Keeping Hackers Out: Simple Steps For Safeguarding Customer Data

Network systems attackers, as well as less-dangerous (though still nefarious) hackers, never rest in their ongoing quest to compromise franchise computer systems and capture a share of the billion-dollar bounty of stolen credit card data. When the final 2010 figures are tallied, the FBI expects that organized crime worldwide will net more illicit money from Internet fraud than from illegal narcotics trafficking.

Attackers' methodologies continue to evolve and grow more sophisticated. Franchises must do likewise to stay a step ahead and protect customers' personal information and their own hard-earned business reputations, indeed their very livelihoods.

Some quick definitions: "Attackers" break into franchise computer systems with specific criminal intent to steal and defraud, whereas "hackers" often do so for the challenge, the notoriety, or the thrill of the chase. Hackers can inflict costly system damage and inconvenience, as serious as system shutdowns, but this can pale in comparison to the damage from system attackers. An attacker's intrusion, if undetected, can inflict irreparable damage to franchise operations.

Their current "best practice" and number-one method to gain access to a franchise system (and ultimately to customer credit card data) is to compromise a vulnerable remote access application, such as one that allows owners and managers to log into a work computer from home or elsewhere.

Attackers increasingly target franchises that use remote access because, if they are successful, it allows them to completely bypass firewalls. The foremost vulnerability with remote access is not the technology itself, but rather how the remote access is configured. Merely requiring a user name and password allows an attacker to enter your network by breaking only a single level of security, and there is a plethora of tools available to help him. His job is made even easier when system administrators choose weak passwords (like "password"). Once he's gained network access, the attacker has the "keys to the kingdom," and is free to install a suite of malware designed to harvest customer credit card data and export it to his system.
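The password-only remote access described above leaves a tell-tale trail: a burst of failed logins from one source followed by a success. The detector below is an added example, not code from the article or from SecurityMetrics; the log format, the threshold and window, and the sample log lines are all constructed assumptions.

```python
"""Flag password-guessing against a remote-access login (added example).

Assumed record format (constructed, not from the article):
"<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers a password-only manager account
# and eventually gets in; a second user simply mistypes once.
SAMPLE_LOG = """\
2010-11-03T02:14:01 LOGIN_FAIL user=manager src=203.0.113.7
2010-11-03T02:14:03 LOGIN_FAIL user=manager src=203.0.113.7
2010-11-03T02:14:05 LOGIN_FAIL user=manager src=203.0.113.7
2010-11-03T02:14:06 LOGIN_FAIL user=manager src=203.0.113.7
2010-11-03T02:14:08 LOGIN_FAIL user=manager src=203.0.113.7
2010-11-03T02:14:10 LOGIN_FAIL user=manager src=203.0.113.7
2010-11-03T02:14:12 LOGIN_OK user=manager src=203.0.113.7
2010-11-03T08:02:40 LOGIN_FAIL user=owner src=198.51.100.9
2010-11-03T08:02:55 LOGIN_OK user=owner src=198.51.100.9
"""

FAIL_THRESHOLD = 5            # assumed: failures per (source, user) that trigger an alert
WINDOW = timedelta(minutes=10)  # assumed: only failures this recent count

def parse(line):
    """Split one record into (timestamp, result, user, source ip)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def find_guessing(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {(src, user): {"failures": n, "succeeded": bool}} for each
    source/user pair that crossed the failure threshold inside the window.
    "succeeded" is True when a LOGIN_OK follows the burst: the single
    factor was broken and the account needs an immediate credential reset."""
    fails = defaultdict(list)   # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        key = (src, user)
        recent = [t for t in fails[key] if ts - t <= window]  # drop stale failures
        if result == "LOGIN_FAIL":
            recent.append(ts)
            if len(recent) >= threshold:
                alerts[key] = {"failures": len(recent), "succeeded": False}
        elif key in alerts:
            alerts[key]["succeeded"] = True  # burst followed by a successful login
        fails[key] = recent
    return alerts

if __name__ == "__main__":
    for (src, user), info in find_guessing(SAMPLE_LOG).items():
        print(f"ALERT src={src} user={user} {info}")
```

A single mistyped password, as with the second user, never reaches the threshold, so the detector only fires on the sustained guessing pattern.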

Attackers' tools of the trade

Once inside a franchise network, attackers employ a variety of tools. Keyloggers, originally created for such legitimate purposes as helping employers and parents track workers' or children's correspondence and Internet usage, are a perfect attacker tool, used to capture all keystrokes and credit card data as cards are swiped at a terminal. Antivirus software developers only recently began to flag keyloggers as potentially malicious, so the attackers' honeymoon with keyloggers may be nearing its end.

Not so with another of their favorites, memory scrapers (or memory dumpers). These pose grave danger not only because they typically go undetected by antivirus programs, but also because they can capture customer credit card data before it reaches the encrypting protection of a secure credit card payment application.

Attackers will stop at nothing to gain access to customer credit card information. As IT personnel become more adept at detecting traditional attack methods, attacker techniques morph. Recently attackers of POS systems have employed strategies typically reserved for web-based attacks (injecting malicious code into a system's kernel32.dll and user32.dll files, enabling it to seek out credit card data and funnel this information directly to attackers' systems). Not only are antivirus programs ineffective against this approach, locating and removing such malicious code requires above-average IT skills.

Apart from inconveniencing and potentially damaging customers' credit (not to mention business reputations and goodwill), the consequences of insufficient or lax system security also hit franchises squarely in the pocketbook.

How to avoid the high costs of lax security

For starters, Payment Card Industry (PCI) forensic investigations into suspected breaches average around $15,000 per franchise location. Credit card companies may hold merchants responsible beginning at $5,000 per location breached, and card issuers similarly seek reimbursement. In one instance, a small franchisee was charged $110,000 in reimbursement for fraud costs. Add to these the not-so-"soft" costs of damaged reputations from media reports stemming from consumer complaints, and the impact on franchises can be staggering, even fatal.

While there is no "silver bullet" that insulates a franchise from all attacks, adherence to the mandatory Payment Card Industry Data Security Standard (PCI DSS) is the best place to start. Strict compliance with this framework will help plug security holes that allow criminals to pocket your customers' card data. A good place to begin is by examining the security of your remote access. Remote access should always require "two-factor authentication." In addition to a user name and password, two-factor authentication requires an additional step, such as physically calling a manager on-site to be granted remote system access. This is among the best "second factors." Another good second factor could require matching of Media Access Control (MAC) addresses between the remote and onsite systems.

Another simple, yet important security tip is to close Virtual Private Network (VPN) tunnels when they're not in use. Attackers can try to hack into the VPN only when it is open, so reduce their potential window by closing the VPN when not in use.

The use of wireless technology for payment applications presents another possible vulnerability that just isn't worth the risk. Even wireless encryption that is considered secure by today's standards may be compromised tomorrow.

These suggestions are far from a security panacea. Rather, they are simple starting points. Franchises do what they do best, whether operating restaurants, hotels, or stores. They're usually not IT security experts, but IT security must be on their radar screen. Being PCI DSS-compliant and taking relatively simple steps can go a long way toward successfully fending off Internet attackers.

David Ellis, CISSP, QSA, PFI, is director of forensic investigations for SecurityMetrics, a leading provider of Payment Card Industry Data Security Standard security solutions. Contact him at 801-724-9600 or visit www.securitymetrics.com.
