29 July 2008

Are Thieves Using Self Check-in Kiosks?

Web: www.fishfotoworldwide.com -- E-Mail: fish@flyingwithfish.com

29/07/2008 – Are Thieves Using Self Check-in Kiosks?

In the past week Canadian low cost airline WestJet stopped allowing passengers to check-in with their credit cards as the self check-in kiosks. WestJet is not trying to be difficult, they are not trying to force you to wait in line for an agent, what WestJet is doing is trying to protect their passengers from potentially being victims of credit card fraud.

Recently both MasterCard and Visa in Canada began investigating a potential security breach of airline self check-in kiosks at Toronto's Pearson International Airport (YYZ). While neither MasterCard nor Visa will comment on how credit card information may have been stolen via the Kiosks software, it is suspected that savvy thieves have found a way to collect and store the data, then retrieve the stolen data through the network that connects the kiosks directly to the airlines.

While the incidents bring investigated are currently isolated to YYZ, it does not mean that is not being employed elsewhere in a way that is not yet detected. It also does not mean that thieves are not working to employ this technology elsewhere to collect as much credit card data as possible.

An odd twist in this potential security breach is that in theory an airline check-in kiosk should only be reading your credit card for your name to match it to your reservation. When you check-in, the kiosk asks you to swipe your card and type in your destination airport. This information combined is used to eliminate the potential of confusing passengers with the same name. When you check in, you do not need to use the same credit card you purchased the ticket with. Any valid credit card with your name can be used to check-in.

Since the current software that drives the self check-in kiosks should read no vital credit card information passengers should be protected from credit card theft. Clearly in some cases this is not what is happening and the hacked machines, which are produced by IBM Canada and use software created by both ARINC of Annapolis, Maryland (USA) and SITA or Geneva, Switzerland, are not only reading vital data, but more importantly, the machines are storing it somewhere within the machines' systems.

So are thieves hacking the software in a small number of the 70,000+ self-service check-in kiosks at North American airports? Not exactly.

While companies such as Kinetics, which creates the software used in approximately 75% of the self check-in kiosks in the United States, will not discuss the specific details of how the machines work, it is known that a self service check-in reads your information off the magnetic strip on the back. The software reads all the information in that magnetic strip, and then it only takes the data it needs. One the system has the date it need it should purge the rest of the data from the system....... but only if the software being used it programmed to purge this information.

How can you avoid having your credit card information from a potentially unsecured self check-in kiosk?

When you check in you can use your reservation number or your passport. Some airlines allow you to check-in using your airline frequent flyer card. When using an airline frequent flyer card you must usually use the membership card of the airline you are traveling on and not those of affiliate or partner airlines (with limited exceptions). Personally, I find it easy enough to have my reservations number with me; it is stored in my Blackberry. I type it in; take my boarding pass and head to security.

Not all airport thieves are watching you and waiting to steal your items. Some are far away sitting a computer waiting to take what they want undetectable to unsuspecting passengers.

Happy Flying!

1 comment:

Anonymous said...

is it potentially not unlike the atm/gas station scams where a phony scanner is placed over the actual slot? whenever i fly UA or DL, i manually enter my FF# from memory. otherwise, i also use my res #.