As we discussed in the previous post, kiosk security is one of the greatest challenges organizations need to deal with during kiosk application development.
Self-service kiosks are often in unsupervised locations, and thus vulnerable to threats such as information theft, viruses and malware, and unauthorized access to the kiosk system. Organizations must have rock-solid security measures in place to protect their kiosks from any security breach.
The following are some of the most common threats and countermeasures related to kiosk software:
Unauthorized access to the kiosk software and operating system
If users can access the operating system of the kiosk, they could do pretty much anything they want to cause damage: display unauthorized websites, steal or alter sensitive data stored in the file system, download and install malicious applications or a virus, or use the kiosk to attack other computers or access the organization's system, to name a few.
Therefore, limiting access to the operating system is one of the most important countermeasures against security threats. Using kiosk platform software that allows a lockdown of the OS and browser is the most common method. This kind of software ensures that all kiosk usage is restricted to its intended purpose by concealing Windows and browser menus, controlling URL access, disabling key combinations such as Ctrl+Alt+Del, and blocking pop-ups and dialogs.
Theft of sensitive data such as credit card numbers, Social Security numbers, passwords, and medical records can result in tremendous damage to the business and reputation.
Although it sounds pretty simple, the best countermeasure is not to store any customer information on the local disk of the individual kiosks. Instead, data should be sent to the central host server via an encrypted connection.
In order to protect each user's private information, it is also important to delete all cookies and cache at the end of every session. In addition, in the case that a user leaves before their session completes, delete the customer information and reset to the top page after a certain period of inactivity. Most kiosk platform software has the capability to automatically handle this.
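One way a browser-based kiosk page could implement the inactivity reset described above. This is an added example, not code from the original post or from any kiosk platform product; `HOME_URL`, `IDLE_MS` and the `/session/end` endpoint are assumed names.

```javascript
const HOME_URL = "/index.html"; // assumed path of the kiosk's top page
const IDLE_MS = 60 * 1000;      // assumed inactivity limit (60 seconds)

// Names of the cookies visible to script, parsed from a document.cookie string.
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Wipe everything the page itself can reach, then return to the top page.
// HttpOnly cookies and the HTTP cache are out of script's reach, so the server
// must end the session too (for example by answering with Clear-Site-Data).
function endSession(env) {
  for (const name of cookieNames(env.getCookies())) {
    env.setCookie(`${name}=; Max-Age=0; path=/`);
  }
  env.sessionStorage.clear();
  env.localStorage.clear();
  env.notifyServer("/session/end"); // assumed server-side logout endpoint
  env.navigate(HOME_URL);
}

// Starts the countdown and returns a function to call on every user
// interaction; each call cancels the pending reset and starts a new one.
function createIdleWatcher(env, idleMs = IDLE_MS) {
  let handle = null;
  function touch() {
    if (handle !== null) env.clearTimer(handle);
    handle = env.setTimer(() => { handle = null; endSession(env); }, idleMs);
  }
  touch();
  return touch;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const env = {
    getCookies: () => document.cookie,
    setCookie: (c) => { document.cookie = c; },
    sessionStorage: window.sessionStorage,
    localStorage: window.localStorage,
    notifyServer: (url) => navigator.sendBeacon(url),
    navigate: (url) => window.location.replace(url), // replace() adds no Back entry
    setTimer: (fn, ms) => window.setTimeout(fn, ms),
    clearTimer: (h) => window.clearTimeout(h),
  };
  const touch = createIdleWatcher(env);
  ["pointerdown", "keydown", "touchstart"].forEach((ev) =>
    document.addEventListener(ev, touch, { passive: true }));
}
```

Script can only remove cookies it can see, so the server-side session must expire on the same timeout for the reset to be complete.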
Virus and malware
Viruses and malware can seriously impair the performance of a kiosk system. In a worst-case scenario, the affected kiosk might be used to attack other computers or lead to a data breach.
For regular computers, the most effective measures are Automatic Windows Updates and antivirus software. However, they may not work best for a kiosk, particularly when it is a complex system equipped with I/O devices. Although keeping the system updated with the most recent patches and antivirus definitions sounds great, automatic updates of the system could cause unexpected results. For example, a major Windows update could lead to incompatibility with a device driver that is used in the kiosk system. Also, it often makes troubleshooting of kiosk problems much more difficult. Therefore, all changes to the system should be tested in a testing environment before being implemented at every single kiosk in production.
Actually, as long as unauthorized access to the kiosk is blocked, the chance of a kiosk system being infected with a virus or malware is very low, unless it is used to browse various websites. So focusing on locking down the kiosk software and operating system is much more effective.
If you are considering deploying security software, we recommend "white-list" based solutions that are widely used in embedded systems. When white-list based security software is deployed, only pre-configured and authorized applications become executable and no virus or malware can run on the system.
Since this post is a part of a series discussing kiosk software development, here we focused on the software aspects of kiosk security. But needless to say, kiosk hardware protection is equally (or even more) important when considering kiosk security measures. In a future post, we will come back to the security topic again to discuss kiosk hardware protection.
Natsumi Nakamura is in charge of the product marketing for kiosk hardware and software solutions at PFU Systems. She has also played a critical role in hardware/software development as well as business development for several kiosk projects.