Are wardrivers zeroing in on your kiosk?
Travis Kircher is the editor of SelfService.org, a sister Web site, and is a regular contributor to Self Service World. Kircher's most recent kiosk story explored the recent convergence of ATM and kiosk transactions. Click here to read that story.

Don't look now, but the short, bald guy reclining with a laptop in his beat-up white Oldsmobile may not be surfing for reviews of "The Dark Knight." He might be hacking into a nearby store's database of debit and credit card numbers — and if he's really high-tech, he doesn't even have to leave the parking lot to do it.

TJX Companies Inc. — owner of popular apparel retailer T.J. Maxx — Barnes & Noble and seven other retailers found out the hard way how easy it is for the nefarious to peer into their point-of-sale systems. Last week, at least 11 suspects were indicted for allegedly accessing the stores' unsecured wireless wi-fi systems — via a technique known as "wardriving" — and stealing consumer card data.
Now, the question that should be on the minds of self-service deployers, say some experts, is this: Just how vulnerable are their deployments to attacks from wardrivers? What is wardriving, and if losers with laptops and too much time on their hands can hack into a POS system, what is the likelihood they could compromise the data stored on a self-service kiosk?

Wireless sniffing

The term "wardriving" refers to the act of searching for open or unsecured wi-fi networks to fraudulently access, says Nicholas Percoco, vice president of consulting for Trustwave, a global provider of information security and compliance. Wardriving can be as simple as someone in an apartment leeching off his neighbor's wireless Web access, or an expert hacker with high-tech equipment trying to gain access to the POS.

"Basically, you can take a laptop or wireless device and put it in discovery mode," Percoco said. "You can drive around a strip mall in a car with a laptop and a high-gain antenna and see what networks are out there, and if you find one that's not secured, or secured using old technology or weak technology, you could potentially gain access to it."

Points of vulnerability

So just how concerned should self-service deployers be about wardriving? Very, according to some experts. They argue that vulnerable deployments fall into two groups: deployments that transmit data over wireless networks, and deployments that are integrated into a POS system connected to a wireless network.

Alex Richardson, founder of Selling Machine Partners LLC and president of the Digital Technology Alliance — an amalgamation of deployers and vendors in the digital signage and self-service industries — says the number of kiosks that fall into the first group is small.

"I've done 250 kiosk projects worldwide and I can say that 95 percent of my installations are wired," he said. "In the past three years, 100 percent of my installations have been wired. That's for two reasons — No. 1 is security. No. 2 is broadband speed."

The real threat, according to security experts, is to transactional kiosks that fall into the second group. Transactional kiosks can be hard wired into the POS system, but if that POS system is in any way connected to an unsecured wireless network, hackers have an open gateway to the kiosk.

"Let's take the perfect example," said Karim Hijazi, managing partner and chief technology officer for RBTI Information Security. "Let's say you're sitting in an environment with a photo kiosk. It's clearly not wireless in its own right, but it's sitting on a network that has a wireless access point and I want to get to something on that kiosk remotely. I would get in by way of the wireless, find my way to the network to find the address of that kiosk system, and then target it and go to it by way of wireless."

Plenty of information improperly stored on a transactional kiosk can be of interest to criminals. They could use the unsecured wireless network to upload keyboard sniffers (software programs that record personal information typed into keyboards, such as PINs or Social Security numbers) and memory dump software that collects latent card numbers. Later, that data can be downloaded back through the unsecured wireless network.

In extreme instances, wardrivers could, in theory, use a single wireless network to gain access to the POS and self-service deployments in an entire chain of stores around the world — all from the parking lot, assuming they're all linked on the same unsecure network.

"In some cases that we've seen, once they get into a local store network, there are then connections back to corporate and to other stores as well," Percoco said. "If you think of it as sort of a spider web out there, once you land on one piece of the web, you can traverse the other links to get everywhere else within the environment."

Time for action

Both Hijazi and Percoco say they have yet to see a case of a wardriver accessing a wireless network specifically to compromise a kiosk. After all, they say, once the hacker has access to the data available in the POS, a kiosk can seem like small cheese.

But they say it could happen, in theory.

They say there are several things deployers can do to protect themselves. First, according to Hijazi, is to have someone keep track of every wireless network installed by the company. A system, no matter how secure, can be instantly laid bare to hackers by a single unprotected access point.

"Sometimes the right hand doesn't know what the left hand is doing," Hijazi said. "I could lock down the network and then one day one of my colleagues could come in and very innocently put in a wireless network thinking it's no big deal. All of a sudden, my theoretically solid network is now open."

Percoco said the deployer should understand that securing networks is a never-ending pursuit. Installing operating-system patches and anti-virus updates in a timely fashion is a must. When it comes to data encryption, he says deployers should be using recent encryption standards — WPA or WPA2. Many, he says, are still using the outdated WEP standards.

"That version, if you're running it in your environment, is relatively easy for someone to crack," he said.

Richardson said deployers should be careful not to demonize wireless in particular, but work instead to close all security loopholes.

"I'm not sure the enemy is wireless," Richardson said. "Wireless can be as secure as Fort Knox. The enemy is not following standard security protocols — leaving the doors of your house unlocked and letting people walk in."
Richardson recently headed up the Digital Technology Alliance's creation of the S3 Storefront Security Initiative, a certification program for digital technology deployments that take certain precautions to prevent identity theft, as well as protect consumer privacy and promote data security. He said he hopes that program can be expanded to include certification for retailers.   "I'd like to see our association, along with the government, create a sort of UL certification that you put on the front door of retailers," he added. "It would be essentially like S3 — so that consumers know when they walk in the door that they're not going to have their identities stolen or their credit cards stolen based on a couple of technology terrorists sitting out front with a sniffer."
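The two controls Hijazi and Percoco describe above (keeping an inventory of every sanctioned access point, and retiring WEP and open networks in favour of WPA/WPA2) can be checked mechanically against a wireless survey. The script below is an added example, not code from the article or from any of the companies quoted; the survey lines and the inventory are constructed sample data, and the column names are assumed.

```python
"""Audit a wireless site survey against a deployer's access-point inventory.

Hypothetical example. SURVEY stands in for exported scanner output (one access
point per line: BSSID, SSID, encryption type, channel); INVENTORY is the list of
access points the deployer knows it installed, keyed by BSSID.
"""
import csv
import io

# Constructed sample survey: two sanctioned APs, one WEP network, one
# unsanctioned open network that nobody in the inventory owns.
SURVEY = """\
bssid,ssid,encryption,channel
00:11:22:33:44:01,STORE-POS,WPA2,6
00:11:22:33:44:02,STORE-GUEST,WEP,11
00:11:22:33:44:03,STORE-POS,WPA2,1
aa:bb:cc:dd:ee:ff,PhotoKiosk-Setup,OPEN,6
"""

# Constructed inventory of sanctioned access points (BSSID -> expected SSID).
INVENTORY = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-GUEST",
}

# Encryption labels the article calls outdated or absent; WPA and WPA2 pass.
WEAK_ENCRYPTION = {"WEP", "OPEN", "NONE"}


def audit(survey_text: str, inventory: dict) -> list:
    """Classify every surveyed AP as OK, WEAK (sanctioned but WEP/open) or
    UNSANCTIONED (not in the inventory, e.g. a colleague's unofficial AP)."""
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().lower()
        enc = row["encryption"].strip().upper()
        if bssid not in inventory:
            status = "UNSANCTIONED"   # nobody tracked this network: verify it
        elif enc in WEAK_ENCRYPTION:
            status = "WEAK"           # sanctioned, but must move to WPA/WPA2
        else:
            status = "OK"
        findings.append({"bssid": bssid, "ssid": row["ssid"].strip(),
                         "encryption": enc, "status": status})
    return findings


def needs_action(findings: list) -> list:
    """BSSIDs that need follow-up, in survey order."""
    return [f["bssid"] for f in findings if f["status"] != "OK"]
```

Run the audit after each survey and treat every UNSANCTIONED entry as a possible "right hand doesn't know what the left hand is doing" access point until someone claims it.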