It was business as usual as the restaurant’s small staff prepared for the lunchtime crowd.
The kitchen was scrubbed, the floor immaculate, and the equipment and fresh ingredients ready. Just the same as every day since the restaurant’s opening seven years earlier in East Oahu.
Then the call came. “A man from a credit card company told me that my business computer had probably been breached,” recalls the owner. “I practically hung up on him thinking it was a prank.”
He dropped everything and contacted “the computer guy” – an outside IT specialist who worked on the restaurant’s computer once in a blue moon. “I wanted him to investigate and was confident that this was some sort of mistake. I was wrong.”
Hackers had infiltrated the restaurant’s computer. Over about a month, they stole hundreds of customers’ credit card numbers, which were then sold to criminals on underground websites. The buyers then created fake credit cards using the stolen numbers and made fraudulent purchases as far away as Canada.
The restaurant was a victim of carding, a complex scheme that can scorch businesses in multiple ways, from back-office security data breaches to front-store fraudulent purchases.
If not for the call, the abuse of the restaurant’s credit card numbers would have gone on indefinitely, says the restaurant owner, who spoke on condition of anonymity out of fear of being targeted again.
“I still can’t believe that this happened. We are a small shop, why would a hacker want anything to do with us? How did they even detect us?”
“It was a false sense of security,” says Edward Arias, supervisory special agent for the FBI in Honolulu. The reality is that every business – from small mom-and-pop stores to multibillion-dollar retail behemoths – has a bull’s-eye on its back. “Unfortunately, there are a lot of local businesses who don’t think this can happen to them, until it does,” he says. Small businesses are often targeted because they are less likely to reduce their risk with enhanced IT security, strongly written and enforced digital policies, and employee training, says Sheri Sakamoto, president of the Retail Merchants of Hawaii. “They have limited resources and are not as aware of these issues,” she says.
Sakamoto says there are more than 17,000 retail entities in Hawaii – 80 percent of them small. “Too many of them are not taking this threat seriously,” she notes.
The fallout from carding crimes can be catastrophic. Data security breaches, for example, will cost a business $188,000 on average, according to Beau Monday, information security officer at Hawaiian Telecom. That’s enough to put many companies out of business.
In retailing, business owners pay an average of $78 in penalties for each stolen record. The costs are even higher on average for healthcare and financial companies: $233 and $215 per stolen record, respectively. And those figures only cover the sanctions and fees imposed by banks and credit card companies – not the actual losses from fraudulent acquisitions. The restaurant owner described above would not reveal the losses he suffered from his breach, but the restaurant is still in business.
Target, which had some 40 million credit card numbers and 70 million pieces of sensitive costumer information stolen, including addresses and phone numbers, could be hit with billions of dollars in sanctions.
“We are talking about some serious financial damages,” Monday says. “Big businesses have insurance and other means to cope, but many small businesses work on a limited cash basis and could find themselves in real trouble.”
Some 60 percent of businesses hit by data breaches file for bankruptcy within six months, he says.
Hawaii is no stranger to these crimes. The local victims include Target, Neiman Marcus, Chanel, Louis Vuitton, Roy’s Restaurant and many others.
Instead of being paralyzed by fear, businesses should take action, the FBI’s Arias says. “What they need to do is be aware and to proactively manage their risk because sticking their heads in the sand is not going to make them safe,” he says.
On March 17, Bob Stout, president of Times Supermarkets, flew to California to drum up funding from his parent company to buy new payment terminals that handle chip and pin credit cards – “smart cards” that are less susceptible to fraud.
He anticipates the ballpark tab will be in six figures, but he’s willing to pay that price. “Security is one of the most important aspects of running our business,” he says. “We see it as an investment.”
Stout carves out time in his busy schedule to engage in all aspects of security. He subscribes to several trade newsletters and reads blogs to stay on top of the latest security news. “When I read about what happened to Target, the first thing I did was call the head of IT,” he says. “I asked: ‘Can this happen to us?’ I always ask: ‘Can this happen to us?’ ”
Engaged leaders are fundamental to keeping businesses safe, says John Buzzard, product manager at FICO Card Alert Service, a fraud-monitoring vendor in Annandale, Virginia. “If the top brass takes security seriously, so will everybody else at the company,” he says.
