From Wednesday's Globe and Mail
July 23, 2008 at 1:00 AM EDT
An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150
self-service check-in kiosks.
In recent months, financial institutions that issue credit cards spotted isolated fraud patterns that appeared to stem from use of the cards in conjunction with getting boarding passes at the Pearson kiosks, according to sources.
While the investigation is in the early stages, it is currently focused on the kiosks, where passengers use passports, frequent-flier cards, reservation numbers, names, and/or credit card data to identify themselves for flights on any one of 13 airlines. It is not known whether any information has actually been stolen or otherwise gone astray.
Some members of the financial industry are very concerned because Pearson is Canada's busiest airport, with 31.5 million passengers travelling through it last year.
One person familiar with the investigation said the fact that personal data at airports might not be secure should send shudders through every airport traveller.
Privacy breaches are serious issues for the financial community, which stepped up its monitoring and reissued a plethora of credit cards last year after hackers broke into the databases of U.S.-based retailer TJX and stole credit- and debit-card information affecting millions of consumers around the world. Credit-card details and other personal data are extremely valuable information for criminals, who can use it to make fraudulent purchases or steal identities.
There are 150 self-serve kiosks at Pearson. The physical machines are owned by the Greater Toronto Airports Authority, the not-for-profit corporation that manages the airport.
While it owns the kiosks' hardware, it has a licence with technology companies that manage the flow of information to the airlines and back.
We don't see the information, we just pass it back and forth, Scott Armstrong, a GTAA spokesman, said Monday. âAnd that's been audited and that's working the way it's supposed to and our network is secure and it's been checked out very, very recently.
Visa has done some investigating, and we're working with them. And that's not specific just to Pearson, that's just a standard thing. Apparently they have an investigations wing and they like to make sure things are working the way they're supposed to. I don't know what prompted their questions, but our kiosks have proven to be working exactly as they're supposed to.
Visa Canada spokeswoman Tania Freedman said, We're investigating isolated reports of fraud, and we're working with airport officials to investigate the situation.
American Express spokeswoman Lauren Dineen-Duarte said, We're aware of the situation and obviously monitoring it very closely.
We've been in contact with the other card companies as well, working with Visa, MasterCard, etc. But, because it's an active investigation, I can't really give much more detail than that.
MasterCard spokeswoman Julie Wilson said the company could not confirm any specifics regarding this case.
Copies of July 11 letters sent by GTAA chief information officer Gary Long to two technology companies that are involved with the kiosks ARINC Inc. and SITA Inc. were obtained by The Globe and Mail.
They state that Visa is investigating the use of credit cards at the kiosks in Toronto, and that the GTAA has referred the card company's investigators to ARINC and SITA for further inquiry.
We request that you provide your full co-operation to the VISA investigators and if your systems are found to be insecure, the GTA requires that you implement immediate remediation measures,Mr. Long wrote in the letters.
Doug Love, the GTAA's general counsel, sent a letter to the 13 airlines that said: We are very concerned about the potential repercussions of this situation should the travelling public lose faith in the security of the credit card system at Canadian airports I am therefore writing to you to encourage your full co-operation with VISA Canada and other credit card companies and to take the necessary steps to resolve this matter as quickly as possible.
Catherine Mayer, vice-president of airport services at SITA, said the
company had no comment.
Linda Hartwig, a spokeswoman for ARINC, said that ARINC and SITA are master systems integrators that link the airlines' networks to the system. She said that IBM is the software provider. IBM could not be reached for comment late Tuesday.
A spokeswoman for the federal privacy commissioner said on Monday that her office had not yet been made aware of the situation.