July 29, 2008 at 8:00 AM ET
Airline travelers may want to think twice about swiping their credit cards at airport self-service check-in kiosks following the possible theft of credit card account numbers from the kiosks at Canada's largest airport in Toronto.
One Canadian airline, WestJet, already has suspended use of credit cards for check-in at the Toronto kiosks in the wake of the investigation by Visa and MasterCard, which was revealed last week. Fliers can still use the machines, but now must use other methods – by swiping frequent flier cards, entering confirmation codes or using their passports.
About 31 million passengers fly through Toronto's Pearson International Airport every year, so the potential haul for credit card thieves able to access data entered into the 150 check-in kiosks is enormous. But a possible kiosk-related heist raises questions about the security of the self-service machines at other airports, which are used by millions of travelers every day in the U.S. and elsewhere.
It's still unclear how thieves could have stolen credit card numbers from the kiosks. A Canadian government report is expected later this week.
One possibility: Scammers attached small skimming devices to the kiosks that lifted the numbers from unsuspecting travelers, a technique often employed by criminals to steal information at bank ATMs.
But Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.
Put away your credit card?
Because of the uncertainty about the system in light of the investigation, some security experts are suggesting consumers should change the way they check in for flights.
"Next time you go to an airport kiosk for self-service check in, just type in your ticket reference number," said Avivah Litan, a security analyst at research firm Gartner. "Unless the kiosks are equipped with the latest in tamper-proof technology and card readers that encrypt data when the card is swiped, they are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves."
If the kiosks turn out to be the source of the stolen credit card information, that would raise another question: Why would the machines read credit card account numbers and other personal information, and store that data? Security consultants say the kiosks need only read names off the cards to check in passengers, but the machines in Toronto – and similar machines in the U.S. – could be set up to collect and store more data.
The kiosks in Toronto are made by IBM Canada, and the data is managed by two firms -- ARINC Inc., based in Maryland, and SITA Inc., a European consortium based in Geneva.
Linda M. Hartwig, a spokeswoman for ARINC, declined to comment on the apparent security breach. But she said the kiosks read everything on the entire credit card magnetic stripe – including account numbers and expiration dates -- then hand the information off to the airline. She said no data is stored on the kiosk itself.
Spokesmen for the other software company, SITA Inc., did not return calls seeking comment.
U.S. kiosk maker won't comment
In the U.S., about two-thirds of the kiosks used at airports are provided by Florida-based Kinetics, Inc., a subsidiary of NCR Corp. The firm would not discuss how its kiosks worked.
Several airlines contacted referred questions to Visa. A Continental Airlines spokeswoman, for example, said the airline wouldn't reveal if its kiosks collect credit card numbers while checking in fliers.
Christopher White of the Transportation Security Administration said the Toronto incident was "not an aviation security issue, it's more of a customer service issue," and referred questions to the industry group, the Air Transport Association.
Elizabeth Merida, a spokeswoman for ATA, would say only that there are no reports of similar credit card heists in the U.S.
Violation of state privacy law?
It's unclear what consumers expect when they use a credit card at the kiosks. The machines generally display a message such as "Your credit card will not be charged," suggesting that the account number won't even be read by the machine.
But that's probably not technically feasible, said Greg Buzek, president of research firm IHL Group, which studies the self-service kiosk industry. Credit-card-reading software generally will pull all data that's on the magnetic stripe and only later distinguish between names, account numbers, expiration dates, etc., he said.
After the account numbers have been read, they might be deleted -- but only if the software has been programmed to do so, Buzek said.
"What happens is completely up to the way the software is designed," he said. To make sure account numbers are not stored, "somebody has to physically take that information, take that data, and delete it."
Failing to do so might violate various state laws, said privacy expert Larry Ponemon, who runs research firm The Ponemon Institute. In California, for example, companies that collect information about consumers that is otherwise "non-public" are required to disclose that.
"Most people when they go to a kiosk just think of it as a way to identify you, not as a system that captures your credit card information," Ponemon said.
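The behavior described above, sketched as an added example (not code from any kiosk vendor or airline): the reader hands over the whole Track 1 record, and the software has to deliberately keep only the name and wipe the rest. It assumes the ISO/IEC 7813 format-B Track 1 layout; the function names and the sample swipe, which uses a test account number, are constructed for illustration.

```python
import re
from typing import NamedTuple

# ISO/IEC 7813 Track 1, format code "B":
#   %B<PAN, up to 19 digits>^<NAME, 2-26 chars>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B\d{1,19}\^(?P<name>[^^?]{2,26})\^\d{4}\d{3}[^?]*\?"
)


class Identity(NamedTuple):
    surname: str
    given_name: str


def identity_from_swipe(raw: bytearray) -> Identity:
    """Return only the cardholder name, then zero the swipe buffer.

    Only the name group is ever copied out of the buffer; the account
    number and expiry date are matched but never extracted.
    """
    try:
        m = TRACK1.match(raw)
        if m is None:
            raise ValueError("not a format-B Track 1 record")
        surname, _, given = m.group("name").decode("ascii").partition("/")
        return Identity(surname.strip(), given.strip())
    finally:
        for i in range(len(raw)):  # overwrite in place, on success or failure
            raw[i] = 0


def find_track_data(blob: bytes) -> int:
    """Count Track 1 records in a log or file that should contain none."""
    return sum(1 for _ in TRACK1.finditer(blob))


if __name__ == "__main__":
    # Constructed sample: test account number, made-up name and dates.
    swipe = bytearray(b"%B4111111111111111^TRAVELER/ALEX^1012101000000000?")
    print(identity_from_swipe(swipe), swipe)
```

`find_track_data` is the audit side of the same point: run over kiosk logs or temporary files, any nonzero count means full stripe data was written somewhere it should not be.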
Kiosks wildly popular
Kiosks are enormously popular with airlines and fliers alike. Buzek said about three-fourths of consumers say they prefer checking in via kiosk. At Continental Airlines, more than 85 percent of travelers check in using them, he said.
The trend toward self-service machines has exploded in recent years. There are now about 70,000 ticketing kiosks in North America – including self-service movie theater or bus ticket machines -- performing $370 billion in transactions annually. That figure is expected to rise to $1.25 trillion by 2012.
But favoring machines over humans could have unexpected security consequences, warned Robert Grapes, chief technologist at Virginia-based security firm Cloakware Inc.
"We strive to make things convenient and we strive for a reduction of operational costs, but we focus on convenience more than security and now we're getting bit by that," he said.
RED TAPE WRESTLING TIPS
• Because the airlines and the kiosk makers have so far not been forthcoming about how their systems work, it's unclear how consumers should react to the Toronto airport story. There's no need to stop using airport kiosks, however. It's safe to use airline-issued record locators, such as confirmation codes, when checking in. Most machines accept frequent flier cards, too.
• It's easier to check in with your credit card, though, so it's important to keep the risks in perspective. Remember, your liability for theft from your account is legally capped at $50, and consumers generally aren't forced to pay anything when they report their cards as stolen. Still, a compromised credit card is a hassle, so a little caution could be worthwhile.