Proprietors of smaller shops, however, tend to focus almost exclusively on marketing or operations. “Thinking about security can be overwhelming for some businesses,” Buzzard says. “It paralyses them from even getting started.”
To take the edge off, he recommends starting with a low-tech exercise: Write down the items within your business that would be of value to criminals. These would include customers’ credit card numbers, social security numbers, addresses and other personal information. “You have to start with identifying what the criminals would want so that you know what you have to protect,” Buzzard explains.
If financially feasible, small businesses should outsource IT security to a vetted expert, he says. If this is not within the budget, he recommends buying a separate computer to store sensitive information offline. Having a dedicated computer that is not hooked up to the Internet will keep information relatively safe from intrusions. “Whenever a computer is connected to the Internet, the possibility of a breach is always there,” Buzzard says.
Businesses with WiFi connectivity are most at risk as hackers can infiltrate their systems in many ways, including wardriving, where criminals drive around while trying to penetrate networks using anything from a laptop computer to a smartphone.
“We avoid being part of the cloud,” says Gaeton Cavarocchi, CIO at Times Supermarkets. Whenever the company collects information from a customer, the data gets encrypted and then transmitted to a third-party provider – also in encrypted form – to house it in a secure databank offsite.
Cavarocchi is a big believer in knowing where his network stands. There are routine tests for vulnerabilities and grueling inspections by an independent auditing firm. “You can never let your guard down,” he says.
Part of this intense vigilance is because Times is Payment Card Industry compliant. PCI compliant means the company is required to follow rigorous security measures. Cavarocchi says it’s not easy and can cost more than a lot of small businesses can afford.
Businesses that can’t afford the cost of PCI compliance can go online to get the free PCI self-assessment questionnaire, says Cavarocchi. This tool can provide clues about where security weaknesses lie. “Don’t take any gambles with this stuff,” Cavarocchi says. “It will eventually catch up to you and your customers.”
Some years back, Lieutenant John McCarthy of the Honolulu Police Department was working on a case in which thousands of dollars in electronics were fraudulently acquired from a local retailer using a stolen credit card. The clerk accepted the card from a local male – even though it was in the name of a female with a Japanese name.
“The employee should have noticed that there was something fishy going on because the name on the card could not have belonged to the purchaser,” McCarthy notes. “But he didn’t have the training and guidance to help him act on the red flags.”
He has seen countless times in which businesses were easy prey because they failed to create effective written policies or train employees to use them. A well-trained workforce is a powerful defense against carding and every other type of crime.
“These are the people on the frontlines,” McCarthy says. “If your business is going to have a fighting chance, you are going to have to give them the right equipment.”
The first step is to draft a policy framework, so that there is a written protocol on security matters, he says. Then communicate the policies to employees.
Whenever possible, McCarthy says, hire private security contractors to train employees. Businesses can also use free workshops on Oahu offered by both HPD and the U.S. Secret Service. Both agencies will conduct general on-site training if a business owner asks. Email McCarthy at email@example.com with questions for either agency.
“Some signs of fraud are quite evident, like when the stripe of a credit card looks worn down or when the card’s embossment is flawed,” McCarthy says. “But if the employees do not have the right training, they will never be able to spot them.”
Data breaches, however, are notoriously difficult to detect, which is why prevention is critical, says Jay Jacobs, co-author of Verizon’s 2013 Data Breach Investigations Report, which analyzed some 47,000 reported incidents.
His research indicates that easy-to-guess passwords such as administrator, 1234 or password are a big culprit in successful breaches. “It is like opening up the gates to the hackers,” he says. Some experts say passwords should be at least seven characters and have a combination of upper and lower case letters; special symbols, such as @ or # bolster the complexity of the password and make it more secure. Other experts say long phrases – even up to 30 characters that can easily be remembered by the user – provide an even bigger challenge to hackers.
