The Digital Signage Insider

Improving kiosk security: PCI, PABP and 4 lessons from the TJX fiasco

Published on: 2007-08-16

By now, you've probably heard about last year's massive security breach at TJX (the parent company of TJ Maxx, Marshalls and a few others), which resulted in the theft of millions of credit card numbers and other pieces of personally identifiable information. As the different versions of the story have come and gone, the culprits were either hackers sitting in a nearby parking lot who infiltrated an unsecured wireless network, fake kiosk repair men who installed phony keypads to steal credit card numbers and PIN codes, or ex-employees who had access to key records and resources. But a new twist covered by Information Week and StorefrontBacktalk suggests that problems with TJX's in-store security practices (or lack thereof) allowed the attackers to use job application kiosks as a vector into the corporate network. Regardless of what the actual method of attack turns out to be, you never want to leave those doors open. And since virtually every digital signage and kiosk network relies on having networked devices somewhere in the store, now seems like a good time to review some dos and don'ts for in-store computer security.

Depending on which version of the TJX kiosk story you believe, hackers either replaced an encrypted PIN pad, inserted hardware keystroke loggers, used USB key drives to inject malicious software, or some combination of the three. This brings to mind a couple of guidelines that should always be remembered when placing computers in places where unauthorized people can get to them:
  1. Lock 'em down. If you're putting a self-service kiosk on the sales floor and expect your customers to interact with it, you'd better be sure that any cables are securely fastened, unused ports are closed off (both physically and in software), and any access doors or panels are secured with a key or combination lock. In one version of the TJX story, phony tech staff physically tinkered with the kiosks, but in every version it should not have been physically possible to even install the device (USB key drive, fake PIN pad or keystroke logger). To prevent this, secure and cover all cables and openings. Even better, use an all-in-one appliance like IBM's Anyplace Kiosk with an on-screen keyboard for data entry. This eliminates the need for most external peripherals, and the ports seal up nicely, too.

  2. Out of sight, out of mind. Taking item #1 a step further, if you don't need to have your computers sitting out where anybody can get at them, lock them up somewhere else. For a kiosk application, that might mean putting the CPU in a locked cabinet or closet (though the IBM Anyplace Kiosk obviates the need for this, provided you've bolted the thing down, of course). For digital signage applications, make sure your players are either sitting in a locked enclosure if they're kept behind each screen, or even better, put all of the media players in a secure room or closet, and use video distribution equipment to carry the signal to screens elsewhere in the store. One quick anecdote here: not too long ago we won a digital signage deal away from a competitor who, in addition to not having the best product for the customer's needs, also used laptops as the media players driving each screen. Unsecured laptops. Laptops that were simply cable-tied to a mounting bracket behind each screen. Let's just say that after a month-long trial period, many of the customer's "media players" had mysteriously gone missing.

  3. Batten down the hatches. Visa, MasterCard, and other payment groups started catching flak for a lot of the more serious retailer data breaches a few years ago, and they responded with a new program called the PCI DSS (Payment Card Industry Data Security Standard). This applies to retailers as well as other parties, and outlines specific guidelines for handling cardholder data. For POS software and other payment-oriented applications, a special certification called PABP (Payment Application Best Practices) applies. Getting certified for PABP is an expensive and time-consuming endeavor. However, PABP certification is absolutely essential for kiosks that use credit cards for payment or identity verification, and it's also a very good idea for any computer-like device or service that comes within striking distance of a retailer's payment processing and data storage systems. Installing a spiffy new kiosk platform, or maybe a digital media network? Find out from your vendor if their software is up to snuff. Remember, even if your device doesn't actually accept credit cards, it could still be used as an attack vector to get to POS systems or other devices on the store's network that do house this data. Taking a point from the TJX story, it's also a good idea to disable any unused ports and peripherals in the computer's operating system and password-protect the BIOS, which further reduces the risk of tampering.

  4. Don't forget to lock the gate! I think the most amazing and hard-to-believe version of the story came from Information Week, who suggested that USB key drives were used to install rogue programs on the kiosks. (What? The kiosk software allowed new programs to be installed?) This gave the attackers unfettered access to TJX's corporate network, as the kiosks were not separated from the rest of the network by a firewall! If this was 1991 and the Internet was still a cool toy for academics and scientists I might have let that slide. But seriously, this is 2007 and the attack in question happened quite recently. Whether you're using kiosks or not, anybody who doesn't believe that an extra Ethernet jack in the wall is a potential attack vector is deluding himself: important data should always be protected with a firewall. Forget about locking the gate. If this story is true, TJX's IT staff didn't even bother installing it.

This story just goes to show that no matter how many best practices guidelines and review meetings an organization has, it's all worthless without proper execution. While TJX only expects to take a modest financial hit from this breach (the $17 billion-a-year retailer is allocating less than $200M to cover all of the damages), a lot of customers and other businesses are upset over the exposure of their personal information. Worse, it stands to reason that there are other retailers out there with similar security practices, which are in desperate need of review and updating. And while security is certainly becoming an ever more important part of an IT staff's job, the proliferation of in-store computers for self-service kiosks, digital signage, Bluetooth/SMS beaconing, traffic monitoring, and security applications suggests that the problem will continue to grow.
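
One way to check guideline 4 against a store's actual firewall policy, as an added example that is not part of the original article: the Python below walks a first-match rule list and reports every allow rule that still lets the kiosk segment reach the POS segment. The rule format, the addresses and the function names are all constructed for this illustration.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed first-match policy for a store network (addresses are assumptions).
# (action, source CIDR, destination CIDR, destination port or None = any)
RULES = [
    ("allow", "10.20.30.0/24", "10.20.1.10/32", 443),   # kiosk -> content server
    ("allow", "10.20.30.0/24", "10.20.10.0/24", 1433),  # kiosk -> POS database
    ("deny",  "10.20.30.0/24", "10.0.0.0/8",    None),  # kiosk -> rest of internal
    ("allow", "10.20.30.0/24", "10.20.10.5/32", 22),    # shadowed by the deny above
    ("allow", "0.0.0.0/0",     "0.0.0.0/0",     80),    # general web access
]
FLAT = [("allow", "0.0.0.0/0", "0.0.0.0/0", None)]      # no segmentation at all
KIOSK_NET = "10.20.30.0/24"
PROTECTED = ["10.20.10.0/24"]                           # POS / cardholder data

def _intersect(a, b):
    """CIDR blocks either nest or are disjoint: return the narrower, or None."""
    return a if a.subnet_of(b) else b if b.subnet_of(a) else None

def kiosk_exposure(rules, kiosk_cidr, protected_cidrs):
    """Return (rule index, protected CIDR, port) for each allow rule that lets
    kiosk traffic reach a protected segment and no earlier deny fully covers."""
    kiosk = net(kiosk_cidr)
    findings = []
    for i, (action, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        src_i = _intersect(net(src), kiosk)
        if src_i is None:
            continue
        for prot in protected_cidrs:
            dst_i = _intersect(net(dst), net(prot))
            if dst_i is None:
                continue
            # Partial coverage by a deny is treated as exposure (conservative).
            shadowed = any(
                a == "deny"
                and src_i.subnet_of(net(s))
                and dst_i.subnet_of(net(d))
                and (p is None or p == port)
                for a, s, d, p in rules[:i]
            )
            if not shadowed:
                findings.append((i, prot, port))
    return findings
```

Against the constructed `RULES`, only the POS database rule placed ahead of the deny is reported; against `FLAT`, the single allow-all rule is.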

There is some good news, though. All of the involved parties -- retailers, vendors and consumers -- have a vested interest in seeing things improve. Vendors must continue to improve their products, designing new systems and updating existing ones to make security features a high priority. Likewise, retailers need to make sure that security plays a significant role in their policies and practices, taking advantage of new vendor-supplied solutions as they become practical and verifying that any new hardware and software purchases are compliant with the latest security mandates and standards (like PCI and PABP). And customers (that's all of us) have the most important job of all: telling retailers and vendors exactly how we feel when they slip up.
