Kiosks enable financial institutions to engage customers in novel ways, improve brand recognition, and increase add-on sales. However, security needs to be a primary concern, rather than an afterthought.
Kiosks are becoming more sophisticated and presenting more information to customers while capturing more information from them. They're also becoming more commonplace.
"With the widespread acceptance of the Internet, banks understand that face-to-face is not the only way to market services to existing and potential customers," says Francie Mendelsohn, president of Summit Research Associates. The market research firm found that the number of kiosks installed worldwide increased from 1.82 million in 2008 to 2 million at the end of 2011.
As financial companies expand their use of these systems, they need to ensure sufficient security functions. And one potential problem stems from the system's design.
Kiosk applications are special-purpose PCs that bypass the embedded login mechanisms designed to protect sensitive information. In some cases, crooks may leverage this feature to access desktop and file systems -- where personal information is stored.
To secure its system, a financial institution has to close the potential holes. Banks or kiosk vendors need to turn off any printing or email default functions, so they are not potential access points for intruders. If the kiosk includes a keyboard, the financial organization must also disable potentially problematic keystroke sequences that burrow into the operating system, such as Control-Alt-Delete.
Hacker conference
The ability to use such shortcomings to break kiosk security functions has already been documented. During the Defcon hacker conference in August, the New Zealand security specialist Paul Craig detailed how criminals could hack into a kiosk.
In addition, companies have found that their kiosk security checks were insufficient. In March, UMass Memorial Healthcare acknowledged a gaping security hole. For the previous five months, a kiosk had made the personal data of 13,500 employees (names, bank name, bank transit number, and bank account number) available to the next person accessing the system.
What happens when the next person accesses the kiosk has been an ongoing challenge for banks. "Individuals often forget to log off once they finish using the system," Mendelsohn says.
To prevent problems, a kiosk can be configured to log a user off automatically if no information is entered in a defined period.
Other security checks can thwart hackers. "If a customer decides to move a lot of money to a new account, then a second authorization mechanism could be put in place to ensure that the person is who they say they are," says Carol Hamilton, a marketing manager at NCR.
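The two controls described above, automatic logoff after inactivity and a second authorization for a large transfer to a new account, can be sketched as follows. This is an added example, not code from the article or from any kiosk vendor; the `KioskSession` class, the 60-second idle limit and the 1,000 threshold are assumptions chosen for illustration.

```python
import time


class KioskSession:
    """One customer's state on a shared kiosk (hypothetical class, not a vendor API)."""

    def __init__(self, idle_limit=60.0, step_up_amount=1000.0, clock=time.monotonic):
        self.idle_limit = idle_limit          # assumed: seconds without input before logoff
        self.step_up_amount = step_up_amount  # assumed: amount that triggers a second check
        self._clock = clock
        self.user = None
        self.data = {}                        # anything shown on screen for this customer
        self.known_accounts = set()
        self._last_input = clock()

    def login(self, user, known_accounts):
        self.logoff()                         # never inherit the previous customer's state
        self.user = user
        self.known_accounts = set(known_accounts)
        self._last_input = self._clock()

    def logoff(self):
        self.user = None
        self.data.clear()                     # wipe cached personal data, not just the login flag
        self.known_accounts = set()

    def tick(self):
        """Run from a UI timer so an abandoned session ends before anyone walks up."""
        if self.user is not None and self._clock() - self._last_input >= self.idle_limit:
            self.logoff()
        return self.user is not None

    def touch(self):
        """Run on every keypress or tap; expiry is checked BEFORE the timer is refreshed."""
        if self.tick():
            self._last_input = self._clock()
        return self.user is not None

    def transfer(self, dest, amount, second_factor_ok=False):
        if not self.touch():
            return "logged_off"
        new_payee = dest not in self.known_accounts
        if new_payee and amount >= self.step_up_amount and not second_factor_ok:
            return "step_up_required"         # large amount to a new account: verify again
        return "accepted"
```

Checking expiry before refreshing the idle timer matters: otherwise the next person's first tap would revive the previous customer's session instead of ending it.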
There are security holes in virtually any system. When it comes to kiosks, banks can take steps to close them and ensure that customer information is protected.
