Navigation

Credit-card fraud probe targets Pearson's self-service kiosks

Jul 25, 2008

TARA PERKINS

From Wednesday's Globe and Mail
July 23, 2008 at 1:00 AM EDT

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150
self-service check-in kiosks.

In recent months, financial institutions that issue credit cards spotted isolated fraud patterns that appeared to stem from use of the cards in conjunction with getting boarding passes at the Pearson kiosks, according to sources.

While the investigation is in the early stages, it is currently focused on the kiosks, where passengers use passports, frequent-flier cards, reservation numbers, names, and/or credit card data to identify themselves for flights on any one of 13 airlines. It is not known whether any information has actually been stolen or otherwise gone astray.

Some members of the financial industry are very concerned because Pearson is Canada's busiest airport, with 31.5 million passengers travelling through it last year.

One person familiar with the investigation said the fact that personal data at airports might not be secure should send shudders through every airport traveller.

Privacy breaches are serious issues for the financial community, which stepped up its monitoring and reissued a plethora of credit cards last year after hackers broke into the databases of U.S.-based retailer TJX and stole credit- and debit-card information affecting millions of consumers around the world. Credit-card details and other personal data are extremely valuable information for criminals, who can use it to make fraudulent purchases or steal identities.

There are 150 self-serve kiosks at Pearson. The physical machines are owned by the Greater Toronto Airports Authority, the not-for-profit corporation that manages the airport.

While it owns the kiosks' hardware, it has a licence with technology companies that manage the flow of information to the airlines and back.

We don't see the information, we just pass it back and forth, Scott Armstrong, a GTAA spokesman, said Monday. “And that's been audited and that's working the way it's supposed to and our network is secure and it's been checked out very, very recently.

Visa has done some investigating, and we're working with them. And that's not specific just to Pearson, that's just a standard thing. Apparently they have an investigations wing and they like to make sure things are working the way they're supposed to. I don't know what prompted their questions, but our kiosks have proven to be working exactly as they're supposed to.

Visa Canada spokeswoman Tania Freedman said, We're investigating isolated reports of fraud, and we're working with airport officials to investigate the situation.
American Express spokeswoman Lauren Dineen-Duarte said, We're aware of the situation and obviously monitoring it very closely.

We've been in contact with the other card companies as well, working with Visa, MasterCard, etc. But, because it's an active investigation, I can't really give much more detail than that.

MasterCard spokeswoman Julie Wilson said the company could not confirm any specifics regarding this case.

Copies of July 11 letters sent by GTAA chief information officer Gary Long to two technology companies that are involved with the kiosks ARINC Inc. and SITA Inc. were obtained by The Globe and Mail.

They state that Visa is investigating the use of credit cards at the kiosks in Toronto, and that the GTAA has referred the card company's investigators to ARINC and SITA for further inquiry.

We request that you provide your full co-operation to the VISA investigators and if your systems are found to be insecure, the GTA requires that you implement immediate remediation measures,Mr. Long wrote in the letters.

Doug Love, the GTAA's general counsel, sent a letter to the 13 airlines that said: We are very concerned about the potential repercussions of this situation should the travelling public lose faith in the security of the credit card system at Canadian airports I am therefore writing to you to encourage your full co-operation with VISA Canada and other credit card companies and to take the necessary steps to resolve this matter as quickly as possible.

Catherine Mayer, vice-president of airport services at SITA, said the
company had no comment.

Linda Hartwig, a spokeswoman for ARINC, said that ARINC and SITA are master systems integrators that link the airlines' networks to the system. She said that IBM is the software provider. IBM could not be reached for comment late Tuesday.

A spokeswoman for the federal privacy commissioner said on Monday that her office had not yet been made aware of the situation.

PREVIOUS POSTS
Feb 25.08 | MONERIS SOLUTIONS LAUNCHES NEW E-PHILANTHROPY INITIATIVE WITH C.N. WYLIE GROUP!

Moneris’ new eSELECTplus® payment tool will be used with Wylie’s Helpforcharities.com Web site so organizations can easily accept electronic contributions and purchases online
read more

Jan 18.08 | Silent Banker Trojan..Banking in Silence

Beware the Silent Banker Trojan which sits quietly between your computer and your online banking to steal away payments. It can silently change the user-entered destination bank account details to the attacker's account details instead. read more

Jan 14.08 | November 6, 2007 92 Convio Clients Hit In Security Breach

November 6, 2007 92 Convio Clients Hit In Security Breach
Firm says no financial data was accessed
By Mark Hrywna The NonProfit Times read more

Nov 13.07 | VISA PLANS TO RAISE $10 BILLION IN IPO

read more

Oct 24.07 | Court filing in TJX breach doubles toll

Court filing in TJX breach doubles toll
94 million accounts were affected, banks say
By Ross Kerber, Globe Staff | October 24, 2007 read more

Sep 10.07 | SPIguard Security Solutions Inc. QSA certification with PCI Standards Council, L.L.C.

Its official! SPIguard Security Solutions Inc. is certified with PCI SSC as a QSA!
https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf read more

Jul 19.07 | VISA USA GIVES ACQUIRERS DEADLINE TO SUBMIT PCI PLANS FOR LEVEL 4 MERCHANTS

Merchant acquirers working with Visa USA have until July 31 to submit a summary of
their plans for small-merchant compliance with the Payment Card Industry
data-security standard. read more

Jan 18.07 | SECURITY EXPERT BELIEVES BANKS, NOT MERCHANTS, SHOULD 'OWN UP' TO RESPONSIBILITY TO PROTECT DATA

DATA: The data breach confirmed by TJX Cos. today is "quite serious" and looks to be
organized, suggests Avivah Litan, an analyst at Gartner Group. She believes the
payments industry needs to recognize that it may be more cost effective to change
the payment system than ask 5 million retailers to comply with PCI data-security
standards. read more

ARCHIVE