July 28th, 2008
Airport security part 6: Skimming at airport kiosks
We’ve talked a lot about airport security here (see other links at the bottom of this article), but one thing we haven’t covered yet is airport kiosks. Not that they haven’t caught my attention, there’s just so much wrong at the airport, it takes time to cover it all. Richard Stiennon posted a story yesterday about his concern over airport kiosks and the use of a credit card as identification. Stiennon says:
What’s to stop the airline, kiosk manufacturer, or <gasp> a hacker from grabbing my credit card number and CCV info?
Evidently there is some suspicion that that is exactly what is going on at kiosks in Toronto. One airline, WestJet, as a precautionary measure has shut off the credit card scanning function of their kiosks at 28 airports.
My advice: don’t use credit cards as ID.
Very interesting. I’ve had concerns over this, but I’ve never actually heard of it happening in the wild yet. From the article Stiennon mentions:
Visa started investigating after banks noticed apparent fraud on cards of some people who had flown out of Toronto.
While no one is saying exactly what pattern sparked the probe, Visa purchases are monitored by some of the world’s most sophisticated algorithmic tools, called “neural networks,” that watch for and flag irregular spending behaviour.
…
It has not yet been determined whether any information has been stolen from the kiosk system or the databases that support it.
Visa’s investigation began after the financial community came to suspect, in recent months, that certain isolated patterns of fraud appeared to be linked to the use of credit cards in conjunction with air travel through Toronto.
The article does not comment on exactly what is being investigated or if a large-scale data breach is suspected, but, I will say that this reminds me very much of part of the “Bad Sushi” phishing talk, which Nitesh Dhanjani and Billy Rios are putting on again at Black Hat Vegas this year. Within the talk, the two discuss the use of skimming devices, which are affixed on ATM machines and allow the capture of all data on the ATM card.
The airport kiosks may not be the easiest place to affix a skimming device, but imagine the high payout for an identity thief. It’s plausible (barely) to consider a situation in which an attacker uses social engineering techniques to get close enough for long enough to affix a skimmer. Maybe the attacker would get a job with the airline, or, pose as a technician coming to fix the devices. Of course, checking such skimmers would be a problem, but perhaps they could be rigged to use some form of wireless communication to report their results.
I think this scenario a bit of a stretch, but the point is to ask, why are we using our credit cards for identification at the airport? There has to be another way that is just as fast, but safer.
[See similar stories]
- Airport security part 5: Snakes on planes? Check. Marshals on planes? Nope.
- Airport security part 4: Attack of the body scanners!
- Airport security part 3: Planes, trains, and automobiles
- Airport security part 2: TSA is failing us, let my associated ranting begin thusly
- Airport security part 1: Bluetooth, switchblades and — wireless X-rays?
-Nate
Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
