Damn, this is an unsettling story, especially since the victim wasn't duped into anything like usually happens with things like this, but at least it ended well.
The core problem seems to be logging into that insecure wifi connection at the airport which allowed the session cookies and cc details to be sniffed. I do wonder why they didn't use a VPN in the first place which would have prevented this attack.