Last week’s bust of a gang of credit card thieves by the Australian Federal Police was a warning to businesses on the need to take computer security seriously.
In Australia, a Romanian crime gang targeted small retail businesses’ computer systems and stole customers’ credit card details. They then used the data to create fake credit cards.
A year ago, US authorities broke up a similar gang who had targeted Subway computer franchises. The gang had netted over $10 million before they were caught.
In both cases, the gangs used remote access software that was included with their victim’s Point Of Sale (POS) equipment. Once logged into the target’s computers, the bad guys were able to install key logging and monitoring software so they could steal credit card details as they were entered into the system.
There are a number of lessons from both the Australian and US experiences for business on securing systems safely:
Use secure passwords
It’s almost boring to say this, but you need strong passwords for your systems and networks. Make sure you change all default passwords on the systems so they aren’t easily guessed or broken into.
Secure your systems
The Subway hack happened because of sloppy security. You can harden your systems by following good practices such as updating your systems, having malware protection and proper access policies.
Both the Australian and US incidents happened on Windows computers. The crooks were able to get into the computers and then install software because the victims were running in administrator mode, which allows anybody on the computer to control the system.
Daily use should be in limited user mode, which stops people from installing software or changing system settings. Administrator accounts should only be used for system maintenance. Administrator accounts should also have very strong passwords, which are different to the normal limited user profile.
Turn off remote access
Another common factor in the US and Australian incidents is the use of remote access software, which allows technicians and managers to login in remotely.
Unless these are properly set up, they pose a serious security risk. Unless you or your supplier knows exactly what they are doing, these can open a door from the public Internet straight into your system.
Do not use them unless you are 100% confident in your (or your suppliers’) ability to run these properly.
Comply with standards
Another factor in these incidents is that systems haven’t complied with the PCI-DSS security standards for card payments. Again, if you don’t understand these – and they are complex – find a POS vendor or payments processor who does.
Basically, the standard requires that customers’ card details are not stored on your systems and that devices for processing payments are kept separate from other equipment in your shop or office. Following these basic rules would avoid many of the problems.
Consider cloud services
Many of the problems businesses confront with security is because they don’t have the skills or resources to deal with the ever evolving security threats.
Moving POS systems and other business critical functions onto cloud services addresses many of these issues. It is worthwhile considering ditching expensive, unreliable and sometimes insecure server- or desktop-based systems, in order to move to cloud services that use tablet computers or smartphones.
Whichever choice you make, it’s important to be engaging suppliers and consultants you can trust because if your customers can’t trust you with their details, then you are out of business.