As Kiosks Become More Sophisticated, Security Risks Soar

When a manager tries to connect a new kind of device to a network, IT is typically all over it, trying to discover potential security issues. But the much bigger risk is when a longtime network element, one that has been seen for years as innocuous and trivial, slowly becomes more intelligent and connected and quietly morphs into something that is anything but innocuous.

It happened five or six years ago when printers, faxes and scanners started getting direct access to the Internet—so a worker in Chicago could scan a document in and have it print out in the company's Los Angeles and New York offices. These devices were getting smart (more CPU, RAM, hard disk) and connected. But few IT departments initially thought about the security of such devices, and they became an ultra-easy way to sneak into the LAN and get access to something more valuable.

Today, that identical scenario is starting to play out with kiosks. Many of today's units are given full network access, often with hooks into POS and inventory. Some take payments directly. How many think about PCI strategies for a networked vending machine?

Jeff Wakefield heads up marketing for Verifone and he points to a vibrant, growing kiosk market as a frightening security risk. "IBM and NCR, they generally understand that security is important," Wakefield said, adding that the space today is "hugely fragmented" and that these small niche players often "have no clue about doing anything with security."

He said that he's seen kiosks asking for debit card PINs but providing no encryption as well as machines giving consumers unlimited access to the Internet. Anything that lets data out can very likely permit data in. And providing consumers—who include bad guys—unmonitored and unlimited direct access is asking for trouble. Those machines that were connected to the full Internet were also tied into the store's LAN and all of its internal systems. Kiosk firewalls? Why bother? Uh-oh.

"This is something that criminals would absolutely love," Wakefield said. "This is where wireless was a few years ago. Nobody is thinking about the risk."

On top of that, many of these smart kiosks are part of trials, where low investments force even more barebones security. That's one thing if the technology is an RFID scanner on the assembly line. But when it's a customer-facing unit, security can't be scrimped on—even in a trial.

There is a model for good kiosk security: ATMs, which were designed from the very beginning as secure units that expect physical and electronic criminal attacks.

Wakefield described a bad model: gas station payment units. Employees who have to service the units (to, for example, replace their paper) need access, and some units are designed with "one key that will open them all over the country."

The problem is that the units use flat cables with eight-connector pins. The thief merely creates his/her own eight-connector unit and attaches it to something small (Wakefield suggests an MP3 player "because it has lots of memory"), and he/she can then create a Trojan Horse to grab all payment data and wirelessly transmit it to the thief.

More sophisticated kiosks have huge potential, especially as chains start to move closer to merged channel in the coming years. But if their security isn't made a priority, those smart kiosks are going to make a lot of CIOs feel quite dumb.