Airport security part 6: Skimming at airport kiosks
We've talked a lot about airport security here (see other links at the bottom of this article), but one thing we haven't covered yet is airport kiosks. Not that they haven't caught my attention, there's just so much wrong at the airport, it takes time to cover it all. Richard Stiennon posted a story yesterday about his concern over airport kiosks and the use of a credit card as identification. Stiennon says:
What’s to stop the airline, kiosk manufacturer, or <gasp> a hacker from grabbing my credit card number and CCV info?
Evidently there is some suspicion that that is exactly what is going on at kiosks in Toronto. One airline, WestJet, as a precautionary measure has shut off the credit card scanning function of their kiosks at 28 airports.
My advice: don’t use credit cards as ID.
Very interesting. I've had concerns over this, but I've never actually heard of it happening in the wild yet. From the article Stiennon mentions:
Visa started investigating after banks noticed apparent fraud on cards of some people who had flown out of Toronto.
While no one is saying exactly what pattern sparked the probe, Visa purchases are monitored by some of the world's most sophisticated algorithmic tools, called "neural networks," that watch for and flag irregular spending behaviour.
...
It has not yet been determined whether any information has been stolen from the kiosk system or the databases that support it.
Visa's investigation began after the financial community came to suspect, in recent months, that certain isolated patterns of fraud appeared to be linked to the use of credit cards in conjunction with air travel through Toronto.
The article does not comment on exactly what is being investigated or if a large-scale data breach is suspected, but, I will say that this reminds me very much of part of the "Bad Sushi" phishing talk, which Nitesh Dhanjani and Billy Rios are putting on again at Black Hat Vegas this year. Within the talk, the two discuss the use of skimming devices, which are affixed on ATM machines and allow the capture of all data on the ATM card.
The airport kiosks may not be the easiest place to affix a skimming device, but imagine the high payout for an identity thief. It's plausible (barely) to consider a situation in which an attacker uses social engineering techniques to get close enough for long enough to affix a skimmer. Maybe the attacker would get a job with the airline, or, pose as a technician coming to fix the devices. Of course, checking such skimmers would be a problem, but perhaps they could be rigged to use some form of wireless communication to report their results.
I think this scenario a bit of a stretch, but the point is to ask, why are we using our credit cards for identification at the airport? There has to be another way that is just as fast, but safer.
[See similar stories]
- Airport security part 5: Snakes on planes? Check. Marshals on planes? Nope.
- Airport security part 4: Attack of the body scanners!
- Airport security part 3: Planes, trains, and automobiles
- Airport security part 2: TSA is failing us, let my associated ranting begin thusly
- Airport security part 1: Bluetooth, switchblades and -- wireless X-rays?
-Nate