Automated Teller Machines (ATM) are publicly believed to be relatively secure devices since they handle consumer financial transactions. However, ATMs are susceptible to malware, viruses, and eavesdropping just like any other device having memory and processor capabilities.
In addition, other types of Self-Service Terminals (SSTs), which may be believed to be less secure than ATMs, such as kiosks, Self-Service Checkouts (SSCOs), and publicly-accessible computing devices (e.g., in restaurants, hotels, public libraries, etc.), also experience substantial security threats. In fact, eavesdropping or Man-In-The-Middle (MITM) attacks on SSCOs can result in compromising any consumer credit/debit card information. A single SSCO in a store can handle tens of thousands of customers in a given week and the store can have many SSCOs.
Most publicly-accessible terminals allow users to perform a subset of operations while restricting access to other, more sensitive operations. Typically, the allowed operations execute with the security privileges of an initial user that logged into the Operating System (OS) of the terminal. However, even when the initial user has minimal OS privileges, some known security risks cannot be fully mitigated, such as changes made to logs, configuration files, and dynamic information generated in memory when processing programs within the context of the OS.
Furthermore, even with the strictest permissions level set in the OS, an eavesdropping process is still able to read sensitive information from memory during runtime. Thus, a potential hacker is still able to steal sensitive data (e.g., private consumer information, such as credit/debit card information, names, addresses, etc.).