CrossCheck Blog

Check Processing & Payments Information

Data Security Threats: Learning from Big Box Retailers - Part 2

Posted by Tom Lombardo | Wed, Oct 08, 2014 @ 10:00 AM

When two Canadian teenagers surfing the Internet found the manual for the ATM their bank had stationed at their local mall, they decided to see if they could hack into it. Following the manual’s instructions while standing at the ATM in the mall (on their lunch break from school, no less), they were able to launch the login for “operator mode” and promptly discovered that the bank had never changed the default password, which was conveniently printed in the manual.

After gaining access the boys realized, fortunately, that they were in dangerous territory, so rather than steal anything they logged out and reported their discovery to the bank’s management, who laughed at them and dismissed their claim as impossible.

So the boys logged into the ATM again and changed its welcome message: “Go away. This ATM has been hacked.”

That got the bank’s attention.

And that explains the main reason why cybercrime costs U.S. businesses as much as $575 billion a year: despite overwhelming evidence and a few spectacular instances of proof, most businesses cling to a deep state of denial regarding the threat.

Because of recent changes in the world of cybercrime – changes that experts expect to gain force in the coming years – small and midsize business owners and managers who neglect to actively protect themselves stand to lose the most.

Corporate Speed vs. Hacker Speed

After the breach of Target’s POS payment systems discussed in Part 1, Home Depot, the fourth largest retailer in the nation, leaped into action to learn from what had happened to the second largest.

Target fired their CEO and their CTO after their breach, and certainly Home Depot’s executives wanted to take a speedy and competent course of action to protect themselves as well as their business, their stockholders and their customers.

The Target breach became public knowledge in December of 2013 and by January 2014 Home Depot had a plan to protect itself. By April they had hired a security company to implement the plan and by September they had installed it at almost one quarter of their stores.

But it didn’t matter. The hackers were ahead of them, and a specially modified version of the same malware that breached Target hit Home Depot at some point over the summer. So rather than regale their stockholders with third quarter braggadocio about their swift response to a cyber threat, they had to report that credit card data from 1,700 of their 2,200 stores in the U.S., and 112 in Canada, had been compromised.

“You are always responding,” one expert lamented. “You never can catch up…”

How to Worry Too Much

In our hyper-litigious society many business people often jump from the crime to the liability in order to evaluate risk. And most businesses reach the dangerous and erroneous conclusion that their risk is mitigated because they are not liable in the case of a breach.

In fact most general insurance policies, including errors & omissions, do not cover cyber attacks. Cyber security policies exist but they don’t come cheap: a million dollar policy for an auto dealer might cost $33,000 a year. Dealing with a breach can cost a lot more than a million dollars, however, because as soon as you’re hit you’re also ensnared in a complex legal and regulatory quagmire.

You’ll need to hire specialty law firms, forensic accountants and white-hat cyber security experts in order to comply with a labyrinth of Federal and State requirements for alerting the people who were impacted and proving that you have patched your system.

The entire time you’re doing that you probably won’t be able to accept credit cards, because the processing companies won’t approve you again until after you’re finished. According to an IBM-sponsored study, companies with 100 employees or fewer generally lose $3.5 million when dealing with a hacker attack.

The worst attacks are caused by insiders, but you’ll only know it was an inside job if the perpetrator is caught. As you recall, the biggest challenge for the Target and Home Depot hackers was to get their malware into the POS system in the first place, since each company’s internal networks were already hyper-secure. When employees install malware on purpose and then try to extort money from the owners, it’s called “ransomware,” and it’s a serious problem.

Now It’s Your Turn

The IBM report described a frightening trend in cybercrime: attacking smaller businesses, settling for fewer records per crime, and aggregating them together for sale.

If you’re in the crosshairs, there are a number of things you can do to protect yourself, and as always the simplest and most straightforward protections have the biggest impact.

Cybercriminals will study Target, Home Depot or JPMorgan Chase for however long it takes to find weaknesses because they can obtain so many records all at one time. But since large targets like those continue to become harder and harder to breach, hackers now look for softer targets which are also, inevitably, smaller.

You can use that to your advantage. In order for criminals to obtain a salable number of records, they need to attack a large number of smaller companies. In order to do that in a timely fashion, they find the businesses that are easiest to hack and hit them.

How to Dodge a Virtual Bullet

If that’s their modus operandi, which bank do you think will be faster to steal from: the one that changed the default password on its ATM machines, or the one still using the password printed in the manual?

Sometimes it’s that simple. Which corporate network will be easier to hack: the one where remote workers follow strict procedures to prevent phishing, where they are required to reset their passwords often and where their connection times out after a short interval of inactivity; or the one where the IT department (colloquially known as “the guy with a ponytail”) isn’t really sure if the vacationing CEO is logged in or not? You can see the cost-effectiveness of simply using features that are probably already built into your network’s operating system.

And you can confront internal threats with simple, no-cost policies as well. Set up your servers to automatically email complete server logs to your own personal, non-corporate account at least once a day. You don’t need to know what they mean; your IT department needs only to know that you have them, because with them law enforcement will be able to learn a great deal about any cyber crime committed against you, perhaps even enough to convict a would-be ransomware criminal.
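One way to put the daily off-site log copy described above into practice, as an added example rather than anything from CrossCheck or the original post: a POSIX shell script that snapshots a log directory into a dated archive with a SHA-256 manifest, so the copy that leaves the corporate network can later be shown to be unaltered. The log directory, output directory, the `RECIPIENT` address and the `mail -a` attachment flag (bsd-mailx / heirloom mailx syntax) are assumptions to adapt to your own system.

```shell
#!/bin/sh
# Added example (not the blog's or any vendor's code): snapshot server logs
# into a dated, hash-manifested archive so a copy can be mailed off the
# corporate network once a day. Paths and the recipient are assumptions.
set -eu

# Build a gzipped tarball of LOGDIR in OUTDIR plus a SHA-256 manifest next
# to it. Prints the archive path so cron (or a mail step) can pick it up.
snapshot_logs() {
    logdir=$1
    outdir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$outdir/logs-$(uname -n)-$stamp.tar.gz"
    mkdir -p "$outdir"
    # -C keeps absolute paths out of the archive; the file list stays readable.
    tar -czf "$archive" -C "$logdir" .
    # The manifest lets whoever holds the off-site copy prove it was not altered.
    (cd "$outdir" && sha256sum "$(basename "$archive")" > "$archive.sha256")
    printf '%s\n' "$archive"
}

# Check an archive against its manifest; exit status 0 means it matches.
verify_snapshot() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256")
}

# Daily driver for cron, e.g. "0 2 * * * /usr/local/bin/ship_logs.sh":
# snapshot, verify, then mail the archive to an account outside the company.
# RECIPIENT is a placeholder; the attachment flag differs between mail
# implementations, so adjust "-a" to match yours.
ship_logs() {
    archive=$(snapshot_logs "${1:-/var/log}" "${2:-/var/backups/logship}")
    verify_snapshot "$archive"
    if command -v mail >/dev/null 2>&1; then
        echo "Log snapshot $(basename "$archive")" |
            mail -s "Daily server logs $(uname -n)" -a "$archive" "${RECIPIENT:-owner@example.net}"
    fi
}
```

Server logs carry customer and credential data, so encrypt the archive (for example with gpg to the recipient's key) before it leaves the network, and keep the manifest in a separate message so a tampered copy cannot simply be re-hashed.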

For the foreseeable future there will be plenty of companies in that 100 to 250-employee range with lax or non-existent security precautions, and hackers will focus on them. Their product – stolen credit card data that has not yet been reported stolen – has a short shelf-life, so if you demonstrate that hacking your company will take time and effort, then most hackers will skip over you and move on to an easier target.

What’s Next Now

Longer term solutions are on the way. Europe and Asia have already adopted “chip and PIN” cards, which have a small computer chip embedded in them. The chip sends encrypted information to the POS terminal, eliminating the moment of vulnerability BlackPOS targeted, and a human-entered PIN (encrypted as it is entered) authorizes the payment. Apple’s new Apple Pay wallet works only if your thumbprint is on the start button, and it doesn’t even give the POS terminal payment information; it transmits an encrypted code unique to that single transaction, so stealing it is pointless.

Since solutions such as these won’t be implemented in significant numbers for years, you still face a catastrophe like the one hitting Neiman Marcus, Supervalu and others right now. Keep in mind that those companies, as well as Home Depot and Target, all passed the compliance checks required by their credit card processors, so being in compliance may not be enough to protect you.

No payment method can be foolproof as long as criminal nature is part of human nature. Even checks, which are one of the most secure forms of payment a business can accept, invite fraud. The signature is what makes them so secure – there’s no question that the customer intends to make the payment he wrote down and signed – and modifying the routing and account number printed along the bottom is what makes them interesting to criminals.

If credit card payment security breaches continue to hamstring major U.S. businesses, and if Americans’ unease with the collection of their personal financial information continues to grow, you may find more and more people pulling out their checkbooks.

In fact, accepting checks may be the only way you can capture business from people who are worried about cyber crime. When a couple of kids can compromise a bank and when multinational corporations can’t keep their payment processes secure, checks make plenty of sense. Find out how to make sure every one you accept becomes a guaranteed part of your cash flow.

See also: Data Security Threats: Learning from Big Box Retailers - Part 1

Topics: Retail

Written by Tom Lombardo