If you’ve ever used food-dispenser kiosks at your workplace or in restaurants, chances are high that the machine was made by Avanti Markets, a major player in the field.
Chances are also high that the kiosk you used was affected by a recent security breach, which occurred on July 4.
The Avanti self-service kiosks can be found in hundreds of locations across the United States, most commonly in large offices and in the backrooms of companies.
The kiosks let employees buy snacks and drinks and pay directly using their credit or debit cards.
The security breach that occurred on some of these kiosks has definitely compromised the data sitting on these machines. The hackers seem to have used sophisticated malware.
More critically, the breach has occurred in the customer personal information module.
Many of these kiosks accept payments using customers’ fingerprints, and the security breach has compromised the biometric data of these individuals as well.
Company Acknowledges the Hack
The vendor supplying these self-service food kiosks, Avanti Markets, confirmed in a statement that the security breach had indeed occurred.
The company apologized to those whose personal information would have been stolen by the hackers.
It is clear that the particular malware deployed for hacking the systems on these kiosks was programmed to extract personal information in the form of names, credit/debit card numbers and card expiration dates.
The company has gone on to block most of these machines and has announced that it has hired the best brains available to get to the bottom of the incident and initiate steps to provide foolproof protection so that such security breaches do not happen again.
Serious Concerns and Some Questions Raised
The July 4 breach was not the first and may not even be the last such cyber-attack on vending machines and stand-alone kiosks.
There are some larger issues involved here. One relates to the new technology of using fingerprints to authorize payments.
In this particular breach, customers who suspect that their data might have been compromised can go back to their bank, have the card blocked and get a replacement card issued.
That gives them a certain amount of assurance that they will not suffer any further losses.
But those who lost their biometric data have to be worried. There is no way a person can replace his or her fingerprints.
The other concern is for the organizations where the food kiosks were located, because they often connect the kiosk’s ecosystem to their own intranet.
If, during the security breach, the cyber criminals manage to pierce the firewall and enter the network, the organization’s data could be stolen and held for ransom.
Solution Already Available and Should Be Implemented
The next obvious question is how such a security breach can be avoided in the future. According to experts, a solution in the form of what is called P2PE already exists.
This acronym stands for “point to point encryption.” If this technology is installed on any POS machine that is designed to accept digital payments, there is a provision to encrypt the data at every stage of each transaction.
It is therefore virtually impossible for any malware to compromise the data, even if a security breach occurs and the hacker leaves malware on the system.
Some Practical Issues
Having considered all these aspects, there are still some practical issues in assuring the customer or the end user that these kiosks are safe from any security breach.
The reason for this is that there are many small, local operators who install the machines and take the responsibility for maintaining them.
These operators may not have access to the latest technology, so the machines might always remain vulnerable to a security breach of the kind witnessed with the Avanti Markets machines.
The machines might still be supplied by the company, but the company may not be responsible for the last-mile operation and data security.
The moral of the story is that people need to be very cautious while agreeing to part with biometric identification in unverified locations.