Your Company is a Target for Hackers

In fact, small stores and companies are low-hanging fruit that cyber criminals and credit-card thieves love to target

(page 1 of 3)

Illustration: thinkstock.com

It was business as usual as the restaurant’s small staff prepared for the lunchtime crowd.

The kitchen was scrubbed, the floor immaculate, and the equipment and fresh ingredients ready. Just the same as every day since the restaurant’s opening seven years earlier in East Oahu.

Then the call came. “A man from a credit card company told me that my business computer had probably been breached,” recalls the owner. “I practically hung up on him thinking it was a prank.”  

He dropped everything and contacted “the computer guy” – an outside IT specialist who worked on the restaurant’s computer once in a blue moon. “I wanted him to investigate and was confident that this was some sort of mistake. I was wrong.”

Hackers had infiltrated the restaurant’s computer. Over about a month, they stole hundreds of customers’ credit card numbers, which were then sold to criminals on underground websites. The buyers then created fake credit cards using the stolen numbers and made fraudulent purchases as far away as Canada.  

The restaurant was a victim of carding, a complex scheme that can scorch businesses in multiple ways, from back-office security data breaches to front-store fraudulent purchases.  

If not for the call, the abuse of the restaurant’s credit card numbers would have gone on indefinitely, says the restaurant owner, who spoke on condition of anonymity out of fear of being targeted again.  

“I still can’t believe that this happened. We are a small shop, why would a hacker want anything to do with us? How did they even detect us?”  

“It was a false sense of security,” says Edward Arias, supervisory special agent for the FBI in Honolulu. The reality is that every business – from small mom-and-pop stores to multibillion-dollar retail behemoths – has a bull’s-eye on its back. “Unfortunately, there are a lot of local businesses who don’t think this can happen to them, until it does,” he says. Small businesses are often targeted because they are less likely to reduce their risk with enhanced IT security, strongly written and enforced digital policies, and employee training, says Sheri Sakamoto, president of the Retail Merchants of Hawaii. “They have limited resources and are not as aware of these issues,” she says.  

Sakamoto says there are more than 17,000 retail entities in Hawaii – 80 percent of them small. “Too many of them are not taking this threat seriously,” she notes.

The fallout from carding crimes can be catastrophic. Data security breaches, for example, will cost a business $188,000 on average, according to Beau Monday, information security officer at Hawaiian Telecom. That’s enough to put many companies out of business.

In retailing, business owners pay an average of $78 in penalties for each stolen record. The costs are even higher on average for healthcare and financial companies: $233 and $215 per stolen record, respectively.  And those figures only cover the sanctions and fees imposed by banks and credit card companies – not the actual losses from fraudulent acquisitions. The restaurant owner described above would not reveal the losses he suffered from his breach, but the restaurant is still in business.

Target, which had some 40 million credit card numbers and 70 million pieces of sensitive costumer information stolen, including addresses and phone numbers, could be hit with billions of dollars in sanctions.

“We are talking about some serious financial damages,” Monday says. “Big businesses have insurance and other means to cope, but many small businesses work on a limited cash basis and could find themselves in real trouble.”  

Some 60 percent of businesses hit by data breaches file for bankruptcy within six months, he says.

Hawaii is no stranger to these crimes. The local victims include Target, Neiman Marcus, Chanel, Louis Vuitton, Roy’s Restaurant and many others.   

Instead of being paralyzed by fear, businesses should take action, the FBI’s Arias says. “What they need to do is be aware and to proactively manage their risk because sticking their heads in the sand is not going to make them safe,” he says.

Taking Stock

Honolulu Police Department‘s Lieutenant John McCarthy anticipates a spike in carding crimes if businesses continue to use outdated Windows XP software.

Photo: David Croxford

On March 17, Bob Stout, president of Times Supermarkets, flew to California to drum up funding from his parent company to buy new payment terminals that handle chip and pin credit cards – “smart cards” that are less susceptible to fraud.

He anticipates the ballpark tab will be in six figures, but he’s willing to pay that price. “Security is one of the most important aspects of running our business,” he says. “We see it as an investment.”  

Stout carves out time in his busy schedule to engage in all aspects of security. He subscribes to several trade newsletters and reads blogs to stay on top of the latest security news. “When I read about what happened to Target, the first thing I did was call the head of IT,” he says. “I asked: ‘Can this happen to us?’ I always ask: ‘Can this happen to us?’ ”

Engaged leaders are fundamental to keeping businesses safe, says John Buzzard, product manager at FICO Card Alert Service, a fraud-monitoring vendor in Annandale, Virginia. “If the top brass takes security seriously, so will everybody else at the company,” he says.  

Proprietors of smaller shops, however, tend to focus almost exclusively on marketing or operations. “Thinking about security can be overwhelming for some businesses,” Buzzard says. “It paralyses them from even getting started.”

To take the edge off, he recommends starting with a low-tech exercise: Write down the items within your business that would be of value to criminals. These would include customers’ credit card numbers, social security numbers, addresses and other personal information. “You have to start with identifying what the criminals would want so that you know what you have to protect,” Buzzard explains.

If financially feasible, small businesses should outsource IT security to a vetted expert, he says. If this is not within the budget, he recommends buying a separate computer to store sensitive information offline. Having a dedicated computer that is not hooked up to the Internet will keep information relatively safe from intrusions. “Whenever a computer is connected to the Internet, the possibility of a breach is always there,” Buzzard says.  

Businesses with WiFi connectivity are most at risk as hackers can infiltrate their systems in many ways, including wardriving, where criminals drive around while trying to penetrate networks using anything from a laptop computer to a smartphone.  

“We avoid being part of the cloud,” says Gaeton Cavarocchi, CIO at Times Supermarkets. Whenever the company collects information from a customer, the data gets encrypted and then transmitted to a third-party provider – also in encrypted form – to house it in a secure databank offsite.

Cavarocchi is a big believer in knowing where his network stands. There are routine tests for vulnerabilities and grueling inspections by an independent auditing firm. “You can never let your guard down,” he says.  

Part of this intense vigilance is because Times is Payment Card Industry compliant. PCI compliant means the company is required to follow rigorous security measures. Cavarocchi says it’s not easy and can cost more than a lot of small businesses can afford.  

Businesses that can’t afford the cost of PCI compliance can go online to get the free PCI self-assessment questionnaire, says Cavarocchi. This tool can provide clues about where security weaknesses lie. “Don’t take any gambles with this stuff,” Cavarocchi says. “It will eventually catch up to you and your customers.”

 

Don't Miss an Issue!
Hawaii Business,June