Misstep 27: Keys to the Kiosk

Kiosk with Exposed Wiring, Systems

Today, we’re going to take a look at a little piece of automation. Many folks see self checkouts in their grocery store, but my local hardware store uses these kiosks for something else.

These are near the customer service area, and allow people with returns to swipe their credit card, and enter a UPC to print a receipt. You may also choose to swipe the card and select a date you shopped with that card and print it that way as well.

I’ve talked about this a few weeks ago, where there was an ATM with its fiber optic line exposed. This is just another example of that, however this time the computer is exposed as well.

In order for the retail returns system to find your receipts, it must have your card number (or some portion of it) to look up what you’ve purchased at the store. So, swiping your card simply sends the card number to the computer to gather that information.

Some Speculation

I didn’t design these systems, and it would be illegal for me to carry out tests, however my knowledge of “point-of-sale” systems and general computer peripherals leads me to think that the mag stripe reader is a USB one — in fact, I own one myself. These devices read your card and “emulate” a keyboard, simply typing in the numbers and information as if you did it yourself.

The Misstep?

Since the rear of the computer is hanging out, and assuming whatever network connection it uses is secure, we can find whatever USB port the machine is using and attach a cheap piece of hardware inline with the USB cord. This will enable us to later on collect the hardware and view all of the credit card information that had been swiped previously — plenty enough to encode a clone card like we discuss here: Scamming Garage Sale Sites with Gift Cards

The Solution?

Hide the cables and any connections from being accessible to an attacker. It is unlikely that this will be leveraged since it is near the front of the store, however it would be easy to “drop a pen”, attach the device, and rinse/repeat a few days later to collect information.

About Author

Robert Lerner

Leave a Reply

Your email address will not be published. Required fields are marked *