Call credit union kiosks the equipment of the moment: vendors and analysts seem buoyant about the market opportunity as financial institutions continue to cut staff to better control expenses and, at the same time, iPads and Kindle Fires and still other tablets have trained a nation in how to use interactive screens.

Install lobby kiosks and, suddenly, members can easily check account balances and apply for loans. Would-be employees can apply for jobs. And just about anybody can get answers to common questions such as where branches are and what hours the credit union is open.

What's not to like about that low-cost information delivery?

Well, there is a dark side that just is not well understood by credit union executives, say many experts. But it is increasingly understood by cyber crooks.

The problems are two-fold: kiosks usually are networked computers that are tied into the institution's systems and, in many cases, the kiosks are comparatively unprotected, say the experts.

“Kiosks have great appeal – organizations are doing more and more with them. But what is the extent that security has a place at the design table?” asked Alan Brill, senior managing director for cyber security at Kroll Inc. He added, “We have found that there is a tendency to get kiosks deployed – and then we will come back and get it secure.”

There already have been significant security breaches associated with kiosks. None are known to involve credit unions. But the breaches show the potential damage.

At UMass Memorial Healthcare in Massachusetts, for instance, 10 payroll kiosks made available to employees were easily coaxed into revealing pay stub data about other employees. It was not disclosed how many employees were impacted, but the breach was believed to have been in the system for five months before security learned of it and took the kiosks out of use.

At retailer TJX, meantime, perhaps the most infamous kiosk-related security breach occurred when hackers used in-store employment kiosks (where job hunters apply for positions) as a gateway into the company's IT systems. That led to pilfering information involving millions of credit cards.

Next stop, say some experts, may be financial institution kiosks. Said Claire Shufflebotham, a security expert with NCR: “Fraudsters migrate to the weakest link – right now they are busy compromising ATMs. But I think kiosks will become the weak link.”

A frightening reality, said Jack Koziol, a director at InfoSec Institute, is that many, many kiosks remain vulnerable to attack via built-in USB ports, the route that undid the TJX kiosks. But it could be much uglier still at a financial institution. “With a USB switchblade” – a simple plug-in device well understood by cyber crooks that lets them run unauthorized software – “hackers could get access to user passwords and login credentials,” said Koziol.

That is just the start of the troubles, however.

“Inside the vast majority of kiosks is a Windows device that has all the Windows vulnerabilities,” said Jeff McNaught, an executive with cloud computing expert Wyse. That indeed is the problem with many kiosks, said the experts.

Many are simply Windows computers (occasionally Apple iPads) that have been lightly repurposed with a software front end that is intended to limit the functionality on the device – but every hacker knows ways to thwart those limits.

That does not mean it is time to unplug kiosks. What it does mean is that steps have to be taken to toughen kiosks against crooks, said John Viega, an executive at Perimeter E-Security. He ticked off two must-do's: step one is building in a white list of permitted websites – and denying access to any site not on the list.

Step two: put limitations on what applications can run on the device (if an app is not listed, it won't run – and that would prevent hacker tools such as key loggers from infecting the device), said Viega.

Step three, said Brill, is fully understanding how any kiosks interface with the institution's network – and “taking steps to defend the network.”

Step four is acknowledging that kiosks are fast vaulting up the list of temptations for cyber crooks and that means that security needs to be built in from the start. Do that, said Brill, and institutions just may continue to get the benefits they want from kiosks while also containing the risks.
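
Steps one and two above both come down to default-deny rules. The sketch below shows the two checks as an added example, not code from the article or from any vendor named in it; the host names, the HTTPS-only and port restrictions, and the stand-in binary are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample policy: hypothetical hosts a lobby kiosk may load.
ALLOWED_HOSTS = {"www.creditunion.example", "apply.creditunion.example"}
ALLOWED_SCHEMES = {"https"}  # assumption: no http:, file: or javascript: URLs


def url_permitted(url: str) -> bool:
    """Step one: deny every URL whose exact host is not on the list."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if port not in (None, 443):
        return False
    # Compare the parsed host exactly. Substring or suffix matching on the
    # raw URL would accept look-alike hosts and "user@host" forms.
    return host in ALLOWED_HOSTS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the one binary the kiosk is meant to run.
KIOSK_APP = b"constructed stand-in for the kiosk front-end binary"
ALLOWED_APP_HASHES = {sha256_hex(KIOSK_APP)}


def app_permitted(binary: bytes) -> bool:
    """Step two: run only binaries whose content hash is listed.

    Matching on content rather than file name means an unlisted program
    is refused whatever it is called on disk.
    """
    return sha256_hex(binary) in ALLOWED_APP_HASHES


if __name__ == "__main__":
    for u in ("https://www.creditunion.example/hours",
              "https://www.creditunion.example.other.test/",
              "file:///C:/Windows/System32/cmd.exe"):
        print(("ALLOW" if url_permitted(u) else "DENY "), u)
```
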


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.