Friday, August 29, 2008

Password reset unsafe! Personal information easy to discover!

Ok, I admit... the typical reader of Scientific American is probably not the most Internet-savvy person out there, but I actually loved Herbert H. Thompson's article "How I Stole Someone's Identity." Mr. Thompson does a good job explaining how to footprint a person online and begin compromising account after account of theirs simply by using the password reset feature and the "security questions" that are used to validate identity.
For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. In Kim's case some of that information came from a blog, but it could just as easily have come from a MySpace page, a sibling's blog (speaking of their birthday, mom's name, etcetera) or from any number of places online.
To someone who has been around information security for a while now, none of this is news. This is actually a little old-school footprint and crack. The problem is: in the old days, the hacker would have to go to great lengths to investigate their marks. As this article shows, those days are gone; now, with a simple web search, we can find out almost everything about a person. All of our digital shadows are getting longer and keeping track of every account we've signed up for is getting more and more difficult.
It's also critical to remember that once you put data online, it's almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.
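As an added example (not from Mr. Thompson's article or this blog post): a password reset flow that removes the weak link the article exploits. Instead of validating identity with "security questions" whose answers can be footprinted from a blog or a sibling's MySpace page, the server issues a random, single-use, short-lived token, mails it only to the address on file, and stores just a hash of it, so a leaked reset table does not leak live tokens. The type names, the 15-minute window and the addresses below are this example's own assumptions, not any real site's implementation.

```go
package main

// Added example: a reset flow that does not depend on knowledge-based
// "security questions". Only the hash of the token is retained server-side;
// the token itself travels once, to the registered address. Names, layout
// and timings are assumptions made for this example.

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const resetTokenTTL = 15 * time.Minute // assumption: a short validity window

type resetRecord struct {
	user     string
	tokenSum [32]byte // SHA-256 of the token, never the token itself
	expires  time.Time
	used     bool
}

// ResetStore stands in for the server-side table of outstanding reset requests.
type ResetStore struct {
	records []*resetRecord
}

// IssueResetToken creates a fresh token for user and returns the value that
// would be e-mailed to the registered address. Only its hash is kept.
func (s *ResetStore) IssueResetToken(user string, now time.Time) (string, error) {
	raw := make([]byte, 32) // 256 bits of entropy from the OS CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.records = append(s.records, &resetRecord{
		user:     user,
		tokenSum: sha256.Sum256([]byte(token)),
		expires:  now.Add(resetTokenTTL),
	})
	return token, nil
}

var ErrInvalidToken = errors.New("reset token invalid, expired or already used")

// RedeemResetToken returns the user a token belongs to and burns it, so the
// same link cannot be replayed. The hash comparison is constant-time.
func (s *ResetStore) RedeemResetToken(token string, now time.Time) (string, error) {
	sum := sha256.Sum256([]byte(token))
	for _, r := range s.records {
		if subtle.ConstantTimeCompare(sum[:], r.tokenSum[:]) != 1 {
			continue
		}
		if r.used || now.After(r.expires) {
			return "", ErrInvalidToken
		}
		r.used = true
		return r.user, nil
	}
	return "", ErrInvalidToken
}

func main() {
	store := &ResetStore{}
	now := time.Now()
	tok, _ := store.IssueResetToken("kim@example.com", now) // constructed address
	fmt.Println("mail this link to the address on file, nowhere else:",
		"https://example.com/reset?t="+tok)

	if u, err := store.RedeemResetToken(tok, now.Add(2*time.Minute)); err == nil {
		fmt.Println("first use ok for", u)
	}
	_, err := store.RedeemResetToken(tok, now.Add(3*time.Minute))
	fmt.Println("second use:", err) // rejected: the token is single-use
}
```

The point of the design is that nothing the attacker can learn about Kim from the open web helps: the only secret is 256 random bits that exist for fifteen minutes in one mailbox, which is why protecting that mailbox is the whole game.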
Great article and well worth the read.

I'll be posting more about the new risk model in the 2.0 world soon.

Thursday, August 28, 2008

TSA takes security to the slopes, travelers run into trees

Michael Chertoff must have gone skiing and thought of this little beauty. If you have flown through DFW and a handful of other airports across the country you may have noticed that there will soon be three lines to pass through airport security. Taking a cue from ski resorts, travelers will now have to decide between black diamonds, blue squares, green dots, and purple horseshoes.


Now I won't chide the TSA too much for trying... but let's be honest for a second here. Like skiing, how many blue square travelers will think they're good enough to take on the black diamond line only to clog things up by forgetting their liter of water in the carry-on and a pen knife in their pocket? What then? Blue square folks holding up the black diamond line, black diamond travelers in the green dot line because it's empty, and green dot travelers wondering where the lift is. So... basically... what we have now. Now go hit the slopes!

More info about black diamond program here.

Wednesday, August 27, 2008

10 < 8,000,000

Best Western has let it be known that the compromise that was widely reported was contained to only 10 guests that stayed at one of the chain's many hotels in Germany.
That's three fewer than the 13 customer records that Best Western International Inc. initially said had been exposed, and a far cry from the 8 million stolen records reported by the Glasgow Sunday Herald, a Scottish newspaper that broke the news of the breach on Sunday.
So not so bad... this is great news (unless you are one of the ten people about to get letters and free credit monitoring).

Original Story

The Internet is broken

This isn't exactly a "vulnerability" and has been around for years... but it is starting to get used more and more and is begging to get some press. Threat Level over at Wired has a nice summary and explanation of IP Hijacking and how it's getting more play today and there isn't much anyone can do about it.
That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.
This hack is a symptom of a much bigger issue. The real problem is that the Internet is built and depends on protocols that were created in 1980 (IPv4), 1982 (SMTP), 1984 (DNS), 1995 (BGP), etc. and we (the IT community) have been stacking more complexity on top of very simplistic and insecure infrastructure.

Attacks such as spam, IP spoofing, DNS cache poisoning, ARP poisoning, etc. are very effective and hard to detect or stop because the protocols themselves have little to no built-in security mechanisms. Why hasn't the industry fixed this? There is too much money in not fixing the problem. Network hardware vendors such as Cisco, Juniper, 3Com, Nortel, Lucent, etc. have no incentive to fix the inherent problems since they make too much money selling security devices, software, and services that slap band-aids on the problems, slowing down but never stopping attacks. Once the attacks pick up again or a new threat emerges the vendors are ready with more devices, software, and services... more band-aids.
ISPs... have been holding their breath, "hoping that people don’t discover (this) and exploit it."
How do we fix this? We need the users of these products big and small to start demanding fixes to the fundamental security issues. Without monetary incentive these companies will continue to push their "fixes" upon us and leave the core infrastructure of the Internet vulnerable to attack. Until then? Keep buying band-aids, check DNS and eBGP periodically to ensure proper resolution and routing and cross your fingers.
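An added example of what "check eBGP periodically" can look like in practice (this is my illustration, not code from the Wired piece or from Pilosov): a small control-plane check that compares observed announcements against the origin AS you expect for each prefix you operate. It flags two patterns: your exact prefix originated by someone else, and a more-specific of your prefix originated by someone else (the more-specific wins on longest-prefix match, which is how the YouTube traffic ended up in Pakistan). Because the silent variant forwards traffic on and causes no outage, route monitoring of this kind, not user complaints, is what detects it. The ASNs and prefixes are from the documentation ranges (RFC 5398 / RFC 5737) and the announcements are constructed.

```go
package main

// Added example: origin-AS checking over constructed route-collector data.
// Expected origins, prefixes and ASNs are all assumptions for this example.

import (
	"fmt"
	"net"
	"sort"
)

// Announcement is one route as seen by a route collector or looking glass;
// the last element of ASPath is the origin AS.
type Announcement struct {
	Prefix string
	ASPath []int
}

// Alert describes one suspicious announcement.
type Alert struct {
	Prefix string
	Origin int
	Reason string
}

// covers reports whether outer contains every address in inner.
func covers(outer, inner *net.IPNet) bool {
	outerBits, _ := outer.Mask.Size()
	innerBits, _ := inner.Mask.Size()
	return innerBits >= outerBits && outer.Contains(inner.IP)
}

// CheckAnnouncements flags any announcement that covers a monitored prefix
// (exactly or as a more-specific) but is originated by an AS other than the
// one registered for it in expected.
func CheckAnnouncements(expected map[string]int, seen []Announcement) []Alert {
	monitored := make([]string, 0, len(expected))
	for p := range expected {
		monitored = append(monitored, p)
	}
	sort.Strings(monitored) // deterministic alert order

	var alerts []Alert
	for _, a := range seen {
		_, seenNet, err := net.ParseCIDR(a.Prefix)
		if err != nil || len(a.ASPath) == 0 {
			continue // malformed collector line; skip rather than crash
		}
		origin := a.ASPath[len(a.ASPath)-1]
		for _, m := range monitored {
			_, monNet, err := net.ParseCIDR(m)
			if err != nil || !covers(monNet, seenNet) || origin == expected[m] {
				continue
			}
			reason := "exact prefix originated by unexpected AS"
			if a.Prefix != m {
				reason = "more-specific of " + m + " originated by unexpected AS"
			}
			alerts = append(alerts, Alert{Prefix: a.Prefix, Origin: origin, Reason: reason})
		}
	}
	return alerts
}

func main() {
	// Constructed: the prefixes we operate and the AS that should originate them.
	expected := map[string]int{
		"203.0.113.0/24": 64496,
		"192.0.2.0/24":   64497,
	}
	// Constructed: what a route collector reports this cycle.
	seen := []Announcement{
		{"203.0.113.0/24", []int{64500, 64496}},  // normal
		{"203.0.113.0/25", []int{64500, 64511}},  // more-specific from a stranger
		{"192.0.2.0/24", []int{64501, 64510}},    // our exact prefix, wrong origin
		{"198.51.100.0/24", []int{64502, 64499}}, // not ours; ignored
	}
	for _, al := range CheckAnnouncements(expected, seen) {
		fmt.Printf("ALERT %-18s origin AS%d: %s\n", al.Prefix, al.Origin, al.Reason)
	}
}
```

Feed it what a looking glass or a route-collector feed shows for your own prefixes and run it on a schedule; the more-specific case is the one to watch, because your own routers will keep seeing your own /24 as perfectly healthy while a /25 drains the traffic elsewhere.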

Tuesday, August 26, 2008

Seriously now, we're starting to spoil them

Hackers are going to get lazy at this rate in Britain.
A computer hard disc containing one million sets of bank details was bought on eBay for just £35.

The secondhand PC contained details of customers from American Express, NatWest and Royal Bank of Scotland. The files included names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers' maiden names and even scans of signatures - more than enough for an identity thief.

Why Red Hat should be ashamed

This is big. Real big. As a former Red Hat Enterprise Linux (RHEL) admin and dabbler in things Fedora I find this news very disturbing. I'm not upset that servers at RH got compromised... that happens. What shouldn't happen is a breach of the infrastructure servers that manage your package signing. When trust is a key part of your business model (who is going to purchase an OS, let alone download and install packages, they can't trust?), your key management servers need to be protected at least as well as your financial databases.

Certificate Authority (CA) servers, key management systems, and certificate management systems should be among the most difficult systems on your network to access, no exception. They shouldn't run web servers or be reachable from the public Internet (or your Intranet for that matter). The NIDS/NIPS systems should be cranked up and watching for the baddies, and your firewalls should be blocking all inbound and outbound communication other than what is absolutely needed to function in the environment. Many businesses keep these servers off the grid (no network connectivity) in a secured room, and all package signing is done via sneakernet (carrying the data to be signed on physical media into the room).

Red Hat has recreated the keys for Fedora packages but there was no mention of whether they are creating new RHEL keys. If I were running RHEL servers I would be compiling OpenSSH from source at this point. This is coming from someone who doesn't typically fall into the "Henny-Penny" category of infosec professionals. I like to temper my paranoia with a healthy dose of reality. However, on this one I think I am upset that Red Hat's infrastructure is architected in such a way as to let this happen, and I can't trust that they aren't still rooted in some way. I have a feeling many security-conscious system administrators will be looking sideways at any and all new packages from Red Hat and Fedora for the next few months.

I am harsh because I love. I have run Red Hat since 1998 (5.2) and still run a Fedora laptop at home and use my RHEL 4 VM a few times a week at work. I have fought long and hard to get management sign-off at various jobs to bring Linux into the datacenter and hate when the community gives Microsoft ammunition for white papers.
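To make the key-rotation point concrete, here is an added example (my own model, not Red Hat's or Fedora's tooling) of what revoking a compromised package-signing key means on the consuming host. Signing happens with the private key on the isolated signing host described above; clients hold only public keys in a trust store. Once the compromised key is removed from that store, everything it ever signed, before or after the breach, stops verifying until it is re-signed by the replacement key. Ed25519 stands in for the RPM/GPG signatures a real distribution uses, and the key names and package bytes are constructed.

```go
package main

// Added example: a trust store of package-signing keys and the effect of
// revoking one. Ed25519 is a stand-in for RPM/GPG; key names and package
// contents are constructed for this example.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore is the set of signing keys a host will accept, by key name.
type TrustStore struct {
	keys map[string]ed25519.PublicKey
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]ed25519.PublicKey{}}
}

// Trust adds a public key; Revoke removes one (what a key rotation pushes to clients).
func (t *TrustStore) Trust(name string, pub ed25519.PublicKey) { t.keys[name] = pub }
func (t *TrustStore) Revoke(name string)                       { delete(t.keys, name) }

// GenerateSigningKey makes a fresh key pair; in practice only the signing
// host ever sees the private half.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPackage signs the SHA-256 digest of the package contents.
func SignPackage(priv ed25519.PrivateKey, contents []byte) []byte {
	digest := sha256.Sum256(contents)
	return ed25519.Sign(priv, digest[:])
}

var ErrUntrusted = errors.New("package signature does not verify under any trusted key")

// VerifyPackage returns the name of the trusted key that produced sig over contents.
func (t *TrustStore) VerifyPackage(contents, sig []byte) (string, error) {
	digest := sha256.Sum256(contents)
	for name, pub := range t.keys {
		if ed25519.Verify(pub, digest[:], sig) {
			return name, nil
		}
	}
	return "", ErrUntrusted
}

func main() {
	pkg := []byte("constructed package contents, not a real RPM")
	store := NewTrustStore()

	oldPub, oldPriv, _ := GenerateSigningKey()
	store.Trust("fedora-2008-key", oldPub) // constructed key name
	sigOld := SignPackage(oldPriv, pkg)
	fmt.Println(store.VerifyPackage(pkg, sigOld)) // fedora-2008-key <nil>

	// The signing host is found compromised: revoke the key everywhere.
	store.Revoke("fedora-2008-key")
	fmt.Println(store.VerifyPackage(pkg, sigOld)) // untrusted: old signatures prove nothing now

	// Re-key and re-sign; only packages re-signed by the new key verify again.
	newPub, newPriv, _ := GenerateSigningKey()
	store.Trust("fedora-2008-rotated", newPub)
	fmt.Println(store.VerifyPackage(pkg, SignPackage(newPriv, pkg)))
}
```

This is also why the RHEL question matters: until the RHEL key is rotated and pushed to the trust stores on every box, the old signature is the only thing standing between a mirror and root, and nobody outside Red Hat can tell whether the attacker has the private half.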

Related Articles

Red Hat admits breach of its servers, Fedora
Red Hat confirms security breach
Red Hat, Fedora servers compromised
Red Hat hack prompts critical OpenSSH update

Monday, August 25, 2008

Best Western refutes breach claims

As a follow up to my post yesterday "Over 8 million Best Western records stolen and sold to Russian mob," Best Western is reporting that only 13 records (not 8,000,000) may have been exposed. A company spokesman states:
There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of the Herald story. We have found no suspicious activity to support them.
Best Western points to their compliance with the PCI DSS as further proof that the allegations aren't true. Now everything they are saying may be true, only one hotel was involved in the breach, and only 13 records were compromised, and that they are fully PCI DSS compliant. However, with statements such as
... our most recent internal review was conducted in August 2008, as was our most recent external test and review. Both evaluations showed Best Western to be compliant with PCI DSS. 
... it sounds as if they are relying on the fact they are PCI compliant as proof that such an audacious hack (the 8 million, not 13) can not happen. It can. Hannaford was "compliant" with the DSS but there were 4.2 million credit card numbers involved in that breach. That brings up the larger topic of compliance vs. best practices... which will have to wait for a different post.

In the end, I hope BW is correct in their investigation and the reports were wrong. I've stayed at numerous BW hotels over the past few years myself so I'm a stakeholder of sorts in all this.


Congress to DHS - Terror Watch List needs major overhaul

Interesting story in the Wall Street Journal regarding a Congressional report finding that the TWL is:
...hobbled by technology challenges, and the $500 million program designed to upgrade it is on the verge of collapse, according to a preliminary congressional investigation.
Interesting fact I didn't know... the TWL DB was built by Lockheed Martin (I know when I think database I think Lockheed... WTF?) back in 2001 and is unable to do keyword searches... they have a person build a query. I'm not kidding. I'll repeat. The Department of Homeland Security builds the Terror Watch List by running a friggin' query.



Sunday, August 24, 2008

Over 8 million Best Western records stolen and sold to Russian mob

Looks like this one is going to be up there with the TJX and Hannaford breaches. The London Telegraph is reporting that over 8 million customer accounts have been stolen from Best Western and sold to the Russian mafia. This story is still breaking but from the article:
It is believed an Indian hacker succeeded in bypassing the security software and placing a Trojan virus on one of the firm's machines used for reservations.

The next time a staff member logged in, his or her username and password were collected, stored then put up for sale on a website operated by a branch of the Russian mafia.

The stolen data includes a range of private information such as home addresses, telephone numbers, credit card details and place of employment.

Best Western fixed the security breach on Friday after being alerted by a Sunday newspaper, which had discovered the crime.

A Sunday newspaper discovered the crime? Jeez. I'm sure there will be much, much more to come about this one.

Original Story: Hackers steal details of millions of Best Western hotel guests

They have the technology, but no security

Great article in the London Times this morning entitled "We have the technology, but no security." Author Simon Davies goes through the laundry list of compromises that have hit the British government over the past year and correctly comes to the conclusion that it is a lack of standards, policy, and understanding about data security that leads to a culture of carelessness.

Hackers in Britain don't need to scan servers for vulnerabilities nor do they have to prepare "spear phishing" attacks to compromise desktops within the government... they just need to walk around the street and look for discarded DVDs and USB key drives. Their problems are definitely on the people and process side of the security triad (people, process, technology).

I hope someone in the British government takes control of the situation and institutes an educational program coupled with strong encryption and data-access policies, with the necessary technical controls to help enforcement.


Saturday, August 23, 2008

a wii haiku

a cord pulled too hard
the wii falls down crashes breaks
my heart sinks to floor


Friday, August 22, 2008

TSA ninja strikes, renders nine planes helpless.

From the National Security Ninjas Desk:
ABC News: TSA Fires Back: Blames Airline for 'Security Violation'

I'll start with a summary from the article:
A TSA inspector, as part of a spot security check, used a sensitive aircraft probe as a handhold to gain access to parked American Eagle planes at Chicago's O'Hare airport.
The TSA ninja caused AE to ground nine Eagle commuter jets, causing 40 flights to be delayed, maintenance costs to repair the broken parts (they ain't cheap folks), and loads of pissed passengers.

To top it off:
TSA, however, strongly defended its inspector's actions, noting in a statement that he was able to gain interior access to seven of the nine aircraft he inspected, which was an "apparent violation of the airline's security program."
The kicker is that the TSA is considering fining AE for the "violations." I'd like to deconstruct the argument that AE was in "violation of the airline's security program." Airplanes aren't cars and the airport tarmac isn't a Wal-Mart parking lot; in order to get onto the tarmac you must pass through... you guessed it, TSA security checkpoints.

Furthermore, you need specialized badges, passcards, and need to be recognized by sight to get into the secured areas. Trust me... it ain't easy. So if you look like you belong, you're a familiar face, and you are out on the tarmac, most likely people will let you go on with your day because the airport is a busy, busy place and they all have things to do.

I can understand if the guy bribed an Eagle shift worker for a uniform, knocked out a sleeping American Eagle security henchman standing guard outside the plane, and got inside the plane without breaking anything. Where exactly did the TSA agent gain unauthorized access in "apparent violation of the airline's security?" What they did do was walk through security checkpoints, walk into areas they are allowed to go, broke several planes so they couldn't take off, and wasted the time of a lot of hard working people.

If you are reading this blog you most likely understand that insider threats are one of the largest problems facing information security today. But seriously, this is like the IT security guy complaining that he was able to hit a server with a hammer when he has badge access to the datacenter and keys to the cage and rack where the server was located... it's just not a fair assessment.

The TSA should stick to what it's best at: frisking nuns, making up rules as they go along, peeking straight through our clothing, and detaining five year old children.

Thursday, August 21, 2008

To cert, or not to cert, that is the Question:

Mike Rothman wrote an interesting article titled "Security certifications: Are they worth the trouble?" at SearchSecurity.com. His take was pretty close to the one I have and his experience is in line with what I have experienced in my years within the IT field. From the article:
I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do.
I don't have a CISSP, nor have I earned a CEH, CISA, Security+, etc. Quite honestly I am too busy to study for any of them. I have found a few types of "certified" folks out there:
  • Smart, dedicated professional looking to expand knowledge and become an expert in their chosen field spending hours studying texts, reading white papers, etc.
  • Smart, dedicated professional that went to training and took the exam at the end because... "why not?"
  • Poor soul sent to a boot camp training course to take on new technology / responsibility that they have no experience in, took the test on Friday afternoon after getting their free travel mug and polo shirt.
  • Sales engineers and the ilk that need certifications to "prove" expertise... I still remember the CISSP, CEH, LMNOP vendor dude that didn't understand basic routing issues and insisted that eBGP could NOT be run on an internal network.
I am, of course, taking a light-hearted jab at my certified security brethren out there. Seriously though, I have not been impressed with some of the CCIE (I helped one write an ACL on a PIX firewall once... no joke), CISSP, CEH, etc. holders that I have been meeting and interviewing lately.

I think what is beginning to happen with security certifications is what has happened with Cisco certifications and college degrees... so many unqualified, uninterested, and incompetent people have been attaining the high level certs that they are becoming almost worthless as a selection criteria of value or knowledge.

That being said, I would actually consider a certification that still meant something like the CISSP (but that is changing by the day) or a newer, lesser known SANS certification (management or technical tracks... I still haven't decided which direction I want my career to go). Of course that would put me in the first type of certified professional I listed above ;)

Wednesday, August 20, 2008

Squirtle: squirting browser-based NTLM site on your intranet

Just a quick note about something interesting I ran across out at Google Code. Squirtle takes advantage of Internet Explorer's trusted-zone behaviour and grabs NTLM hashes when a user browses to a site that is running Squirtle. No muss, no fuss, just pure Windows credential hashes. After glancing through the code I honestly can't imagine why it took so long for this to come along. Personally, I think XSS and social engineering are your most likely attack vectors, that deploying Squirtle is dead simple... and that NTLM is just dead (FD: I have never liked nor thought NTLM was effective; it was an MS lock-in trick to make people feel better but not more secure, like SMB signing). More info here and here.

Continental expands paperless boarding pass effort


Continental has expanded their pilot program for paperless ticketing as reported on KXAN (Austin, TX NBC affiliate). The program allows passengers to pass through airport "security" and board planes with electronic boarding pass barcodes that are sent to the passengers and can be downloaded and viewed on devices such as cell phones. The TSA will have scanners at checkpoints that can scan the barcode on the device, eliminating the need for paper. I can't comment in too much detail since I have been involved in the architecture of this program for my employer. I will post about this again as more information becomes public regarding the security of the program. For now, I will list a few articles that give more details regarding the program. You can piece together a good amount of information regarding the program by reading them (be warned... some of them are re-posts and article amplifications and don't offer much of anything new... sort of like this post :) ).

Tuesday, August 19, 2008

PCI DSS update (1.2) pre-released and boy howdy it's about time!

The Payment Card Institute (PCI) Security Standards Council has pre-released its highly anticipated Data Security Standards (DSS) version 1.2. The standard is due to be officially released in October of this year (2008) but the PCI wanted to give businesses a chance to examine the changes and begin re-architecting half the stuff they hurriedly put in place this year in order to meet the June 30 deadline for 1.1. Enough of my babbling, onto the good stuff:

  • Relaxed firewall configuration review from three months to six.
  • Language changes to include routers into the fold (not just firewalls).
  • Clarified the requirement applies to wireless environments “attached to cardholder environment or transmitting cardholder data.”
  • Got rid of WEP language... long live WEP! (just kidding of course)
  • Finally got rid of the silly SSID hiding requirement... I got in some very intense arguments here about the futility of hiding the SSID... so that's a big ITYS to my colleagues (except you Ryan).
  • Clarified the local user accounts databases need to be encrypted but the DB in my secure data center sitting behind eight layers of security devices need not go through the hassle... not that they shouldn't be encrypted... maybe I won't share that new requirement with management ;)
  • Wireless networks must follow industry best standards (whatever that means... more ambiguity!) for encryption, AAA, and transmission.
  • New WEP projects must be implemented by the end of March 2009 (hear that PM's... better hurry) and all WEP must die by June 30, 2010
  • AV is now required to all operating systems and must be updated and protect against known attacks
  • Thankfully loosened patching requirements to allow a risk-based prioritization of patches.
  • 6.6 is mandatory! All Internet facing websites have to either be behind a WAF or have vulnerability assessment tools pointed their direction or a rubber-glove code review
  • You have to test and verify that passwords must be unreadable both at rest and in motion.
  • They did something surrounding the 2FA requirement for access but I guess we'll have to wait to get the actual requirement (bummer)
  • Passphrases join passwords as acceptable forms of authentication (another ITYS)
  • Must visit all off-site storage facilities at least once a year. (Ugh!)
  • Added some flexibility surrounding cameras to allow other access control types.
  • Finally clarified what "secure media" meant. It applies to electronic AND paper media and how to destroy it.
  • External devices must send their logs to internal logging servers (well DUH!)
  • Relaxed audit trail requirements to three months and that they can be archived but quickly restored.
  • More guidance surrounding wireless analyzers and WIDS/WIPS, ASVs must be used in quarterly external scans and internal and external pen tests but you don't have to use a QSA or ASV for those!
  • This one I don't get: 'Expanded list of examples of critical employee-facing technologies to include “remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)”' (Big WTF?!?!?!)
  • Security policy must be reviewed by all employees annually.
  • Cleared up language regarding service provider account access and hygiene.
  • Generally cleaned up language for consistency and clarity (we'll see about that!)
All-in-all I am glad to see some of the clarifications and new requirements but there is still enough ambiguity and confusing language in the "clarifications" to keep security professionals busy and QSA's well employed over the next few years.

Monday, August 18, 2008

Hack the Vote

Image by Amarand Agasi via Flickr
Christopher Beam wrote a short article for Salon last week with an attention-getting title: Hack the Vote - Five ways hackers could tamper with the 2008 elections over at Slate. After wasting five minutes of my time reading the article I thought I would waste another five minutes of my time writing a short summary of how "hackers" can "tamper" with the elections this fall. Please note that Mr. Beam has the word "hackers" in his title but consistently refers to them as "tricksters." Mr. Beam's short list of ways hacker-tricksters (hicksters?) can sabotage the vote are:
  1. Fake e-mails. Seems that some hicksters (I'm starting to like it... I'm slapping a trademark on it) are actually politically-savvy phishers. He offers defending against phishers with "rapid response" getting the word out about the scam to the people most likely to get duped. I do love this little bit of genius from the article: "...Obama's donation page has a security seal at the bottom designating it an "authentic site." Notice, also, that you can easily copy the seal and post it on your own site." I actually did LOL when I read the last sentence.
  2. Dummy Web sites. I'm not sure how this one made it in but Mr. Beam spends a good amount of screen real estate rambling about: fake content, misspelled domain names, the Obama-Clinton XSS incident, the recent DNS flaw, and finally SQLi. His solution? Well, not much since every security professional I know is struggling with the exact same issues day-in day-out... but I'll give Mr. Beam credit for bringing some of these vulnerabilities to the general public's attention.
  3. Social networking. I see this potentially being an issue for Obamanics but for McCainites? Not so much. Unless you count the golf course or barbershop.
  4. Robo-calling. Um. Yeah, weren't they cold calling my parents to sling some serious mud back when it was Nixon vs. McGovern?
  5. Search-engine deoptimization. Potentially could be a problem if the hicksters are very very motivated and very very organized but his scenarios are too localized to be effective (buying ads to mislead people where to vote?). Google (and the other search engines) have gotten much better about rooting out "google bombing" and other SEO tricks and hacks (hicks?).
Ultimately the article closes out with the statements that it should have started with:
That's not to say these Internet tricks will upset the election—or even dent it. There are plenty of bright mischief-makers out there, but how many of them want to screw up elections? (Elect John McCain for the lulz!) And it may turn out that traditional methods of voter manipulation—such as, say, paying busloads of homeless people to pass out inaccurate sample ballots—will prove more effective. Plus, one smear campaign probably equals a thousand polling-place misinformation campaigns.

Saturday, August 9, 2008

Using credit cards at airport kiosks is as safe using them anywhere else... which isn't saying much.

The Terminal 3 Grand Hall. Image via Wikipedia
Bob Sullivan wrote a post titled "Are airline kiosks safe?" for The Red Tape Chronicles at msnbc.com last week that made me frown when I first read it. (Note: I'll give Bob Sullivan credit... at least he tried to be balanced, read on). On July 24th The Toronto Star broke a story titled "Airports a natural target for credit card fraud: Expert." Ok, airports are a target... so are discount retail chains and grocery stores... what's with the title? It turns out that Visa was investigating "isolated fraud incidents" that were occurring when people used the cards to check in to their flights and get their boarding passes. What drives me nuts is that the article spends almost 500 words scaring the bejeebus out of people when right in the middle of the article there is this gem of a quote:
"WestJet has cautioned against pinning the blame solely on the kiosks until the investigation is complete."
Eh? They didn't really know where the fraud was originating from; the banks (which do not usually have detailed information regarding the POS (Point of Sale) location or IT infrastructure of organizations) were guessing that the kiosks were a logical place to start looking. Makes sense to me. But then the UPI picked up on the story with the albeit better title "Toronto airport credit card scam probed." Unfortunately, this article also takes the tack that it's better to scare people about swiping your card than to emphasize that the banks were investigating whether there was something to investigate.

Well, not long after the UPI story came out the security and travel blogosphere grabbed the ball and ran. With titles like these who wouldn't be scared about checking in at a kiosk?
Ok, ok, I know what you're thinking: it's better to spread the word about possible fraud than to keep it quiet and let people continue to be at risk. Fine. I agree... although I think by upping the hyperbole you spread FUD (Fear, Uncertainty, Doubt) and damage the airports, the kiosk owners, and the airlines. Let's stick to the facts and leave the outrageous headlines out (except for the last one I listed above... if a reader of "Nuttin' But Pimp" takes anything on that site seriously... well then send me an email because do I have some offers for you!).

Why am I picking on this particular news item? Well, just a few days after the initial story broke (five (5) days to be exact) CBC News reported that "No fraud linked to Toronto Pearson airport kiosks." Yes, that's right... they did an audit and found that there are "no confirmed cases of fraud currently at [Pearson] airport kiosks."

I scoured the blogosphere for follow-up articles giving the "all clear" to let people use credit cards in addition to their passports or PNR numbers to check into their flight. I could only find a few stories in the Canadian press about it. At least there will be one article out there spreading the good news. Swiping your credit card (CC) at an airport kiosk is just as dangerous as storing your CC information online, swiping it at the grocery store, handing it to a waiter at a restaurant, etc. In other words, not really all that safe at all, but convenient.

Shout out to Howard for sending me the msnbc post.

Edit: Fixed some spelling and cleaned up the language a bit.