Hackers up the ante for small-business data security
By Elaine Pofeldt | Published: March 14, 2013
It's getting a lot trickier for small-business owners to keep customers' credit card information safe from criminals. Still, there are steps you can take. They're not free, but if you consider the damage a security breach can inflict on your business, they're usually a worthwhile investment.
You need look no further than the headlines to see how widespread data security problems have become. In the autumn of 2012, thieves reportedly hacked the point-of-sale systems at 63 Barnes & Noble stores in nine states, leading to an FBI investigation. The bookseller turned off all 7,000 keypads in its stores and found that only one keypad in each store had been hacked. Nevertheless, the company removed all 7,000 of them.
Not long after that, the Israel-based firm Seculert identified a type of malware called Dexter, which steals customer data from retailers' POS systems. It hit checkouts in 40 countries, with hotels, shops, restaurants and parking providers all affected, according to Seculert.
Small business = big target
Although big business might seem like the most lucrative target for fraudsters, small companies are particularly vulnerable, say experts. Often, owners are so busy running day-to-day operations that they skimp on security measures -- until it's too late.
"They tend to think security and data breaches are not their problem, because they're too small," says Julie Conroy, director of research at Aite Group, a Boston-based research and advisory firm. "What we've seen is that the organized criminal rings are focused very heavily on the smaller merchants," she says.
Verizon's 2012 Data Breach Investigations Report, which covered 2011, found that there were 174 million compromised records around the globe, the second highest total since the report was launched in 2004 -- after hitting a record low of just 4 million in 2010. Verizon bases the report on the results of paid forensic investigations it has done into various types of hacking, including attacks involving POS systems.
The report attributed the increase in data theft to civil unrest in the US and abroad, which has led to "hacktivism" aimed at embarrassing corporate victims. It also cited criminals' growing tendency to automate high-volume attacks against weaker targets.
Cost of crime
The price of being victimized can be high. LexisNexis Risk Solutions found in its 2012 "True Cost of Fraud" study that one-third of consumers will change where they shop if they have been victimized in a fraudulent retail transaction. Merchants now pay $2.70 in lost and stolen merchandise for every $1 of fraud -- up from $2.30 in 2011. For small merchants, the costs are steeper: $3.10 for every $1, up from $2.70 in 2011.
Typically, says Conroy, card-issuing banks spot fraud after noticing a pattern of consumers calling about charges they did not make and detecting that they had all patronized a particular business. However, spotting such a fraud can take a while at a small business that doesn't do a high volume of credit card transactions -- a reality that criminals recognize and exploit by racking up fraudulent charges quickly. "They will hit hard and they will hit fast," says Conroy.
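The pattern Conroy describes, issuers working back from a cluster of fraud complaints to the one merchant all of the cardholders used, is known as common-point-of-purchase analysis. The following is an added example modelling it; it is not code from the article or from Aite Group. Every card, merchant and date is constructed, and the thresholds are illustrative assumptions.

```python
"""Common-point-of-purchase (CPP) analysis over constructed issuer data.

Added example, not from the article or any issuer's systems. Card identifiers,
merchants, dates and thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2013, 3, 1)                       # the day the analysis runs (assumed)
CARDS = [f"C{n:02d}" for n in range(1, 21)]    # 20 constructed card identifiers
FRAUD_CARDS = {"C01", "C02", "C03", "C04"}     # holders who reported charges they did not make

# Constructed history as (card, merchant, transaction date).
TRANSACTIONS = (
    [(c, "BigBox", date(2013, 1, 15)) for c in CARDS]                  # everyone shops here
    + [(c, "CornerCafe", date(2013, 2, 3)) for c in ("C01", "C02", "C03", "C04", "C05")]
    + [(c, "GasStation", date(2013, 2, 10)) for c in ("C01", "C10", "C11")]
    + [(c, "OldShop", date(2012, 10, 15)) for c in ("C01", "C02", "C03", "C04")]  # before the window
)


def common_point_of_purchase(transactions, fraud_cards, as_of, window_days=90,
                             min_support=3, min_lift=3.0):
    """Rank merchants by how over-represented they are among reported cards.

    support: number of reported cards that transacted at the merchant in the window.
    lift:    (share of reported cards seen at the merchant) /
             (share of all active cards seen at the merchant).
    A store every cardholder visits has lift near 1.0 however many victims shopped
    there; a small merchant that nearly every victim used and few others did has a
    high lift. min_support stops one coincidental match from being flagged, which is
    also why a low-volume merchant takes longer to surface.
    Returns [(merchant, support, lift)] sorted by lift, then support, descending.
    """
    if not fraud_cards:
        return []
    cutoff = as_of - timedelta(days=window_days)
    cards_at = defaultdict(set)   # merchant -> set of cards seen there in the window
    active_cards = set()          # every card with at least one in-window transaction
    for card, merchant, when in transactions:
        if cutoff <= when <= as_of:
            cards_at[merchant].add(card)
            active_cards.add(card)
    if not active_cards:
        return []

    flagged = []
    for merchant, cards in cards_at.items():
        support = len(cards & fraud_cards)
        if support < min_support:
            continue
        victim_share = support / len(fraud_cards)
        base_share = len(cards) / len(active_cards)
        lift = victim_share / base_share
        if lift >= min_lift:
            flagged.append((merchant, support, lift))
    flagged.sort(key=lambda row: (row[2], row[1]), reverse=True)
    return flagged


if __name__ == "__main__":
    for merchant, support, lift in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, AS_OF):
        print(f"{merchant}: {support} reported cards, lift {lift:.1f}")
```

With the constructed data only CornerCafe is flagged: all four reported cards used it, only one other card did, so its lift is 4.0. BigBox was used by all four victims too, but by every other cardholder as well, so its lift is 1.0 and it is correctly ignored. The minimum-support threshold is the issuer-side reason a small merchant with few card transactions can leak data for a while before anyone notices, which is the window Conroy says criminals exploit.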
If the bank ultimately traces a breach to a merchant's failure to comply with the Payment Card Industry Data Security Standard (PCI DSS), the card brands' rules for protecting cardholder data wherever it is stored, processed or transmitted, the merchant can be fined as issuers pass along their losses, she says.
"Sometimes, these fines can put them out of business," says Conroy. "For a small breach, it will be in the hundreds of thousands of dollars. For a big breach, it will be in the millions." Some larger breaches have resulted in criminals penetrating the POS system of multiple stores with the same ownership, magnifying the losses, she notes.
Fortunately, there is a lot merchants can do to protect themselves from common types of fraud, such as theft of customer information through POS malware. Verizon's report notes that most of the breaches it covered were preventable.
At the most basic level, retailers who hire an integrator to install their POS system should make sure the installer changes the default password. It should be something unique, not the stock password the installer uses with all of his customers, says Chris Pogue, director of incident response at Trustwave's SpiderLabs, a Chicago-based ethical hacking firm that helps clients avoid criminal attacks. "The easiest way to do that is change your password," he says.
Other key steps, according to a white paper from Trustwave, are moving remote administration tools such as LogMeIn, which the vendor who services the network relies on, off their default port, and using a firewall to restrict who can reach the network at all. Leaving that vendor access disabled, and requiring the vendor to ask for it when a service visit is needed, also prevents breaches that become possible when access is left open around the clock, says Trustwave.
Security as deterrent
Determined hackers may be able to get around passwords, but many won't bother. "The attackers are smart," says Pogue. "They have quotas just like anyone else does. They have to compromise a certain number of systems. If they've got to fiddle and futz around with yours and the guy next door isn't doing anything, they're going to leave you alone and go to the guy next door."
For many merchants, the most cost-effective preventive measure is using the POS security system that their card issuer offers, says Conroy. Some, like Visa, offer end-to-end encryption, which encrypts customers' data during a swipe and decrypts it at its destination. It's often possible to pay a small monthly fee to add this service to an account, says Conroy.
It's also important for merchants to keep their POS software up to date, says Jerry Irvine, chief information officer of Schaumburg, Ill.-based consultancy Prescient Solutions, and member of the National Cyber Security Task Force. "[Updates and patches] are things that companies put out to keep viruses and hacking from occurring," he says. While many retailers like the convenience of wireless networks, it's best to avoid using them to connect a POS system if you can, Irvine advises.
Retailers who use a PC-based terminal should avoid using it for email, which can carry malware. Likewise, make sure that employees do not use it to surf the web, say experts. "Separate it from the computers used in the store," says Walter Pearce, principal security researcher at the cyber security firm Casaba in Redmond, Wash. He says it should be secured 24/7.
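The firewall advice above (restrict access, move the remote-admin tool off its default port, open vendor access only on request) and the rule that the terminal is never used for email or web browsing can be expressed as one enforceable policy. The script below is an added example, not from the article, Trustwave or any POS vendor: a POSIX shell script that generates an nftables ruleset for a Linux-based PC terminal. The vendor address, admin port, processor hosts and DNS/NTP servers are placeholder assumptions; the script only prints the ruleset so it can be reviewed before being fed to nft -f.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a PC-based POS terminal.
# Assumed placeholders (not from the article): vendor 203.0.113.10, remote-admin
# port 2222, processor hosts 192.0.2.20/21, DNS 192.0.2.53, NTP 192.0.2.123.
# Review, then apply:   sh pos_fw.sh off | nft -f -    (vendor access closed, the default)
#                       sh pos_fw.sh on  | nft -f -    (vendor service window open)

VENDOR_IP="${VENDOR_IP:-203.0.113.10}"          # only source allowed to reach remote admin
ADMIN_PORT="${ADMIN_PORT:-2222}"                # remote-admin tool moved off its default port
PROCESSOR_HOSTS="${PROCESSOR_HOSTS:-192.0.2.20 192.0.2.21}"   # payment processor endpoints
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"

# build_ruleset on|off  -> prints a complete nftables ruleset on stdout.
# "off" leaves no inbound listener reachable at all; "on" adds the single
# vendor rule for the duration of a service window.
build_ruleset() {
    mode="${1:-off}"
    printf 'flush ruleset\n'
    printf 'table inet pos {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    if [ "$mode" = "on" ]; then
        # Vendor window: remote admin reachable only from the vendor's address.
        printf '    ip saddr %s tcp dport %s ct state new accept\n' "$VENDOR_IP" "$ADMIN_PORT"
    fi
    printf '  }\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    printf '    oif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    ip daddr %s udp dport 53 accept\n' "$DNS_SERVER"
    printf '    ip daddr %s udp dport 123 accept\n' "$NTP_SERVER"
    for host in $PROCESSOR_HOSTS; do
        # Only the processor over TLS: no general web, no mail, nothing else leaves.
        printf '    ip daddr %s tcp dport 443 accept\n' "$host"
    done
    printf '  }\n'
    printf '}\n'
}

# accept_rule_count on|off -> number of accept rules, a quick sanity check
# that nothing unexpected crept into the policy.
accept_rule_count() {
    build_ruleset "$1" | grep -c ' accept$'
}

case "${1:-}" in
    on|off) build_ruleset "$1" ;;
    "")     ;;
    *)      echo "usage: $0 on|off" >&2; exit 2 ;;
esac
```

Because both chains default to drop, an employee opening a browser or mail client on the terminal simply gets no connection, and a remote attacker scanning for the admin tool finds nothing listening unless a vendor window has been opened from the vendor's own address. Closing the window again is just re-applying the "off" ruleset.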
It's also important to make sure that devices haven't been inserted into card readers to steal customer information. You can feel for the devices yourself or have a trusted worker do it. "Have your employees put their hand in the part you put your credit card in," advises Irvine. "Does it have any extra plastic?" Often, it's a good idea to sign up for a service contract from your POS system vendor so that someone who is knowledgeable about swiping devices can inspect them regularly, says Pearce.
Stores with self-checkout stations can be especially vulnerable because cashiers may not be keeping an eye on them. In 2011, more than 20 Lucky stores in California were victimized in a skimming scheme in which devices were inserted into self-checkout stations. At the time, the chain announced that the devices grabbed information from both customers and employees and that money had been stolen from some of their accounts, according to published reports.
The enemy within
The most basic security begins with the people you think you know. Make sure that cashiers scan cards in the presence of customers, so that rogue employees can't surreptitiously scan cards on their own devices and steal the data, Irvine adds. "Internal theft and hacking is always the most prevalent," he says.
To prevent breaches, Pearce recommends using security cameras to monitor computers and other devices in a POS system -- particularly after hours. An unscrupulous janitor who has access to the premises when no one is around might otherwise be able to add a device to a credit card terminal undetected, he notes.
Some criminals have gotten so bold that they have impersonated computer service teams to enter stores in broad daylight. It's important to ask questions if repair personnel you don't know make an unexpected visit, notes Conroy. "Employees need to be aware of people who come into their store to service their machines," she says. "They need to be asking for credentials." That may seem extreme but given the potential cost of fraud, experts say steps like this are well worth it.