July 23, 2008

Security - Toronto Airport Kiosks Being Investigated

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks. If true, then the problem would be in the software, and IBM is the software provider. IBM could not be reached for comment late yesterday.

In recent months, financial institutions that issue credit cards spotted isolated fraud patterns that appeared to stem from use of the cards in conjunction with getting boarding passes at the Pearson kiosks, according to sources.

While the investigation is in the early stages, it is currently focused on the kiosks, where passengers use passports, frequent-flier cards, reservation numbers, names, and/or credit card data to identify themselves for flights on any one of 13 airlines. It is not known whether any information has actually been stolen or otherwise gone astray.

Some members of the financial industry are very concerned because Pearson is Canada's busiest airport, with 31.5 million passengers travelling through it last year.

One person familiar with the investigation said the fact that personal data at airports might not be secure "should send shudders through every airport traveller."

Privacy breaches are serious issues for the financial community, which stepped up its monitoring and reissued a plethora of credit cards last year after hackers broke into the databases of U.S.-based retailer TJX and stole credit- and debit-card information affecting millions of consumers around the world. Credit-card details and other personal data are extremely valuable information for criminals, who can use it to make fraudulent purchases or steal identities.

There are 150 self-serve kiosks at Pearson. The physical machines are owned by the Greater Toronto Airports Authority, the not-for-profit corporation that manages the airport.

While it owns the kiosks' hardware, it has a licence with technology companies that manage the flow of information to the airlines and back.

"We don't see the information, we just pass it back and forth," Scott Armstrong, a spokesperson for the GTAA, said Monday. "And that's been audited and that's working the way it's supposed to and our network is secure and it's been checked out very, very recently," he said.

"Visa has done some investigating, and we're working with them," he added. "And that's not specific just to Pearson, that's just a standard thing. Apparently they have an investigations wing and they like to make sure things are working the way they're supposed to.

"I don't know what prompted their questions, but our kiosks have proven to be working exactly as they're supposed to," he said.

Visa Canada spokeswoman Tania Freedman said, "We're investigating isolated reports of fraud, and we're working with airport officials to investigate the situation."

American Express spokeswoman Lauren Dineen-Duarte said, "We're aware of the situation and obviously monitoring it very closely."

MasterCard spokeswoman Julie Wilson said the company could not "confirm any specifics regarding this case."

Copies of July 11 letters sent by GTAA chief information officer Gary Long to two technology companies that are involved with the kiosks - ARINC Inc. and SITA Inc. - were obtained by The Globe and Mail.

They state that Visa is investigating the use of credit cards at the kiosks in Toronto, and that the GTAA has referred the card company's investigators to ARINC and SITA for further inquiry.

"We request that you provide your full co-operation to the VISA investigators and if your systems are found to be insecure, the GTAA requires that you implement immediate remediation measures," Mr. Long wrote in the letters.

"As the GTAA takes seriously the possibility of credit card fraud which may be occurring at Toronto Pearson, we have also advised the 13 airlines on the ARINC and SITA ... platforms at Toronto Pearson of the VISA investigation and have requested them to contact VISA and to co-operate in their investigation."

Doug Love, the GTAA's general counsel, sent a letter to the 13 airlines that said: "... We are very concerned about the potential repercussions of this situation should the travelling public lose faith in the security of the credit card system at Canadian airports, or should the credit card companies and/or card issuers take steps to advise people to stop using credit cards for check-in at Canadian airports. I am therefore writing to you to encourage your full co-operation with VISA Canada and other credit card companies and to take the necessary steps to resolve this matter as quickly as possible."

Mr. Love's letter said that because the GTAA only owns the kiosks' hardware, the airport authority does not interact with information passing between the machines and the airlines. "Accordingly, it is only the airlines, ARINC and/or SITA who can provide the necessary information to Visa Canada to conduct its investigation, and only these companies that can provide the appropriate remedy should any of their systems be found to be insecure."

Catherine Mayer, vice-president of airport services at SITA, said the company had no comment.

Linda Hartwig, a spokeswoman for ARINC, said that ARINC and SITA are master systems integrators that link the airlines' networks to the system. "We're kind of the glue that holds it all together," she said. "We don't have any content in the kiosks ... All we can do is kind of help anybody that needs it. The software is not ours."

Ms. Hartwig said that IBM is the software provider. IBM could not be reached for comment late yesterday.

Peter Fitzpatrick, a spokesperson for Air Canada, said, "We take matters such as this seriously in all aspects of our business and we will support this assessment as necessary, to the fullest extent we can."

Other airlines that use the kiosks are Air France, Air Jamaica, American Airlines, Caribbean Airlines, Continental Airlines, Delta Air Lines Inc., Jazz Air, KLM Royal Dutch Airlines, Northwest Airlines, United Airlines, US Airways and WestJet.

A spokeswoman for the federal privacy commissioner said on Monday that her office had not yet been made aware of the situation.

Each of the credit-card companies noted that cardholders are not responsible for any fraudulent purchases made with their cards. The banks or financial institutions that issue the cards are responsible for those costs.

Sophisticated monitoring and fraud-detection systems typically keep card fraud to slightly more than 0.1 per cent of total sales volume, Visa has said. It developed statistical tools, referred to as neural networks, that monitor purchases and identify unusual spending behaviour that could point to fraud.

Posted by staff at July 23, 2008 12:13 PM