Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.

No signs of tampering does not mean you can trust the kiosk. Avivah Litan from Gartner, who seems to be quoted in security stories all the time even though she has no insightful comments, provides readers with this nugget of nonsense:

Unless the kiosks are equipped with the latest in tamper-proof technology and card readers that encrypt data when the card is swiped, they are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves.

Ms. Litan, I know you represent Gartner and your name is all over these stories, but please take a close look at the facts. Latest in tamper-proof technology and card readers that encrypt data…pfffft, what TF are you talking about? Consumers obviously could never identify a secure kiosk. Are you suggesting some sort of “Seal of PCI DSS”? How would you recommend they identify a card reader that encrypts? Please, someone get me a towel for my monitor. Kiosks in public locations a perfect target for thieves? Are you f%#$^@#ng kidding me? Where do you think companies should put a kiosk? Locked in a safe? IT IS A KIOSK!

Whew, don’t even get me started on this kind of “analysis”. Apologies, ranting. Had to get that out. Must catch breath.

The bottom line here is that there are a couple of things happening that expose the risks of unstaffed payment card readers, and the two may even be related. First, PCI is actually moving the bar, tightening controls at merchants, and so attack vectors are changing. Those who fall below the new baseline, even though they are not merchants, are going to have to keep up with the Joneses or see threats turn their way. Second, the underground economy continues to expand and become more sophisticated in parallel with the growth of technology. Like water running downhill, it will find the path of least resistance.

The real question is not just who wrote the kiosk software, but who approved the use of credit cards in them and for what purpose? Was it for payment? I mean, did anyone believe them to be in compliance with the PA-DSS (Payment Application Data Security Standard) or similar? It’s a trick question, really, since the PA-DSS is brand new and even the best practices for payment applications have only recently been introduced. Anyone familiar with the card payment security standards knows this. That means attackers know this, and they also know which implementations are insecure. Consumers, on the other hand, know none of it. So, again, who approved credit cards at airline kiosks and why?

Hopefully people who read this story also will see the connections to electronic voting systems and realize why they are a really, really bad idea.
