Depending on which version of the TJX kiosk story you believe, hackers either replaced an encrypted PIN pad, inserted hardware keystroke loggers, used USB key drives to inject malicious software, or did some combination of the three. This brings to mind a few guidelines that should always be remembered when placing computers where unauthorized people can get to them:
- Lock 'em down. If you're putting a self-service kiosk on the sales floor and expect your customers to interact with it, you'd better be sure that any cables are securely fastened, unused ports are closed off (both physically and in software), and any access doors or panels are secured with a key or combination lock. In one version of the TJX story, phony tech staff physically tinkered with the kiosks, but in every version it should not have been physically possible to even install the device (USB key drive, fake PIN pad or keystroke logger). To prevent this, secure and cover all cables and openings. Even better, use an all-in-one appliance like IBM's Anyplace Kiosk with an on-screen keyboard for data entry. This eliminates the need for most external peripherals, and the ports seal up nicely, too.
- Out of sight, out of mind. Taking item #1 a step further, if you don't need to have your computers sitting out where anybody can get at them, lock them up somewhere else. For a kiosk application, that might mean putting the CPU in a locked cabinet or closet (though the IBM Anyplace Kiosk obviates the need for this, provided you've bolted the thing down, of course). For digital signage applications, make sure your players are either sitting in a locked enclosure if they're kept behind each screen, or even better, put all of the media players in a secure room or closet, and use video distribution equipment to carry the signal to screens elsewhere in the store. One quick anecdote here: not too long ago we won a digital signage deal away from a competitor who, in addition to not having the best product for the customer's needs, also used laptops as the media players driving each screen. Unsecured laptops. Laptops that were simply cable-tied to a mounting bracket behind each screen. Let's just say that after a month-long trial period, many of the customer's "media players" had mysteriously gone missing.
- Batten down the hatches. Visa, MasterCard, and other payment groups started catching flak for a lot of the more serious retailer data breaches a few years ago, and they responded with a new program called the PCI DSS (Payment Card Industry Data Security Standard). This applies to retailers as well as other parties, and outlines specific guidelines for handling cardholder data. For POS software and other payment-oriented applications, a separate certification called PABP (Payment Application Best Practices) applies. Getting certified for PABP is an expensive and time-consuming endeavor. However, PABP certification is absolutely essential for kiosks that use credit cards for payment or identity verification, and it's also a very good idea for any computer-like device or service that comes within striking distance of a retailer's payment processing and data storage systems. Installing a spiffy new kiosk platform, or maybe a digital media network? Find out from your vendor whether their software is up to snuff. Remember, even if your device doesn't actually accept credit cards, it could still be used as an attack vector to reach POS systems or other devices on the store's network that do house this data. Taking a point from the TJX story, it's also a good idea to disable any unused ports and peripherals in the computer's operating system and password-protect the BIOS, which further reduces the risk of tampering.
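Disabling unused ports in software is easiest to get right as a default-deny allow-list rather than a list of things to block. The following is an added example, not code from the original post or from any kiosk vendor. It assumes a Linux-based kiosk that uses the kernel's USB authorization interface (the `authorized_default` sysfs knob on each root hub set to 0 at boot, so new devices come up deauthorized) and re-enables only known peripherals by vendor/product ID through udev. The VID:PID values and the device inventory are constructed placeholders; substitute the IDs of your own PIN pad and touch panel.

```python
"""Allow-list policy for USB peripherals on a locked-down kiosk.

Added example, not part of the original post. Assumes a Linux kiosk where
root hubs have authorized_default=0 (set at boot, outside this script), so
every newly attached USB device starts deauthorized and only allow-listed
vendor:product pairs are switched on. Device data below is constructed.
"""
from dataclasses import dataclass

# USB interface class codes from the USB spec that a kiosk rarely needs.
USB_CLASS_HID = 0x03           # keyboards, mice; also where keystroke loggers live
USB_CLASS_MASS_STORAGE = 0x08  # USB key drives


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str        # 4 lowercase hex digits, as shown by lsusb
    product_id: str
    interface_class: int
    description: str


# Hypothetical allow-list: the kiosk's own encrypting PIN pad and touch panel.
ALLOWED = {
    ("0abc", "1234"),   # placeholder VID:PID for the encrypting PIN pad
    ("0abc", "5678"),   # placeholder VID:PID for the touch screen controller
}


def decide(dev: UsbDevice, allowed=ALLOWED):
    """Return (authorized, reason) for a device the kiosk sees at plug-in time.

    Anything not on the allow-list is denied; the reason string is what you
    would log so that tampering attempts show up in the kiosk's event log.
    """
    if (dev.vendor_id, dev.product_id) in allowed:
        return True, "allow-listed peripheral"
    if dev.interface_class == USB_CLASS_MASS_STORAGE:
        return False, "mass storage is never permitted on a kiosk"
    if dev.interface_class == USB_CLASS_HID:
        return False, "unexpected input device; possible keystroke logger or rogue keypad"
    return False, "unknown device; default deny"


def udev_rules(allowed=ALLOWED) -> str:
    """Render udev rules that re-authorize only the allow-listed devices.

    With authorized_default=0 on the root hubs, nothing else ever binds a
    driver, so there is no separate 'block storage' rule to forget.
    """
    lines = ["# Kiosk USB allow-list (generated); default is deauthorized via authorized_default=0"]
    for vid, pid in sorted(allowed):
        lines.append(
            f'ACTION=="add", SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vid}", '
            f'ATTR{{idProduct}}=="{pid}", ATTR{{authorized}}="1"'
        )
    return "\n".join(lines) + "\n"


def audit(devices, allowed=ALLOWED):
    """Return the descriptions of devices that would be rejected."""
    return [d.description for d in devices if not decide(d, allowed)[0]]


# Constructed inventory: what an attacker-modified kiosk might present.
SAMPLE_DEVICES = [
    UsbDevice("0abc", "1234", USB_CLASS_HID, "encrypting PIN pad (vendor supplied)"),
    UsbDevice("0abc", "5678", USB_CLASS_HID, "touch screen controller"),
    UsbDevice("dead", "beef", USB_CLASS_MASS_STORAGE, "unknown USB key drive"),
    UsbDevice("c0de", "0001", USB_CLASS_HID, "unknown keyboard-class device inline on the PIN pad cable"),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.description, "->", decide(d))
    print(udev_rules())
```

The PIN pad and touch panel are HID-class too, which is why the allow-list check comes first: the policy keys on the exact device identity, not on the device class, and a substituted pad with a different VID:PID stays deauthorized. Pair this with the BIOS password the post mentions so that the boot order cannot simply be changed to bypass the operating system.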
- Don't forget to lock the gate! I think the most amazing and hard-to-believe version of the story came from Information Week, which suggested that USB key drives were used to install rogue programs on the kiosks. (What? The kiosk software allowed new programs to be installed?) This gave the attackers unfettered access to TJX's corporate network, as the kiosks were not separated from the rest of the network by a firewall! If this were 1991 and the Internet were still a cool toy for academics and scientists, I might have let that slide. But seriously, this is 2007 and the attack in question happened quite recently. Whether you're using kiosks or not, anybody who doesn't believe that an extra Ethernet jack in the wall is a potential attack vector is deluding himself: important data should always be protected with a firewall. Forget about locking the gate. If this story is true, TJX's IT staff didn't even bother installing it.
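The point about the firewall is easy to state and easy to get wrong in the rule set, so here is an added example (not the original post's code, and not modelled on any actual TJX configuration) that checks a kiosk segment's egress policy the way a reviewer would before sign-off. It models a first-match firewall over constructed sample rules and flows; the network ranges, the kiosk application server address, and the notion of a "cardholder data segment" are all assumptions chosen for illustration. The flat ruleset stands in for a kiosk sitting directly on the store LAN with nothing in between; the segmented ruleset is the corrected form.

```python
"""Check that a kiosk segment cannot reach POS or corporate systems.

Added example, not part of the original post. Models a first-match
firewall policy with an implicit default deny; all addresses and segment
names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(rules, flow: Flow, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default."""
    s = ipaddress.ip_address(flow.src)
    d = ipaddress.ip_address(flow.dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return default


# Constructed segments (assumed addressing, not a real store's plan).
KIOSK_NET = "10.50.0.0/24"          # customer-facing kiosks
POS_NET = "10.10.0.0/24"            # registers and payment processing: cardholder data
CORP_NET = "10.20.0.0/16"           # back office
KIOSK_APP_SERVER = "10.20.5.10/32"  # the one host the kiosk application needs
CARDHOLDER_SEGMENTS = [POS_NET]

# The weak setting: kiosks sit on the flat store LAN with no filtering at all.
FLAT_NETWORK = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]

# The corrected setting: kiosks may talk to their application server over
# HTTPS and nothing else; everything not listed falls to the default deny.
SEGMENTED = [
    Rule("allow", KIOSK_NET, KIOSK_APP_SERVER, 443),
    Rule("deny", KIOSK_NET, POS_NET, None),
    Rule("deny", KIOSK_NET, CORP_NET, None),
]

# Constructed test traffic from one kiosk.
SAMPLE_FLOWS = [
    Flow("10.50.0.7", "10.20.5.10", 443),   # kiosk to its app server: legitimate
    Flow("10.50.0.7", "10.10.0.25", 445),   # kiosk to a POS file share: must be blocked
    Flow("10.50.0.7", "10.20.1.4", 1433),   # kiosk to a corporate database: must be blocked
]


def permitted(rules, flows):
    """Flows the policy lets through."""
    return [f for f in flows if evaluate(rules, f) == "allow"]


def cardholder_exposure(rules, flows, segments=CARDHOLDER_SEGMENTS):
    """Permitted flows whose destination lies in a cardholder-data segment.

    A non-empty result means the kiosk is 'within striking distance' of the
    payment systems and the ruleset should fail review.
    """
    nets = [ipaddress.ip_network(s) for s in segments]
    return [f for f in permitted(rules, flows)
            if any(ipaddress.ip_address(f.dst) in n for n in nets)]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(name, "permits", len(permitted(rules, SAMPLE_FLOWS)),
              "of", len(SAMPLE_FLOWS), "flows; cardholder exposure:",
              cardholder_exposure(rules, SAMPLE_FLOWS))
```

The explicit deny rules for the POS and corporate ranges are redundant with the default deny, and that is deliberate: if someone later appends a broad allow rule for a new kiosk feature, the denies still match first and the cardholder segment stays closed. Run `cardholder_exposure` against any proposed change and treat a non-empty result as a blocker.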
There is some good news, though. All of the involved parties -- retailers, vendors and consumers -- have a vested interest in seeing things improve. Vendors must continue to improve their products, designing new systems and updating existing ones to make security features a high priority. Likewise, retailers need to make sure that security plays a significant role in their policies and practices, taking advantage of new vendor-supplied solutions as they become practical and verifying that any new hardware and software purchases comply with the latest security mandates and standards (like PCI and PABP). And customers (that's all of us) have the most important job of all: telling retailers and vendors exactly how we feel when they slip up.