As Kiosks Become More Sophisticated, Security Risks Soar
Written by Evan Schuman

When a manager tries to connect a new kind of device to a network, IT is typically all over it, trying to discover potential security issues. But the much bigger risk is when a longtime network element, one that has been seen for years as innocuous and trivial, slowly becomes more intelligent and connected and quietly morphs into something that is anything but innocuous.
It happened five or six years ago when printers, faxes and scanners started getting direct access to the Internet—so a worker in Chicago could scan a document in and have it print out in the company’s Los Angeles and New York offices. These devices were getting smart (more CPU, RAM, hard disk) and connected. But few IT departments initially thought about the security of such devices, and they became an ultra-easy way to sneak into the LAN and get access to something more valuable.
Today, that identical scenario is starting to play out with kiosks. Many of today’s units are given full network access, often with hooks into POS and inventory. Some take payments directly. How many think about PCI strategies for a networked vending machine?
Jeff Wakefield heads up marketing for Verifone and he points to a vibrant, growing kiosk market as a frightening security risk. "IBM and NCR, they generally understand that security is important," Wakefield said, adding that the space today is "hugely fragmented" and that these small niche players often "have no clue about doing anything with security."
He said that he’s seen kiosks asking for debit card PINs but providing no encryption as well as machines giving consumers unlimited access to the Internet. Anything that lets data out can very likely permit data in. And providing consumers—who include bad guys—unmonitored and unlimited direct access is asking for trouble. Those machines that were connected to the full Internet were also tied into the store’s LAN and all of its internal systems. Kiosk firewalls? Why bother? Uh-oh.
"This is something that criminals would absolutely love," Wakefield said. "This is where wireless was a few years ago. Nobody is thinking about the risk."
On top of that, many of these smart kiosks are part of trials, where low investments force even more barebones security. That’s one thing if the technology is an RFID scanner on the assembly line. But when it’s a customer-facing unit, security can’t be scrimped on—even in a trial.
There is a model for good kiosk security: ATMs, which were designed from the very beginning as secure units that expect physical and electronic criminal attacks.
Wakefield described a bad model: gas station payment units. Employees who have to service the units (to, for example, replace their paper) need access, and some units are designed with "one key that will open them all over the country."
The problem is that the units use flat cables with eight-connector pins. The thief merely creates his/her own eight-connector unit and attaches it to something small (Wakefield suggests an MP3 player "because it has lots of memory"), and he/she can then create a Trojan Horse to grab all payment data and wirelessly transmit it to the thief.
More sophisticated kiosks have huge potential, especially as chains start to move closer to merged channel in the coming years. But if their security isn’t made a priority, those smart kiosks are going to make a lot of CIOs feel quite dumb.
October 2nd, 2008 at 5:36 am
This is a really interesting story. I used to think of “kiosks” as just being general purpose Internet access points available to the public. But it’s important to be aware that the term is being used to describe more powerful devices that must be secured according to the data they handle, and the threats that they face.
When did they start giving the name “kiosks” to things like “Quick Pay” terminals and “Self Service Checkouts”? I’d think these should be treated differently than traditional kiosks, in just about every possible way.
October 2nd, 2008 at 12:43 pm
Editor’s Note: Although self-checkout is in a related category to kiosks, I think the traditional unit still would not be called a kiosk. But (watch me completely contradict what I just said) as true kiosks start accepting payment and issuing product (whether it’s printing a gift card or handing the customer an iPhone), the lines are going to get truly blurry.
What if the next generation of self-checkout takes the impulse buy to the next level and allows candy bars and magazines to be dropped into the groceries at the push of a button? Why not allow a customer to replace some other purchase to be delivered to their home later?
Yep, we’re going to be needing new words to describe this stuff.