Article

Three weak spots to protect with kiosk software

Vandalism and the elements are obvious threats to self-service tech. Here's how to protect against the inconspicuous ones.

June 14, 2011

This story is excerpted from “Strategies for Kiosk Security: The Software,” a white paper available for free download after registration.

The physical environment is just one part of kiosk security. Controlling access to the software is equally important.

“You also need to look at the operating system, the application that is running on the kiosk and the transport mechanism that is sending information between the kiosk and a host,” said Robert Giblett, director of self-service solutions at Mechanicsburg, Pa.-based Versatile Systems, a provider of turnkey kiosk solutions.

“In addition, you want to have the ability to monitor the activity of the kiosk, not just to see how often customers are using the kiosk but also to see if someone is trying to break into it,” he said.

The operating system

Kiosk deployers look at physical security and application security, but they also need to look at the underlying platform to make sure the kiosk is secure.

“There are many security issues to review with regard to an operating system, especially if you are running Windows,” said Brad Steiner, solutions manager for Versatile Systems.

“Windows is one of the most common OS platforms around, so of course, it is one of the most commonly targeted platforms out there,” he said. “If you don’t keep the OS up to date and have a well-defined and executed patching strategy, you are putting yourself at risk.”

Deployers need to ensure that they have a well-defined policy that clearly outlines how they are going to manage and keep their system up to date, Steiner said. Even so, there are additional issues to consider.

Deployers need to disable all non-essential processes and services, as well as any remote log-in accounts and the remote-access services behind them (SSH, RDP, VNC and the like) unless the management design explicitly requires them. In addition, they need to disable file system auto-mount services, so that a USB stick or other removable media plugged into an exposed port is not mounted, let alone executed, automatically.

In addition, deployers might consider leveraging a Linux-based operating system, Steiner said, as Linux has proven to be much more stable and secure than Windows.
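
As an added example, not code from the article or from Versatile Systems: a small audit script for a Linux-based kiosk image (the platform the paragraph above suggests) that checks the items listed in this section, namely enabled services outside an allowlist, remote-login and automount services, and accounts that still have an interactive shell. The unit names, the service and account allowlists, and the sample `systemctl` and `/etc/passwd` output are all assumptions constructed for the example and must be adapted to the real deployment.

```python
"""Hardening audit for a Linux kiosk image.

Hypothetical tool written for this article: checks enabled services against
an allowlist, flags remote-login and automount services, and flags accounts
that still have an interactive shell. All allowlists are assumptions for a
single-purpose browser kiosk and must be adapted to the real deployment.
"""
import subprocess

# Units a locked-down kiosk is assumed to need (assumption).
ESSENTIAL_SERVICES = {"kiosk-app.service", "NetworkManager.service", "getty@.service"}
# Remote login and automount units that should never be enabled on a kiosk.
FORBIDDEN_SERVICES = {"ssh.service", "sshd.service", "telnet.socket",
                      "vncserver.service", "xrdp.service",
                      "udisks2.service", "autofs.service"}
# Accounts allowed an interactive shell (assumption: one local kiosk account).
ALLOWED_SHELL_USERS = {"root", "kiosk"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample output of `systemctl list-unit-files --type=service,socket`.
SAMPLE_UNIT_FILES = """\
UNIT FILE                 STATE    VENDOR PRESET
kiosk-app.service         enabled  enabled
NetworkManager.service    enabled  enabled
ssh.service               enabled  enabled
cups.service              enabled  enabled
udisks2.service           enabled  enabled
bluetooth.service         disabled enabled
systemd-journald.service  static   -

7 unit files listed.
"""

# Constructed sample /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kiosk:x:1000:1000:Kiosk user:/home/kiosk:/bin/bash
support:x:1001:1001:Remote support:/home/support:/bin/bash
"""


def audit_services(unit_file_listing):
    """Report enabled units that are forbidden or not on the allowlist."""
    findings = []
    for line in unit_file_listing.splitlines():
        parts = line.split()
        # Skip the header, the trailing count line and blank lines.
        if len(parts) < 2 or not parts[0].endswith((".service", ".socket")):
            continue
        unit, state = parts[0], parts[1]
        if state != "enabled":
            continue
        if unit in FORBIDDEN_SERVICES:
            findings.append(f"FORBIDDEN (remote login/automount) enabled: {unit}")
        elif unit not in ESSENTIAL_SERVICES:
            findings.append(f"non-essential service enabled: {unit}")
    return findings


def audit_accounts(passwd_text):
    """Report accounts with a real login shell outside the allowlist."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS and user not in ALLOWED_SHELL_USERS:
            findings.append(f"interactive login account: {user} ({shell})")
    return findings


def live_audit():
    """Run the same checks against the running system (requires systemd)."""
    units = subprocess.run(
        ["systemctl", "list-unit-files", "--type=service,socket", "--no-pager"],
        capture_output=True, text=True, check=True).stdout
    with open("/etc/passwd") as fh:
        passwd = fh.read()
    return audit_services(units) + audit_accounts(passwd)


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_UNIT_FILES) + audit_accounts(SAMPLE_PASSWD):
        print(finding)
```

Run against the sample data it reports the SSH daemon and udisks2 as forbidden, CUPS as non-essential, and the `support` account as an interactive login that the image should not carry; `live_audit()` performs the same checks on the running system so the script can be part of the image build and of the periodic review the article recommends.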

The kiosk application

Although most kiosk applications offer a way to remotely access business intelligence, such as usage rates, deployers often forget to look for patterns that indicate someone is trying to gain access to the system.

“Deployers should regularly review the screen activity of their kiosks: which screens users are looking at, the order of screen presentation and the amount of time spent on each screen,” Steiner said. “If an activity report shows that a user is quickly flipping back and forth between screens or continuously hitting a specific button, it may be an indication that they are trying to force the system to crash so they can gain access to the application.”
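
As an added example, not part of the article or of any vendor's monitoring product: detection logic that applies the two patterns Steiner describes (rapid flipping between screens and repeatedly hitting one button) to screen-activity records with a sliding window. The record format ("ISO timestamp, kiosk id, event kind, name"), the kiosk IDs, the thresholds and the sample lines are all constructed for the example; thresholds should be tuned from normal usage data before alerting on them.

```python
"""Tamper-pattern detection over kiosk screen-activity records.

Added example for this article, not a vendor product. The record format
("ISO timestamp, kiosk id, event kind, name") and the thresholds are
assumptions; tune them from normal usage before alerting on them.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample activity log: K1 is a normal session, K2 flips screens
# back and forth several times a second, K3 hammers one button.
SAMPLE_LOG = """\
2011-06-14T10:00:00 K1 screen welcome
2011-06-14T10:00:08 K1 screen catalog
2011-06-14T10:00:30 K1 screen product
2011-06-14T10:01:05 K1 screen checkout
2011-06-14T10:05:00 K2 screen welcome
2011-06-14T10:05:01 K2 screen catalog
2011-06-14T10:05:01 K2 screen welcome
2011-06-14T10:05:02 K2 screen catalog
2011-06-14T10:05:02 K2 screen welcome
2011-06-14T10:05:03 K2 screen catalog
2011-06-14T10:05:03 K2 screen welcome
2011-06-14T10:07:00 K3 screen welcome
2011-06-14T10:07:01 K3 button print
2011-06-14T10:07:01 K3 button print
2011-06-14T10:07:02 K3 button print
2011-06-14T10:07:02 K3 button print
2011-06-14T10:07:03 K3 button print
2011-06-14T10:07:03 K3 button print
2011-06-14T10:07:04 K3 button print
2011-06-14T10:07:04 K3 button print
"""


def parse_events(log_text):
    """Return (timestamp, kiosk, kind, name) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kiosk, kind, name = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), kiosk, kind, name))
    return sorted(events)


def detect_tampering(events, flip_window=10, flip_threshold=6,
                     button_window=5, button_threshold=6):
    """Sliding-window detector. Alerts once per burst when a kiosk changes
    screens flip_threshold times within flip_window seconds, or the same
    button is pressed button_threshold times within button_window seconds."""
    windows = defaultdict(deque)   # key -> timestamps inside the window
    alerted = defaultdict(bool)    # key -> already alerted for this burst
    alerts = []
    for ts, kiosk, kind, name in events:
        if kind == "screen":
            key, window, threshold = (kiosk, "screen"), flip_window, flip_threshold
            what = "screen changes"
        elif kind == "button":
            key, window, threshold = (kiosk, "button", name), button_window, button_threshold
            what = f"presses of '{name}'"
        else:
            continue
        dq = windows[key]
        # Drop events that fell out of the window; an empty window ends a burst.
        while dq and (ts - dq[0]).total_seconds() > window:
            dq.popleft()
        if not dq:
            alerted[key] = False
        dq.append(ts)
        if len(dq) >= threshold and not alerted[key]:
            alerted[key] = True
            alerts.append(f"{ts.isoformat()} {kiosk}: {len(dq)} {what} in {window}s "
                          "(possible attempt to crash or escape the application)")
    return alerts


if __name__ == "__main__":
    for alert in detect_tampering(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data K1 produces nothing, K2 raises one alert at the sixth screen change in three seconds and K3 one at the sixth press of the print button; each burst alerts once rather than on every further event, which keeps the report readable when the same person keeps at it for minutes.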

The remote monitoring function should allow the deployer to override changes made locally and to completely disable the kiosk, if necessary. In addition, the application software should update automatically to ensure that the most recent version is in place.

Since many kiosks run Windows, many also respond to Windows-specific key combinations (Ctrl+Alt+Del, Alt+Tab, Alt+F4, Ctrl+Esc and the Windows key, among others) that can drop the user out of the kiosk application and expose the underlying desktop, Task Manager or file system. All Windows or generic shortcut key combinations, no matter how minor, should be disabled completely before the self-service kiosk is deployed, and the result should be tested from the kiosk's own keyboard.

Disabling shortcut keys removes one of the easiest routes by which an experienced attacker reaches the applications, stored files and information behind the kiosk application, and it makes it impossible for a user to inadvertently trigger a shut-down or similar event. It is one layer rather than a substitute for the operating-system lockdown above: the kiosk application should also run under a non-administrator account so that an escape, if one is found, lands in a restricted desktop rather than a privileged one.

Deployers may opt to eliminate keyboards altogether with the use of touchscreens and virtual keyboards. Specialty keys and key combinations can be eliminated, along with the cost of maintaining a physical keyboard.

The network

One of the most important considerations when it comes to kiosk software security is the network transport.

“How is the kiosk communicating with back-end systems?” Steiner said. “Are you initiating connections from the kiosk, or are you allowing connections coming into the kiosk? Are you ensuring that all communication channels are properly encrypted?”

Any communication to and from the kiosk needs to use Secure Socket Layer/Transport Layer Security, Steiner said (in practice that means current TLS versions, with the obsolete SSL protocol versions disabled), and any wireless communication needs to use the latest encryption schemes. In addition, deployers need a firewall as well as the proper client and server certificates. The two do different jobs: the firewall restricts which hosts and ports the kiosk is allowed to talk to, while certificate validation, not the firewall, is what ensures that whatever the kiosk is connecting to is what it is supposed to be and not someone spoofing an IP address.

And all communication should be initiated by the kiosk, with no remote access allowed, Steiner said.
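
As an added example, not from the article or any vendor: the weak TLS client configuration beside the hardened one for a kiosk that initiates every connection itself. It shows certificate and host-name validation (the check that actually defeats a spoofed back end), an optional client certificate so the host can authenticate the kiosk in turn, and an optional certificate pin. Host names, file paths and the sample DER bytes are placeholders.

```python
"""Kiosk-to-host TLS client: the weak setting beside the hardened one.

Added example for this article, not vendor code. Host names, file paths and
the sample certificate bytes are placeholders. The kiosk only ever dials out;
it never listens, so the host firewall can drop all inbound connections.
"""
import hashlib
import socket
import ssl


def weak_context():
    """The setting to avoid: the channel is encrypted but the peer is not
    authenticated, so anyone who can spoof the back end's IP is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def kiosk_context(ca_file=None, client_cert=None, client_key=None):
    """Hardened client context: server certificate required and checked
    against the deployer's CA bundle (or the system store when ca_file is
    None), host name verified, TLS 1.2 or newer, and an optional client
    certificate so the host can authenticate the kiosk in turn."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def context_is_hardened(ctx):
    """True when a context authenticates the peer and refuses legacy TLS."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_fingerprint(der_cert):
    """SHA-256 over the DER certificate: the value to pin at build time."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert, pinned_fingerprints):
    """Accept the peer only if its certificate matches one of the pins."""
    return cert_fingerprint(der_cert) in pinned_fingerprints


def connect_to_host(host, port, ctx, pinned_fingerprints=None, timeout=10):
    """Kiosk-initiated connection. After the normal chain and host-name
    checks, optionally require the server certificate to match a pin, which
    rejects a CA-issued but unexpected certificate for the same name."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if pinned_fingerprints is not None:
        der = tls.getpeercert(binary_form=True)
        if not pin_ok(der, pinned_fingerprints):
            tls.close()
            raise ssl.SSLCertVerificationError("server certificate does not match pin")
    return tls


# Constructed placeholder standing in for the back end's DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x00placeholder-certificate-bytes"
SAMPLE_PIN = cert_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print("hardened:", context_is_hardened(kiosk_context()),
          "weak:", context_is_hardened(weak_context()))
    print("pin for the placeholder certificate:", SAMPLE_PIN)
    # Real use (placeholder host): connect_to_host("host.example.net", 443,
    #     kiosk_context(ca_file="/etc/kiosk/ca.pem"), {SAMPLE_PIN})
```

Pinning is optional and has a cost: a pin set that is not updated before the back end renews its certificate locks every kiosk out, so pin a set that includes the next certificate, or pin the private CA that issues them, and ship pin updates through the same automatic update channel as the application.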

Ultimately, the task of securing a kiosk is something that needs to be approached holistically as part of a regular routine.

“Security is an ongoing process,” Steiner said.

“Self-service exploits are constantly changing and evolving,” he said. “No matter how secure a system is today, there is a chance that it may not be secure tomorrow. You can never guarantee that a system will be 100 percent tomorrow, but you can make sure you are proactively evaluating the environment to keep up with new threats.”

©2025 Networld Media Group, LLC. All rights reserved.