According to an article on MSNBC.com, there has been a data breach at the Toronto, Canada airport that may have been through the check-in kiosks. As I wrote in my blog on instant photo machines, the ability of machines to take more information than they need is certainly something that manufacturers should address, and quickly.
One airline at the airport has already suspended using credit-card information to check in, so even though a “full report” has yet to come out detailing HOW, we can draw some conclusions based on that action, and this statement:
“But Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.”
That is a logical conclusion if skimmers were not attached, given that skimmers would have to be inside the machines in order not to be really obvious (if you travel a lot, like I do, you know what they look like).
But what is most disturbing is how the airlines and kiosk makers are taking turns not commenting. There are over 70,000 self-serve kiosks in American airports that actually capture and send ALL the mag stripe data to the airline during the course of check-in. What do the airlines do with that data? How is it transmitted?
What do you want to bet that a technique similar to Hannaford’s data breach is in play?
Is this covered under the PCI DSS credit card regulations? Probably NOT, because no charges were made. And it’s an internal network, so encryption would not be required.
Why were they capturing ALL the stripe data? Because they can. Because it’s easier to program than eliminating “some data.” Because no one thought about the security of the data the machines were handling.
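To show that "eliminating some data" is a small amount of code, here is an added Python example (not code from any kiosk vendor or airline) that parses a track 1 swipe at the reader and passes on only what a booking lookup needs. The field set (name, last four digits, keyed token), the function names, the key and the sample swipe are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# ISO/IEC 7813 track 1, format B:
# %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Constructed sample swipe using a well-known test card number, not real card data.
SAMPLE_SWIPE = "%B4111111111111111^DOE/JANE^30121010000000000000?"


def minimize_swipe(raw: str, lookup_key: bytes) -> dict:
    """Return only the fields a booking lookup needs (assumed field set)."""
    m = TRACK1.match(raw.strip())
    if m is None:
        raise ValueError("not a track 1 format B swipe")
    surname, _, given = m.group("name").strip().partition("/")
    pan = m.group("pan")
    # A keyed hash lets the back end match card to booking without receiving the PAN.
    token = hmac.new(lookup_key, pan.encode(), hashlib.sha256).hexdigest()
    # Expiry, service code and discretionary data are never copied out of the match.
    return {"surname": surname, "given": given.strip(),
            "last4": pan[-4:], "card_token": token}


def leaks_card_data(record: dict, raw: str) -> bool:
    """Self-check: True if the full PAN or discretionary data is in the record."""
    m = TRACK1.match(raw.strip())
    if m is None:
        raise ValueError("not a track 1 format B swipe")
    blob = "|".join(str(v) for v in record.values())
    disc = m.group("disc")
    return m.group("pan") in blob or (len(disc) > 0 and disc in blob)


if __name__ == "__main__":
    rec = minimize_swipe(SAMPLE_SWIPE, b"constructed-demo-key")
    print(rec, leaks_card_data(rec, SAMPLE_SWIPE))
```

The raw swipe string should be discarded at the reader once `minimize_swipe` returns, so nothing downstream can store or transmit the full stripe.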
Keep your credit card in your pocket when you check in. That’s where mine will be.