Self-serve kiosks call for protection against hackers
John Ayers is vice president of product management at Netsurion with experience building teams and managing SD-WAN, security, governance, risk and compliance within internal and external working environments.
by John Ayers
Today's restaurants are loaded with internet-connected technologies, and in the present age of digital transformation, the rate at which new technologies are onboarded feels like an all-out arms race.
As consumer demand for digital convenience increases, restaurants are pushed to meet, rather than exceed, expectations for quality, speed and convenience. In the rush to keep up and quickly deploy new technologies, additional security vulnerabilities are often introduced. Restaurants and fast food chains have always been a prime target for cybercriminals due to their high volume of low-dollar credit card transactions and typically lagging security posture.
Yesterday's solutions don't cut it
In the past, standard security measures — firewall, antivirus and even encryption — were a solid response to the cyber threats facing diners.
With the rapid addition of internet-connected technologies that touch the same network as the point-of-sale (POS) system, new opportunities for credit card data breaches are popping up. Vulnerabilities can be found in many network gateways, such as self-ordering kiosks, digital menu boards, tabletop tablets, loyalty program applications, guest Wi-Fi, digital inventory tracking, employee scheduling software or, ironically enough, physical security cameras. The fact is, if one of these systems is vulnerable, your credit card is as well.
So, let's take a closer look at a new self-service kiosk as an example. The kiosk you are looking at is most likely just a Windows-based PC in a sleeker body running a web-based application that communicates with a server for menu data, typically located in the provider's data center or on site. For example, McDonald's new kiosks are not only a digital menu board, but also an order fulfillment point where customers can order, purchase and then pick food up at the counter. This means that the kiosk is connected to the store's network through Wi-Fi or through a direct Ethernet cable.
To communicate over the internet, the kiosk must enable security controls to protect that access. The kiosk is also in charge of protecting the POS system so that it cannot be compromised by the digital menu via shared internet access. A successful intrusion into the kiosk device could be the foothold a hacker needs to make a hop or two into the POS and begin exfiltrating credit card data. Such POS intrusions have been known to go undetected for months.
What can be done
In the above example, the situation can be prevented by implementing recommended best practices such as the following:
- Segmenting the network to separate POS traffic from all others.
- Deploying cloud next-generation firewall services to ensure security policies stay current while monitoring and preventing an intrusion.
- Using endpoint threat protection on the kiosk device and POS systems for real-time alerts of anomalous and potentially malicious behaviors and events.
As on-premises firewall devices become more expensive and more complex, one critical option every store should be considering is managed SD-WAN (Software-Defined Wide Area Networking). SDXcentral, an independent media company, defines SD-WAN as a specific application of software-defined networking technology applied to WAN connections, which are used to connect enterprise networks over large geographic distances.
SD-WAN is an effective way to roll secure and resilient connectivity, threat protection and PCI DSS compliance into one efficient, simpler and less expensive solution. With SD-WAN, simpler multi-purpose edge routers are deployed to the stores while the smarts, such as next-generation firewall protection, intrusion detection and more, are deployed and orchestrated via the cloud.