Airport security part 6: Skimming at airport kiosks


We've talked a lot about airport security here (see other links at the bottom of this article), but one thing we haven't covered yet is airport kiosks. Not that they haven't caught my attention; there's just so much wrong at the airport that it takes time to cover it all. Richard Stiennon posted a story yesterday about his concern over airport kiosks and the use of a credit card as identification. Stiennon says:

What’s to stop the airline, kiosk manufacturer, or <gasp> a hacker from grabbing my credit card number and CCV info?

Evidently there is some suspicion that that is exactly what is going on at kiosks in Toronto.  One airline, WestJet, as a precautionary measure has shut off the credit card scanning function of their kiosks at 28 airports.

My advice: don’t use credit cards as ID.

Very interesting.  I've had concerns over this, but I've never actually heard of it happening in the wild yet.  From the article Stiennon mentions:

Visa started investigating after banks noticed apparent fraud on cards of some people who had flown out of Toronto.

While no one is saying exactly what pattern sparked the probe, Visa purchases are monitored by some of the world's most sophisticated algorithmic tools, called "neural networks," that watch for and flag irregular spending behaviour.

...

It has not yet been determined whether any information has been stolen from the kiosk system or the databases that support it.

Visa's investigation began after the financial community came to suspect, in recent months, that certain isolated patterns of fraud appeared to be linked to the use of credit cards in conjunction with air travel through Toronto.

The article does not comment on exactly what is being investigated or whether a large-scale data breach is suspected, but I will say that this reminds me very much of part of the "Bad Sushi" phishing talk, which Nitesh Dhanjani and Billy Rios are putting on again at Black Hat Vegas this year. Within the talk, the two discuss the use of skimming devices, which are affixed to ATMs and allow the capture of all data on the ATM card.
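What a stripe read exposes, and how a defender could audit a kiosk back end for it: the added example below (not code from the article or from any kiosk vendor) scans log lines for Track 2 strings in the ISO/IEC 7813 layout, confirms each card number with a Luhn check and reports masked findings. The log format, field names and function names are assumptions and the sample lines are constructed; the stripe carries the card number, expiry, service code and issuer discretionary data, not the printed CVV2.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines):
    """Return one finding per Luhn-valid Track 2 string found in the lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2.finditer(line):
            pan, yy, mm, service, disc = m.groups()
            if luhn_ok(pan):
                # disc is issuer data from the stripe; the printed CVV2 is not in it
                findings.append({"line": lineno, "pan": mask(pan),
                                 "expiry": f"{mm}/{yy}", "service_code": service,
                                 "discretionary_len": len(disc)})
    return findings

# Constructed sample log (hypothetical format). 4111111111111111 is a well-known
# test number; the second record fails Luhn; the third line holds no card data.
SAMPLE_LOG = [
    "10:02:11 checkin kiosk=K07 swipe=;4111111111111111=10121010000012345678? pnr=ABC123",
    "10:02:40 checkin kiosk=K07 swipe=;4111111111111112=10121010000012345678? pnr=DEF456",
    "10:03:05 checkin kiosk=K07 method=passport pnr=GHI789",
]

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```

Any finding means full track data was written somewhere it should not persist, which is the kind of storage an investigation of a kiosk system and its supporting databases would look for.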

The airport kiosks may not be the easiest place to affix a skimming device, but imagine the high payout for an identity thief. It's plausible (barely) to consider a situation in which an attacker uses social engineering techniques to get close enough for long enough to affix a skimmer. Maybe the attacker would get a job with the airline, or pose as a technician coming to fix the devices. Of course, checking such skimmers would be a problem, but perhaps they could be rigged to use some form of wireless communication to report their results.

I think this scenario is a bit of a stretch, but the point is to ask: why are we using our credit cards for identification at the airport? There has to be another way that is just as fast, but safer.


-Nate

Talkback

6 comments
  • Not just at YYZ

    I know those kiosks at Toronto Airport, having just used one. I don't
    think someone added a skimmer externally. They have trained staff
    helping passengers, and who would spot anything amiss. Also,
    airports have CCTVs, so the chance of being identified is high if a
    skimmer was detected.

    If the problem is at Toronto, you can bet it's elsewhere. Canadians are
    much more conservative than our American cousins. If an Airport
    Authority noticed even the least bit of "weirdness" it would not bow to
    the economic pressure of the airlines to stay quiet.

    From reading the Canadian stories, the kiosks are owned by the
    Airport Authority. They license their use to each airline. A 3rd party
    company manages the network link from the kiosk to the credit card
    company's systems and the airline systems.

    Also note, anyone who used their credit card to check-in also likely
    used their CC to purchase something (gum, magazine) at a store
    inside the airport.
    snberk203
    • Yes, good points

      Certainly I don't expect it to be only in Canada, in fact, I think for some of the reasons you mentioned, the fact that there may be concerns in Canada, concerns me even more here in the US.

      Also, I didn't mean to suggest that this potential breach had to do with skimmers (hopefully that is not how it came across), I was simply discussing the possibility of that type of attack, which seems unlikely, but would be a high value target.

      -Nate
      nmcfeters
  • RE: Airport security part 6: Skimming at airport kiosks

    This is why the CCV2 code (the one that online merchants and such use) is not encoded on the magnetic strip and cannot be skimmed in such a manner.

    Of course, this does not mean this is not a real concern as many do not verify the CCV2 code when a purchase transaction is made. But a lot of people do, so that's some consolation at least.
    CapnJeff
    • Yep

      Good point.

      -Nate
      nmcfeters
  • Use your driver's license

    Most airline kiosks (at least in the US that I've used) allow driver's licenses with mag-stripe ID to be used (as long as it has name and address that match what's on your reservation). I use my driver's license which has only my name, address, DL # (of course), but NO SSN or other pertinent ID. It's not perfect, but it's better than giving out SSN or credit card info. You should make sure that yours does NOT have your SSN before using it, though.
    bruce@...
    • Airports are international; driving licenses are not

      Many countries do not have mag stripes on licenses or still use paper ones and only have machine readable as an option like the UK.
      GreyTech