Last week’s bust of a gang of credit card thieves by the Australian Federal Police is a warning to businesses on the need to take computer security seriously.
In Australia a Romanian crime gang targeted small retail businesses’ computer system and stole customers’ credit card details. They would then use the data to create fake credit cards.
A year ago US Authorities broke up a similar gang who had targeted Subway computer franchises which netted the gang over $10 million before they were caught.
In both cases the gangs used remote access software that was included with their victim’s Point Of Sale (POS) equipment. Once logged into the target’s computers, the bad guys were able to install key logging and monitoring software so they could steal credit card details as they were entered into the system.
There’s a number of lessons in both the Australian and US experiences for big and small business on securing systems safely.
Use secure passwords
It’s almost boring to say this, but you need strong passwords for your systems and networks. Make sure you change all default passwords on the systems so they aren’t easily guessed or broken into.
Secure your systems
The Subway hack happened because of sloppy security, you can harden your systems by following good practices such as updating your systems, having malware protection and proper access policies.
Both the Australian and US incidents happened on Windows computers. The crooks were able to get into the computers and then install software because the victims were running in Administrator mode which allows anybody on the computer to control the system.
Daily use should be in limited user mode which stops people from installing software or changing system settings andAdministrator accounts should only be used for system maintenance and have very strong passwords which are different to the normal limited user profile.
Turn off remote access
Another common factor in the US and Australian incidents is the use of remote access software so technicians can check things and managers can login in from home and other sites.
Unless these are properly set up they are a serious security risk. Unless you or your supplier knows exactly what they are doing, these can open a door from the public Internet straight into your system.
Do not use them unless you are 100% confident in yours, or your suppliers’, ability to run these properly.
Comply with standards
Another factor in these incidents is that systems haven’t complied with the PCI-DSS security standards for card payments. Again if you don’t understand these – and they are complex – find a POS vendor or payments processor who does.
Basically, the standard requires that customers’ card details are not stored on your systems and that devices for processing payments are kept separate from other equipment in your shop or office. Following these basic rules would avoid many of the problems.
Consider cloud services
Many of the problems businesses confront with security is because they don’t have the skills or resources to deal with the ever evolving security threats.
Moving POS systems and other business critical functions onto cloud services addresses many of these issues so it is worthwhile considering ditching expensive, unreliable and sometimes insecure server or desktop based systems and move to cloud services that use tablet computers or smartphones.
Whichever choice you make, it’s important to be engaging suppliers and consultants you can trust because if your customers can’t trust you with their details, then you are out of business.