As Kiosks Become More Sophisticated, Security Risks Soar

Written by Evan Schuman
October 2nd, 2008

When a manager tries to connect a new kind of device to a network, IT is typically all over it, trying to discover potential security issues. But the much bigger risk is when a longtime network element, one that has been seen for years as innocuous and trivial, slowly becomes more intelligent and connected and quietly morphs into something that is anything but innocuous.

It happened five or six years ago when printers, faxes and scanners started getting direct access to the Internet—so a worker in Chicago could scan a document in and have it print out in the company’s Los Angeles and New York offices. These devices were getting smart (more CPU, RAM, hard disk) and connected. But few IT departments initially thought about the security of such devices, and they became an ultra-easy way to sneak into the LAN and get access to something more valuable.

Today, that identical scenario is starting to play out with kiosks. Many of today’s units are given full network access, often with hooks into POS and inventory. Some take payments directly. How many think about PCI strategies for a networked vending machine?

Jeff Wakefield heads up marketing for Verifone and he points to a vibrant, growing kiosk market as a frightening security risk. "IBM and NCR, they generally understand that security is important," Wakefield said, adding that the space today is "hugely fragmented" and that these small niche players often "have no clue about doing anything with security."

He said that he’s seen kiosks asking for debit card PINs but providing no encryption as well as machines giving consumers unlimited access to the Internet. Anything that lets data out can very likely permit data in. And providing consumers—who include bad guys—unmonitored and unlimited direct access is asking for trouble. Those machines that were connected to the full Internet were also tied into the store’s LAN and all of its internal systems. Kiosk firewalls? Why bother? Uh-oh.

"This is something that criminals would absolutely love," Wakefield said. "This is where wireless was a few years ago. Nobody is thinking about the risk."

On top of that, many of these smart kiosks are part of trials, where low investments force even more barebones security. That’s one thing if the technology is an RFID scanner on the assembly line. But when it’s a customer-facing unit, security can’t be scrimped on—even in a trial.

There is a model for good kiosk security: ATMs, which were designed from the very beginning as secure units that expect physical and electronic criminal attacks.

Wakefield described a bad model: gas station payment units. Employees who have to service the units (to, for example, replace their paper) need access, and some units are designed with "one key that will open them all over the country."

The problem is that the units use flat cables with eight-connector pins. The thief merely creates his/her own eight-connector unit and attaches it to something small (Wakefield suggests an MP3 player "because it has lots of memory"), and he/she can then create a Trojan Horse to grab all payment data and wirelessly transmit it to the thief.

More sophisticated kiosks have huge potential, especially as chains start to move closer to merged channel in the coming years. But if their security isn’t made a priority, those smart kiosks are going to make a lot of CIOs feel quite dumb.


2 Comments | Read As Kiosks Become More Sophisticated, Security Risks Soar

  1. Scott Wright Says:

    This is a really interesting story. I used to think of “kiosks” as just being general purpose Internet access points available to the public. But it’s important to be aware that the term is being used to describe more powerful devices that must be secured according to the data they handle, and the threats that they face.

    When did they start giving the name “kiosks” to things like “Quick Pay” terminals and “Self Service Checkouts”? I’d think these should be treated differently than traditional kiosks, in just about every possible way.

  2. Evan Schuman Says:

    Editor’s Note: Although self-checkout is in a related category to kiosks, I think the traditional unit still would not be called a kiosk. But (watch me completely contradict what I just said) as true kiosks start accepting payment and issuing product (whether it’s printing a giftcard or handing the customer an iPhone), the lines are going to get truly blurry.
    What if the next-generation of self-checkout takes the impulse buy to the next level and allows candy bars and magazine to be dropped into the groceries at the push of a button? Why not allow for a customer to replace some other purchase to be delivered to their home later?
    Yep, we’re going to be needing new words to describe this stuff.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.