
Public Kiosks: Avoid Common Traps

October 31, 2025 Encrypted Login Credentials (password managers & authentication) By Ethan Hall

Public kiosks are now everywhere: retail, airports, hotels, government offices, libraries and countless other venues. They offer real convenience to businesses and users, but they also expose sensitive personal and financial information to attackers in ways a personally controlled device does not. Encrypted credential storage, disciplined password management and multi-factor authentication are the main defenses a user has when interacting with a public kiosk. This article surveys the security landscape of public kiosks, identifies the most common traps and attack vectors that users and deploying organizations should understand, and sets out practical strategies for protecting credentials and authentication mechanisms in these inherently risky environments. Understanding these weaknesses is a basic component of security literacy for anyone who uses these systems or deploys them.


The Complex Security Landscape of Public Kiosks and Self-Service Systems

Physical and Digital Infrastructure Vulnerabilities

Public kiosks represent a unique convergence of physical and digital security challenges that distinguish them from traditional computing environments in fundamental ways. These machines exist at the intersection of public access and data processing, creating inherent tensions between user convenience and security implementation. Unlike personal computers or mobile devices that an individual controls and can secure through personal practices, public kiosks are shared resources that may be used by hundreds or even thousands of different individuals daily. This shared nature creates a cascade of security complications that go beyond the typical cybersecurity concerns associated with personal computing.

The physical architecture of public kiosks makes them particularly vulnerable to hardware-based attacks that would be difficult to execute against personal devices. Since kiosks are permanently installed in public locations, attackers have ample opportunity to examine the device, identify accessible ports and install malicious hardware without attracting suspicion. The external ports and interfaces a kiosk needs for normal operation, such as USB ports, the connector for the payment terminal, the network uplink, and the cable between the keyboard and the computer itself, become installation points for surveillance devices. In 2014 the U.S. Secret Service and the Department of Homeland Security's NCCIC issued a joint advisory warning the hospitality industry about keyloggers physically installed on hotel business-center computers, demonstrating that this is an established attack vector rather than a theoretical one.

The digital infrastructure of public kiosks compounds these physical weaknesses. Kiosks typically run an outdated operating system or a specialised kiosk platform that does not receive regular security updates. The choice is usually made for stability and controlled functionality, but it leaves known vulnerabilities exploitable indefinitely. One 2024 industry analysis attributed about 60% of kiosk breaches in the preceding two years to outdated, unpatched kiosk software and firmware. Organizations deploying kiosks often prioritise operational continuity and cost over patching, so vulnerabilities that could be closed with a routine update remain open for months or years.

Network Architecture and Backend System Risks

The network connectivity that modern kiosks require adds vulnerability beyond the device itself. Most kiosks keep a permanent connection to backend systems to process transactions, validate information or upload data collected from users, so compromising one kiosk can be the first step into an organization's wider network rather than an isolated event. Architecture determines how far that step goes. In one often-cited case, a major U.S. airport that moved its kiosks to a Linux-based operating system with restricted user permissions reported no successful breaches over the following eighteen months, where the previous platform had seen multiple compromise attempts. Design choices made at deployment, not only the strength of any single control, shape the outcome.

The payment processing integrated into self-service kiosks is an especially acute risk because it handles card data directly. Even when card data is encrypted in transit, it may be exposed at the point where it is read or processed on the kiosk. In the 2017 Avanti Markets incident, malware compromised roughly 1,900 self-service kiosks across the United States and affected about 2.5 million customers. The malware entered through an infected workstation at a third-party vendor that held administrative access to the kiosk management systems, showing how indirect access through a service provider can become the vector for widespread compromise. The software captured payment card information at the moment customers entered it; the company's investigation found that exposure was limited to card data on kiosks where biometric (fingerprint) login data was not being collected.

Network segmentation is one of the most effective ways to contain a compromised kiosk, yet many organizations place kiosks directly on their primary network with no isolation. Businesses that moved kiosk traffic onto a separate, firewalled network instead of letting kiosks talk directly to core business systems have reported a 45% reduction in lateral attacks originating from compromised kiosks. That a gain of that size is still available suggests how many deployments lack this basic protective architecture and can be compromised end to end through a single kiosk.

Common Traps and Attack Vectors: Understanding the Threat Landscape

Credential Compromise Through Multiple Attack Vectors

The most insidious threats to users of public kiosks involve the compromise of login credentials and authentication information, as these represent the keys to both the kiosk itself and to personal accounts and financial systems that users may attempt to access through it. Users contemplating the use of public kiosks face a fundamental dilemma: the more critical and sensitive their business with the kiosk, the more likely they are to need to authenticate with usernames, passwords, or other credentials. This creates a scenario where the moments of highest vulnerability—when users are entering sensitive authentication information—are precisely the moments when they are exposed to the greatest risks.

Keylogging is perhaps the best-documented attack against public kiosks, and it works through both hardware and software. Hardware keyloggers are physical devices inserted between the keyboard and the computer, built into the keyboard itself, or attached to a USB port, and they silently record every keystroke. Unlike software attacks, they need no vulnerability in the kiosk's operating system; they operate below it and capture input before anything is encrypted or transmitted. Software keyloggers are programs installed on the kiosk that record keystrokes and often tag likely credentials from context, for instance text typed right after a string containing an "@" sign, or input to a field the window reports as a password field.

The DarkHotel campaign is a well-known example of coordinated keylogging against public computing environments. The attackers delivered the malware over compromised hotel Wi-Fi networks, typically disguised as a software update prompt, and targeted travelling executives. Once installed, DarkHotel ran a keylogger that recorded every keystroke and reported the data back to the attackers. To avoid detection it was designed to delete itself after collecting a certain volume of keystroke data, which made the compromise hard to identify even after sensitive information had already been captured and exfiltrated. The sophistication lay less in the implementation than in the targeting: rather than broad compromise, the attackers went after high-value individuals likely to be accessing sensitive business systems, financial account credentials and confidential communications.

Man-in-the-middle (MITM) attacks are a further credential-compromise vector that works by interception rather than direct capture. The attacker positions themselves between the user and the legitimate service and relays traffic in both directions, reading or altering it as it passes. This can happen at the network level, through a hostile Wi-Fi network or compromised network equipment, or through phishing that sends the user to a malicious proxy impersonating the real service. A proxy of this kind relays the genuine login flow, so it can capture not only the password but also the session cookie issued after a successful multi-factor login, which is why it defeats one-time-code MFA. Kiosks connected over untrusted or shared networks, and users who cannot verify what they are connected to, are exactly the conditions in which such attacks succeed.

The Credential Stuffing and Account Takeover Problem

Once attackers successfully capture login credentials from one system—whether through keylogging, phishing, or data breaches—they immediately attempt to leverage those credentials across multiple platforms through a technique known as credential stuffing. Users who recycle passwords across multiple accounts, a practice that security professionals consistently identify as dangerous but that the vast majority of users engage in due to the cognitive burden of remembering unique passwords, dramatically increase their vulnerability to this attack vector. If a user’s password for one service is compromised, attackers can use that same password to attempt access to their email account, banking services, social media profiles, and any other service where they reused the credential.

This threat is not abstract. The 2020 Twitter account takeover, where attackers compromised high-profile accounts and used them to perpetrate Bitcoin fraud, netting over $100,000 from victims, demonstrates how account takeover can be weaponized for financial gain and reputational damage. If the same attack occurred to an individual or small business rather than to a massive social media platform with crisis management resources, the reputational and financial consequences could be catastrophic. The Zoom credential stuffing attacks that compromised around half a million accounts during the pandemic occurred not necessarily through sophisticated hacking of Zoom’s systems but rather through attackers using previously compromised credentials from other breaches and attempting them against Zoom accounts. This illustrates how a single compromise at one public kiosk or website could potentially cascade into compromise across multiple critical services.

Session Hijacking and Cached Credential Exploitation

Public kiosk users frequently leave their sessions active while walking away from the device, not realizing the security implications of this behavior. In the moments when a user is logged into their email, banking service, or other sensitive account but has stepped away from the kiosk—perhaps to collect a printed document or to answer a phone call—an attacker can approach the device and gain complete control of that active session. The attacker does not need the password because they are simply taking over an already-authenticated session; they can send emails, access contacts, modify account settings, or perform financial transactions as if they were the legitimate user.

Beyond the immediate threat of session hijacking during active sessions, cached credentials are a persistent vulnerability on public kiosks that many users and administrators underestimate. Modern operating systems and applications, browsers included, cache authentication tokens and session cookies so that returning users are not asked to log in again. That design improves the experience on a personal device and becomes a serious problem on a shared one, where the next user inherits the cache. An attacker with local access can harvest this material with freely available tooling: Mimikatz, which intrusion groups such as Lapsus$ have used to move laterally after gaining a foothold on a single machine, extracts Windows credential material such as cached logon hashes and Credential Manager entries, while browser cookie and token stores are read with stealer tooling or simply by opening the profile directory. If a user has logged into email on a kiosk, or the operating system has cached their credentials for cloud services such as Microsoft Teams or Slack, the next person at that kiosk could extract them and gain access to multiple systems.

What makes this attack dangerous is that cached credentials often bypass the multi-factor authentication that would normally protect an account. If the cache holds an authenticated session token or cookie, an attacker who steals it can use the account without ever being asked for the second factor. This is a real gap in the multi-factor model as applied to public computing: the factor that protects the login becomes irrelevant if the attacker can take over the session that the login produced. The practical mitigations are on the server side: short session lifetimes, re-authentication for sensitive actions, and a logout that actually invalidates the token on the server rather than only clearing the cookie.

Biometric Data Risks and Spoofing Attacks

As security professionals have increasingly recognized the vulnerabilities associated with password-based authentication, many organizations have turned to biometric authentication systems for public kiosks and other high-security applications. Facial recognition, fingerprint authentication, voice recognition, and iris scanning represent increasingly common authentication methods on modern kiosks. However, biometric authentication introduces a new category of risks that differs fundamentally from password-related threats.

The most critical risk associated with biometric data is that, unlike passwords or authentication codes, it cannot be changed if compromised. When a password is stolen, you reset it. When a card number is compromised, you cancel the card. But if your fingerprints, facial recognition template or iris scan are stolen, you cannot issue yourself new ones. This permanence creates an asymmetric risk where biometric compromise can amount to permanent identity compromise. The prospect of identity theft rises sharply when attackers hold biometric data, since they can potentially impersonate you to any system that relies on the same biometric method.

Recent research has identified a tenfold increase in deepfake detection from 2022 to 2023, with notable regional variations. These deepfakes can be used to circumvent biometric authentication systems that are not equipped with sophisticated liveness detection mechanisms. A high-quality video or 3D model of someone’s face, or a high-resolution photograph of their fingerprints, may be sufficient to fool biometric systems that do not employ advanced spoofing detection. Sophisticated attackers can create these deepfakes by combining publicly available photos and videos with artificial intelligence algorithms, then use them to gain unauthorized access to systems protected by biometric authentication.

The Critical Role of Encrypted Login Credentials and Password Managers

Understanding Password Vaults and Secure Credential Storage

The modern approach to managing the overwhelming number of login credentials required in contemporary digital life involves the use of dedicated password managers that employ strong encryption to protect stored credentials. These tools represent a fundamental departure from browser-based password storage or, worse, the practice of writing passwords down or reusing passwords across services. A properly implemented enterprise password vault creates a centralized repository where credentials are stored under 256-bit AES (AES-256), making them unreadable to anyone without the decryption key.

The encryption in a modern password manager is what separates it from insecure storage. AES-256, the standard in serious enterprise-grade managers, uses a 256-bit key; brute-forcing such a key is beyond any conceivable computing resource, so in practice the security of the vault rests on the strength of the master password from which the key is derived. Credentials stay encrypted throughout their life in the system: the service's servers never hold plaintext or the key, and decryption happens on the user's own device after the master password, run through a deliberately slow key-derivation function, unlocks the vault. Only the legitimate user, who knows the master password, can recover the plaintext credentials.

This architecture addresses several critical vulnerabilities of storing passwords in plaintext or in places an unauthorized party can reach. If a password manager's database is compromised through a breach of the provider's infrastructure, the attackers obtain only encrypted vault blobs that they cannot decrypt without each user's master password. That is a dramatic improvement over browser-based password storage, where saved passwords are protected only by a key the operating system hands to any program running as the logged-in user, so malware on the machine can read them without a master password. Password managers also remove the need to remember complex passwords, which is what makes truly unique passwords for every service practical. That isolation means a compromised password affects one service rather than the user's entire digital identity.

Master Password Security and Multi-Factor Protection

The security of any password manager system is fundamentally dependent on the security of the master password, which serves as the single key to the entire credential vault. This creates a critical design challenge: how to make the master password strong enough to resist brute force attacks while remaining memorable enough for users to recall without writing it down. Security experts recommend that master passwords employ passphrases consisting of random words interspersed with numbers and symbols, creating passwords that are simultaneously complex enough to resist computational attacks while maintaining memorability through their semantic structure.

Recognizing that a master password alone is a single point of failure, modern password managers layer multi-factor authentication on top of it. Even an attacker who learns the master password cannot log in to the vault service without the additional factor, whether biometric verification, a time-based one-time password or a hardware security key. One caveat a practitioner should keep in mind: this second factor protects the login to the service, not the encrypted vault file itself. An attacker who obtains a copy of the vault, from a compromised device for example, can attempt the master password offline, where no second factor is asked for; the key-derivation cost and the master password's strength are the only defenses at that point. The multi-factor layer still matters because the vault is a high-value target that deserves the strongest available protection.

The implications of this architecture for public kiosk use are significant. A user should never store their password manager credentials on a public kiosk or attempt to authenticate into their password manager from a public computing environment. The kiosk cannot be trusted to handle the master password securely, and the keyboard itself might be subject to keylogging. If an attacker captures the master password through a keylogger on a public kiosk, they gain access to the entire vault and all stored credentials, negating all of the security benefits that the password manager provides. This represents one of the most critical “common traps” that users should avoid: never authenticate into your password manager on a public or untrusted computer.

Credential Rotation and Automated Updates

One of the significant advantages that enterprise password managers provide over manual password management is the ability to implement systematic credential rotation and automated updates. Rather than relying on users to remember to change passwords periodically or to immediately reset compromised credentials, modern password management systems can automatically force password changes across multiple systems when a compromise is detected. This automation is particularly important in the context of public kiosk usage because users frequently may not realize that their credentials have been compromised until long after the compromise has occurred.

Integration with dark web monitoring services enables password managers to proactively detect when credentials stored in the vault have been compromised and leaked to the criminal underground. When such a compromise is detected, the system can automatically force password resets across affected accounts, preventing attackers from using stolen credentials to gain access. For organizations deploying public kiosks, this capability represents a crucial component of incident response; if a kiosk is compromised and credentials are exfiltrated, organizations that have implemented dark web monitoring can detect the compromise rapidly and force resets before attackers have an opportunity to abuse the credentials.

This automated approach to credential management also addresses the problem of credential sharing, which represents a significant vulnerability in many organizational contexts. Rather than sharing passwords through insecure channels like email or messaging applications, organizations can implement credential sharing through their password manager, which provides a secure vault where multiple authorized users can access shared credentials without any individual user needing to know or remember the actual password. The password manager logs all access to shared credentials, creating an audit trail that allows organizations to track who accessed which credentials and when. If an employee leaves the organization, the administrator can simply remove their access to the shared credential vault rather than requiring all users of shared credentials to simultaneously change passwords as would be necessary with manual credential sharing.

Authentication Methods and Their Limitations at Public Kiosks

Multi-Factor Authentication as a Defense Against Compromise

Multi-factor authentication represents one of the most significant advances in practical security technology, as it addresses the fundamental vulnerability that passwords alone—even strong, unique passwords managed by a password manager—can be compromised through various attack vectors. When a user authenticates to a critical system using only a password, successfully stealing that password is sufficient for an attacker to gain access to the account. Multi-factor authentication breaks this equivalence by requiring that access to an account or system depend on at least two independent factors that are difficult to compromise simultaneously.

The most common formulation of multi-factor authentication combines something the user knows—typically a password—with something the user has, such as a mobile device capable of receiving time-based one-time passwords or push notifications. The theoretical security provided by this approach is substantial: even if an attacker steals the password through a keylogger on a public kiosk, they still cannot access the account unless they also possess the user’s mobile device to receive and confirm the second authentication factor. This represents a significant improvement over password-only authentication and explains why security professionals consistently recommend enabling multi-factor authentication on all critical accounts.

Multi-factor authentication is not invulnerable, however, and kiosk environments present particular difficulties. One of the most common bypasses is MFA fatigue, which relies on social engineering rather than technical sophistication. An attacker who already has the password repeatedly attempts to log in, triggering a stream of push notifications to the user's phone. Many users, especially when busy or not expecting a prompt, eventually approve one just to make the notifications stop, and that single tap hands the attacker the account. The vector is particularly effective against someone standing at a kiosk who is already frustrated by its interface and delays. The standard countermeasures are number matching (the app demands a number shown only on the login screen, so a blind approval is useless) and rate-limiting pushes, so that a burst of unanswered prompts disables push for that user and falls back to a code-based factor.

Token Theft and Session Cookie Hijacking

Another critical vulnerability in multi-factor authentication systems involves the theft of session tokens or cookies rather than the theft of the authentication credentials themselves. Most multi-factor authentication systems, once they have verified both factors, create an authenticated session for the user, typically represented by a token or cookie that the client stores and transmits with subsequent requests. This design choice is necessary for usability; requiring users to provide multi-factor authentication with every single request would create an unusable experience. However, it creates a vulnerability: if an attacker can steal the authenticated session token or cookie, they can bypass the need to provide authentication factors again.


This vulnerability is particularly acute at public kiosks because various attack vectors can be used to steal session tokens without requiring the attacker to capture the original authentication credentials. Malware on a public kiosk can extract authentication cookies from the browser’s storage, session tokens from memory, or even intercept them as they are transmitted over the network. An attacker who successfully steals a session token can immediately begin using that token from their own computer to access the compromised account, and the original user may not realize their account is compromised until they attempt their next login.

Man-in-the-middle attacks can also be used to steal authentication tokens by positioning the attacker between the user and the legitimate server, allowing them to observe and capture tokens in transit. Phishing attacks that redirect users to malicious proxy servers can capture both credentials and tokens as users authenticate to what they believe to be legitimate services. These attacks are particularly effective at public kiosks where users may be less vigilant about security and where they may not carefully examine whether they are connected to legitimate services or malicious proxies.

SIM Jacking and Out-of-Band Authentication Vulnerabilities

Multi-factor authentication systems that deliver one-time passwords by text message or phone call are vulnerable to SIM jacking (also called SIM swapping), in which an attacker convinces the mobile provider to move the target's phone number onto a SIM card the attacker controls. This does not require physically stealing or replacing the victim's SIM; the attacker only needs to persuade the provider to transfer the number to a new SIM through social engineering or by exploiting weaknesses in the provider's processes. Once the attacker controls the number, they receive every text and call meant for the victim, including the one-time passwords sent as part of multi-factor authentication challenges.

This vulnerability creates a scenario where a user might employ multi-factor authentication that they believe is secure, unaware that an attacker has taken control of their phone number and is receiving their authentication codes. This threat is particularly relevant for public kiosk usage because users may not discover the compromise until after the attacker has already used the stolen authentication codes to access critical accounts. The compromise could remain undetected for days or weeks if the attacker is careful to limit their activities to avoid triggering fraud detection systems.

Biometric Authentication Security Limitations

As discussed previously, biometric authentication methods offer both significant security advantages and important vulnerabilities relative to password-based authentication. On public kiosks, the primary vulnerability of biometric authentication involves the difficulty of ensuring that biometric scanning devices have not been compromised by attackers. A compromised biometric scanner could potentially be replaced with an attacker-controlled device that captures biometric data while appearing to function normally. Attackers could collect biometric data from multiple users and then employ sophisticated spoofing techniques to create deepfakes or replicas that could fool other biometric authentication systems.

Furthermore, the permanence of biometric data creates an asymmetric risk at public kiosks that differs from password-based risks. If a password is compromised at a public kiosk, the user can change the password and regain security. If biometric data is captured at a public kiosk, the user cannot change their fingerprints or facial features, and every other system that relies on the same biometric authentication method becomes potentially vulnerable to attack. This makes biometric authentication at public kiosks a higher-stakes security decision than password-based authentication.

Best Practices for Organizations Deploying Public Kiosks

Implementing Defense-in-Depth Architecture

Organizations that deploy public kiosks in banking, retail, hospitality, government, and healthcare environments must assume that any single control will eventually fail, and build a defense-in-depth architecture that expects compromise at several layers and limits the damage each one can do. The first and most fundamental layer is operating system hardening: the kiosk should run a locked-down image that launches only the kiosk application, under a non-administrative account, with application allowlisting, no access to a shell, file manager, system settings, or removable media, and a watchdog that relaunches the application if a user manages to close it. Linux-based kiosk builds configured this way have a better track record than general-purpose desktop installs on which arbitrary software can be installed, because there is far less for an attacker who reaches the machine to work with.

The second layer is network segmentation: kiosks sit on their own network, separated from the organization's core business systems by firewalls and access controls, with a default-deny egress policy that permits only the specific backend endpoints and ports the kiosk application needs. Even if an attacker gains complete control of a kiosk, that control does not extend to databases, internal services, or other critical infrastructure, and there is no path for lateral movement into them. Organizations that segment this way report far smaller impact from kiosk compromises. The benefit compounds when the kiosk segment is paired with real-time monitoring that flags unusual traffic originating from a kiosk, such as a connection to a destination outside the allowlist, and raises an alert immediately.

The third layer involves endpoint detection and response capabilities that monitor kiosk activity for suspicious patterns such as repeated failed authentication attempts, unusual file access, or network connections to known malicious destinations. Ideally, these monitoring systems should employ behavioral analysis that understands normal kiosk usage patterns for that specific location and alerts on deviations from baseline behavior rather than requiring manually defined suspicious behavior rules. A bank using monitoring tools successfully detected and stopped a data exfiltration attempt within eight minutes of its initiation due to real-time alerting on unusual network traffic patterns.
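The baseline-and-deviation approach described in this layer, together with the "connection outside the allowlist" alert mentioned under network segmentation, in working form. This is an added example, not code from the article or from any monitoring product: the key=value log format, the kiosk identifiers and the sample lines are constructed for illustration, and the thresholds are assumptions a deployment would tune per site.

```python
"""Added example: baseline-and-deviation detection over constructed kiosk telemetry.

The log format is hypothetical (not any product's real format):
    <epoch> kiosk=<id> event=net dst=<ip>:<port> bytes_out=<n>
    <epoch> kiosk=<id> event=auth user=<name> result=ok|fail
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """What 'normal' looks like for one kiosk, learned from a known-clean period."""
    destinations: set = field(default_factory=set)  # ip:port pairs seen during learning
    max_bytes_out: int = 0                          # largest single egress record seen


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict; the leading field is the timestamp."""
    parts = line.split()
    rec = {"ts": int(parts[0])}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def build_baseline(lines) -> dict:
    """Learn each kiosk's destination set and peak egress from a trusted window."""
    baselines = defaultdict(Baseline)
    for rec in map(parse_line, lines):
        base = baselines[rec["kiosk"]]
        if rec["event"] == "net":
            base.destinations.add(rec["dst"])
            base.max_bytes_out = max(base.max_bytes_out, int(rec["bytes_out"]))
    return dict(baselines)


def detect(lines, baselines, fail_threshold=5, fail_window=60, egress_factor=10):
    """Return (ts, kiosk, reason) alerts for records that deviate from the baseline.

    Thresholds are assumptions for illustration; a real deployment tunes them per site.
    """
    alerts = []
    recent_fails = defaultdict(list)  # kiosk -> timestamps of recent failed logins
    for rec in map(parse_line, lines):
        kid = rec["kiosk"]
        base = baselines.get(kid)
        if base is None:
            # A device nobody baselined appearing on the kiosk segment is itself an alert.
            alerts.append((rec["ts"], kid, "unknown kiosk id"))
            continue
        if rec["event"] == "net":
            if rec["dst"] not in base.destinations:
                alerts.append((rec["ts"], kid, f"new destination {rec['dst']}"))
            bytes_out = int(rec["bytes_out"])
            if bytes_out > egress_factor * base.max_bytes_out:
                alerts.append((rec["ts"], kid, f"egress spike {bytes_out} bytes"))
        elif rec["event"] == "auth" and rec["result"] == "fail":
            window = [t for t in recent_fails[kid] if rec["ts"] - t <= fail_window]
            window.append(rec["ts"])
            if len(window) >= fail_threshold:
                alerts.append((rec["ts"], kid, f"{len(window)} failed logins in {fail_window}s"))
                window = []  # one burst, one alert
            recent_fails[kid] = window
    return alerts


# Constructed sample telemetry for two kiosks during a clean learning window.
LEARNING_LINES = [
    "1700000000 kiosk=K-01 event=net dst=10.20.5.10:443 bytes_out=1200",
    "1700000030 kiosk=K-01 event=net dst=10.20.5.10:443 bytes_out=1500",
    "1700000060 kiosk=K-01 event=auth user=guest result=ok",
    "1700000005 kiosk=K-02 event=net dst=10.20.5.10:443 bytes_out=900",
    "1700000040 kiosk=K-02 event=net dst=10.20.5.11:443 bytes_out=700",
]

# Constructed live telemetry: one kiosk sending data to an outside host, one
# being brute-forced, and a device nobody provisioned.
LIVE_LINES = [
    "1700003600 kiosk=K-01 event=net dst=10.20.5.10:443 bytes_out=1100",
    "1700003650 kiosk=K-01 event=net dst=203.0.113.7:443 bytes_out=40000",
    "1700003700 kiosk=K-02 event=auth user=admin result=fail",
    "1700003710 kiosk=K-02 event=auth user=admin result=fail",
    "1700003720 kiosk=K-02 event=auth user=admin result=fail",
    "1700003730 kiosk=K-02 event=auth user=admin result=fail",
    "1700003740 kiosk=K-02 event=auth user=admin result=fail",
    "1700003800 kiosk=K-03 event=net dst=10.20.5.10:443 bytes_out=500",
]


def run_demo():
    """Learn from the clean window, then evaluate the live lines."""
    return detect(LIVE_LINES, build_baseline(LEARNING_LINES))


if __name__ == "__main__":
    for ts, kiosk, reason in run_demo():
        print(f"{ts} {kiosk}: {reason}")
```

The learning window has to come from a period you trust, since anything an attacker does during it becomes "normal"; in practice the destination set for a kiosk should also be cross-checked against the firewall allowlist rather than learned alone, so that a segmentation rule and a monitoring rule disagreeing is itself a finding.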

Credential Management and Access Control

For organizational users who need to access administrative functions on public kiosks or perform account management activities, organizations should implement role-based access control that limits the permissions granted to different administrative users based on their specific responsibilities. This principle of least privilege ensures that a compromised administrative account causes minimal damage; the attacker can only perform the specific actions for which that account was authorized. Detailed audit logs of all administrative activities create accountability and enable detection of unauthorized access or malicious administrative behavior.

Organizations should also manage administrative credentials systematically: enforce strong, unique passwords, disable outdated or weak authentication protocols, and rotate credentials whenever compromise is suspected or a holder leaves, as well as on a defined schedule where policy requires it. Administrative credentials should never be shared among multiple administrators; each administrator should have individual credentials that can be audited and revoked separately. Where a shared account cannot be avoided for legitimate operational reasons, it should be checked out from a secure credential vault that records every access and automatically rotates the password when an employee with access is terminated.

Physical Security and Tamper Detection

Organizations deploying public kiosks must implement comprehensive physical security measures that prevent or detect unauthorized modification of the hardware. This includes placing kiosks in monitored, well-lit areas where tampering would be observed, using tamper-resistant hardware and secure mounting that makes physical removal of components difficult, and implementing visual inspection protocols where staff periodically check kiosks for signs of external device attachment. Some advanced kiosks implement tamper detection sensors that alert administrators when physical access to internal components is attempted.

Physical input protection is another critical element, particularly for kiosks that collect payment information or other sensitive personal data. Encrypting PIN pads, which encrypt each keypress inside a tamper-responsive keypad so the cleartext PIN never reaches the kiosk's host computer, privacy screens that defeat shoulder surfing, and physical shielding around the PIN entry area all protect sensitive input both from observation and from capture by malware on the host. Some organizations use biometric authentication for critical transactions and keep password entry only as a fallback, shrinking the window in which a password is exposed to keylogging or shoulder surfing.

Individual User Best Practices: Avoiding Common Traps

The Fundamental Rule: Avoid Sensitive Transactions on Public Kiosks

The most reliable strategy for avoiding common traps associated with public kiosk usage is, whenever possible, to refrain from using public kiosks for sensitive transactions at all. Financial institutions, security researchers, and government agencies all concur that accessing banking systems, retail payment processing, email accounts, or other sensitive services from public computers introduces risks that are difficult to mitigate completely. Users should defer any sensitive business to their own secure computing devices and avoid accessing confidential data from untrusted computers.

When public kiosk usage cannot be avoided, users should keep transactions as low-sensitivity as possible, enter the minimum personal information required, and take careful precautions to protect whatever they do provide. A Department of Homeland Security and U.S. Secret Service advisory on keyloggers found on public computers specifically recommended that users avoid accessing financial services from public computers because of the risk of keystroke capture. Users should never enter credit card numbers, bank account credentials, or Social Security numbers at a public kiosk if any alternative exists.

Browser and Session Management

When a public kiosk must be used, open a private browsing window so the browser does not write history, cached pages, form data, or cookies to disk where a later user could find them. Private browsing offers limited protection: it only stops the browser from keeping local records, and it does nothing against a keylogger on the machine, monitoring on the network, or any other form of surveillance, but it does close one category of information leakage.

Users must also explicitly log out of every account before walking away from a public kiosk. Closing the browser window does not end an authenticated session: the session lives on the server, and the cookie that identifies it may survive in the browser's profile, so the next person to sit down can be logged in as you with full privileges. That person could read email, perform transactions, change account settings, or reset passwords from the hijacked session. Logging out explicitly, and then clearing the browser's cache, cookies, and history, is the best practical protection against this class of attack at public kiosks.
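Why closing the window changes nothing on the server, and what the kiosk operator's side of the fix looks like, as an added example that is not code from the article: a minimal server-side session table with an idle timeout, an absolute lifetime, and immediate revocation on logout. The SessionStore name, the timeout values, and the walkthrough timeline are assumptions chosen for illustration.

```python
"""Added example: server-side session state, showing why closing a kiosk
browser does not end a login and how an operator bounds the exposure."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: int    # epoch seconds when the session was issued
    last_seen: int  # epoch seconds of the last authenticated request


class SessionStore:
    """Minimal server-side session table with idle and absolute timeouts.

    Timeout values are illustrative assumptions; kiosk deployments want minutes, not days.
    """

    def __init__(self, idle_timeout=300, max_lifetime=3600):
        self.idle_timeout = idle_timeout   # seconds of inactivity before the session dies
        self.max_lifetime = max_lifetime   # hard cap regardless of activity
        self._sessions = {}

    def create(self, user, now):
        """Issue an unguessable token; this is the value the session cookie carries."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """True if the token is still live.

        Nothing here reacts to a browser window being closed: the server only
        ever sees requests and explicit logouts, so the timeouts are what limit
        how long an abandoned kiosk session stays usable by the next person.
        """
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.created > self.max_lifetime or now - s.last_seen > self.idle_timeout:
            del self._sessions[token]  # expire server-side, not merely in the cookie
            return False
        s.last_seen = now
        return True

    def logout(self, token):
        """Explicit logout revokes immediately, which closing a window never does."""
        return self._sessions.pop(token, None) is not None

    def active_users(self):
        return sorted({s.user for s in self._sessions.values()})


def cookie_header(token):
    """Set-Cookie attributes a kiosk-facing site should use: HTTPS-only, not
    readable by page scripts, and a session cookie (no Max-Age/Expires) so the
    browser discards it when the browser process actually exits."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def walkthrough():
    """Scenario: a user logs in, just closes the window, and the next user sits down."""
    store = SessionStore(idle_timeout=300, max_lifetime=3600)
    tok = store.create("alice", now=1000)
    store.validate(tok, now=1100)                     # alice's last real request
    # Alice closes the browser window at t=1100 without logging out.
    next_user_sees_alice = store.validate(tok, now=1350)  # 250 s later: still her session
    after_idle_timeout = store.validate(tok, now=1700)    # 350 s after last seen: gone
    tok2 = store.create("bob", now=2000)
    store.logout(tok2)                                    # bob logs out explicitly
    after_logout = store.validate(tok2, now=2001)
    return next_user_sees_alice, after_idle_timeout, after_logout


if __name__ == "__main__":
    print(walkthrough())  # (True, False, False)
```

The session cookie carrying no Max-Age is not a reliable control on its own: many browsers restore session cookies on restart, and a kiosk browser is rarely closed in a way that clears them, which is why the server-side idle and absolute timeouts, and an explicit logout that deletes the server record, are the controls that actually hold.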

Credential Protection and Authentication Practices

Users should never enter usernames or passwords into public kiosks unless absolutely necessary, and when such entry is unavoidable, users should assume that keylogging is occurring and ensure that passwords entered at public kiosks are immediately changed on a secure personal computer. The password you enter at a public kiosk should be considered permanently compromised; you should reset it as soon as you return to a secure computing environment. Users should especially avoid accessing password managers at public kiosks; doing so exposes the master password to potential keylogging and gives attackers access to all stored credentials in the vault.

Browser-based password storage and autofill are another credential-exposure vector at public kiosks. If you must enter a credential, decline any offer to save it, since a password saved on a shared machine can be read or replayed by whoever uses it next. Never sign into a browser profile or sync account on a kiosk: doing so can copy every password saved in your personal browser onto the shared machine. Where the kiosk's browser settings are reachable, turning autofill off for the session removes the same risk from the other direction.

Where multi-factor authentication is available, enable it on every critical account, and because of the SIM-swap risk described earlier, prefer an authenticator app or hardware security key over SMS codes wherever the service allows. Be skeptical of authentication prompts you do not recognize: they may be MFA fatigue attacks or evidence that someone else is attempting to log in with your password. Never approve an unsolicited challenge without confirming that you initiated the login yourself. If unexpected challenges arrive, assume the password has been compromised and change it immediately from a secure device.

Network Security and USB Caution

Users who connect personal devices to a kiosk's USB ports should exercise extreme caution. A port that is supposed to charge a phone can also negotiate a data connection and deliver malware (so-called juice jacking), and a tampered port can carry a damaging voltage surge (a "USB killer"); the latter is rare, but the devices are real. Do not plug personal USB drives or mobile devices into public computers without a specific need; if you must charge from a public port, use a charge-only cable or a USB data blocker, and if a laptop needs internet connectivity, use your phone as a wireless hotspot instead. That avoids any physical connection to a potentially compromised port and keeps your traffic off the kiosk's network.

Public Wi-Fi networks present their own challenges. Anyone on the same network can observe unencrypted traffic, and on a hostile network can attempt man-in-the-middle attacks that intercept or alter communications. HTTPS protects the content of most connections today, but it does not hide which sites you visit, and any plain-HTTP traffic, or a user who clicks through a certificate warning, remains exposed. A virtual private network (VPN) encrypts all of a device's traffic to the VPN provider, hiding it from other users of the network and from the access point itself. A VPN offers no protection against malware or keyloggers on the kiosk, and it only helps on a device you control, but it does stop attackers on the local network from observing or intercepting your communications.

Organizational and Regulatory Considerations

Compliance Requirements and Privacy Obligations

Organizations deploying public kiosks that collect personally identifiable information, payment card data, or health information have specific regulatory obligations regarding the protection and handling of that data. The Payment Card Industry Data Security Standard (PCI DSS) imposes requirements on systems that process, store, or transmit cardholder data, including encryption, access controls, logging and monitoring, and timely security patching. Organizations that fail to meet these requirements face substantial fines and liability for data breaches.

The General Data Protection Regulation in Europe and similar privacy regulations in other jurisdictions impose requirements for the protection of personal data collected by kiosks, including technical and organizational measures to protect data security, restrictions on data retention, and obligations to notify individuals when personal data is compromised. Libraries and educational institutions providing public access computers face additional obligations under intellectual property and acceptable use policies. The cumulative effect of these regulatory requirements is that organizations must prioritize security not merely as a best practice but as a legal obligation.

Third-Party Vendor Management and Supply Chain Security

Organizations frequently engage third-party vendors to provide, maintain, or manage kiosk systems, and these vendor relationships introduce significant security risks if not carefully managed. The Avanti Markets incident in which malware compromised 1,900 kiosks across the United States originated from a third-party vendor’s infected workstation, highlighting how vendor access can become a vector for widespread compromise. Organizations deploying kiosks should implement vendor security assessments, contractual security requirements, and ongoing monitoring of vendor access and activities.

Organizations should also carefully evaluate the security posture of third-party services integrated with kiosks, such as payment processors, chat bot services, or identity verification providers. Compromises at third-party service providers can directly impact the security of kiosk systems through compromised APIs, malicious software updates, or unauthorized data access. Organizations should conduct security assessments of critical third-party providers, establish contractual requirements for security practices and incident notification, and maintain visibility into the data these providers collect and process.

Emerging Threats and Future Considerations

Artificial Intelligence and Deepfake-Based Attacks

The increasing sophistication of artificial intelligence technologies and the growing prevalence of deepfakes present novel threats to public kiosk security that organizations are only beginning to address. Attackers can create deepfakes of legitimate users that could potentially fool facial recognition or other biometric authentication systems if those systems do not employ sophisticated liveness detection mechanisms. The tenfold increase in detected deepfakes from 2022 to 2023 suggests that this threat will only accelerate.

Beyond biometric authentication, artificial intelligence could potentially be used to create convincing phishing content, sophisticated social engineering attacks targeting public kiosk users, or improved malware that adapts its behavior to evade detection systems. Organizations deploying advanced kiosk technologies incorporating artificial intelligence should recognize that this also increases the sophistication of potential attacks and requires corresponding advancement in security measures.

Internet of Things Vulnerabilities and Smart Devices

Modern hotels and other hospitality environments increasingly deploy Internet of Things devices alongside public kiosks, creating an expanded attack surface where compromise of any single device could provide access to the broader network. Smart locks, smart thermostats, and other IoT devices typically have weaker security implementations than general-purpose computers and frequently cannot be updated with security patches. Organizations deploying IoT devices should implement network segmentation that isolates IoT devices from critical systems and employ monitoring systems that detect unusual behavior from IoT devices.

Your Kiosk: Set Up for Success, Not for Snares

Public kiosks represent essential infrastructure for modern organizations and beneficial conveniences for users, but they simultaneously represent significant security vulnerabilities that demand comprehensive attention to encrypted credentials, authentication methods, and security practices. The common traps that users encounter when using public kiosks—keyloggers, session hijacking, credential compromise, malware, and physical tampering—are not theoretical risks but rather documented threats that have resulted in millions of dollars in losses and compromises affecting millions of individuals.

Organizations deploying public kiosks must implement defense-in-depth strategies that combine hardened operating systems, network segmentation, monitoring capabilities, physical security measures, and strong credential management practices. No single security measure suffices to address the multifaceted risks associated with public kiosks; rather, overlapping security controls ensure that compromise at one level does not result in complete system failure. Users of public kiosks must understand the fundamental risks these devices pose and implement careful practices to limit the sensitivity of information they handle and the credentials they provide at these systems.

The integration of encrypted credential management, multi-factor authentication, and behavioral monitoring represents the current state of practice for securing public kiosks against the most sophisticated attacks. However, as attack methods continue to evolve and technologies like artificial intelligence and deepfakes create new threat vectors, organizations and users must maintain vigilance and continue to update their security practices in response to emerging threats. The organizations that successfully navigate this challenging security landscape will be those that treat public kiosk security not as an afterthought but as an integral component of their overall security strategy, implementing comprehensive controls and fostering a security-conscious culture among both employees and users.