Another problem is USB drives. Some are riddled with malware, which can discretely hop on a computer and begin stealing sensitive data. The best solution is not to use USB drives, period. But if you must use a thumb drive, always use up-to-date anti-virus software to check it immediately, even though this is not foolproof as hackers are always creating new malware.
Unsafe email usage is another pitfall, Jacob notes. Employees who click onto infected links in their emails are inadvertently installing malware on their computers. One safeguard is to avoid emails from unfamiliar sources.
Everybody who uses a workplace computer – from the CEO on down – needs to take precautions, according to McCarthy. For instance, download software updates and security patches as soon as they are available. Users of Windows XP should consider new software because Microsoft has ended free support and further security patches and bug fixes to its 12-year-old operating system for PCs.
“Online criminals will simply park themselves on the Internet and look for loops to penetrate internal systems,” he says. “I know a lot of small businesses who are completely unaware that this change in software is happening. They are like sitting ducks.”
When It Happens
Breaches in security are to be expected, which is why having an Internet response plan is essential for companies of all shapes and sizes, says Michael Collat, lead associate at Booz Allen Hamilton in Honolulu. “When the breach comes, you will want to just be able to pull out the document and get to work without having to figure things out as you go along,” he says.
More often than not, however, companies do not have a response plan, which means they have to react to security breaches on the fly. The first rule is not to panic. Collat recommends reaching out to an IT forensics specialist and to the appropriate law enforcement agencies.
The forensics work will hopefully uncover where the breach happened and what means were used to break in. “The knee-jerk reaction for a lot of businesses is to unplug the computer and erase everything so that they can get back to work,” he says. “This is understandable, but by doing this they will never know what truly happened and how to protect themselves in the future.”
Collat believes transparency with affected parties is also critical. “You don’t want to hide things,” he says.
Target leveraged tools like social media, email and press releases to communicate with customers after its breach. One of the main messages the retailer wanted to transmit was that customers have zero liability for any fraudulent charges, says company spokeswoman Molly Snyder. To further provide peace of mind, the company also offered one year of credit monitoring and identity theft protection to all of its clients.
Collat says carding can cripple a business, not just financially, but also erode customer loyalty and damage a brand.
“It will be painful, but it doesn’t have to be the kiss of death,” Collat says. “First, though, business owners will have to be realistic about the kind of interconnected world that we live in and realize that their companies are not operating in a protective bubble.”
Beware of Friends and Allies
Your vendors can do you in, even if they don’t intend to.
The hackers in the Target breach did not attack its strong security system head on. Instead, they came in through the retailer’s heating and cooling systems maintenance provider.
“Hackers are savvy,” says Edward Arias, supervisory special agent for the FBI. “If they think that a network is too secure to access directly, they will turn to the low-hanging fruit around it.”
Almost 25 percent of cyber breaches can be attributed to third-party negligence, according to a study from the Ponemon Institute, a security research company which surveyed more than 3,500 IT and cybersecurity experts in 2013.
One way to protect yourself is to limit a vendor’s access to your network, Arias says. “Try to keep everything separate. Don’t give external companies the keys to the entire shop,” he says.
Don’t hire vendors randomly. Instead, ask people you trust for recommendations. If possible, conduct a background check before hiring a vendor.
Small businesses that don’t have the budget for deep vetting can get additional information by contacting trade organizations or asking for letters of recommendation, and calling on those sources for verification.
There are free tools as well, such as the FBI’s InfraGard partnership – a network of experts across multiple industries who have passed through extensive vetting. Go to www.infragard.org.
Percentage of American adults who have had personal information stolen including:
- Credit card numbers
- Social Security data
This is up from 11 percent in 2013.
Source: Nationwide survey of 1,002 adults in January 2014 by Pew Research Center
Shift in Liability
October 2015 could catch many local businesses flatfooted.
That’s the deadline set by the credit card industry for U.S. businesses to upgrade their payment terminals, says Sheri Sakamoto, president of the Retail Merchants of Hawaii. If they don’t upgrade, merchants could be liable for fraudulent charges currently covered by the credit card companies.
The stakes are enormous, considering that credit card fraud in the U.S. is estimated at $5.3 billion a year, according to the Nilson Report, a respected newsletter and research organization in the field.
The new technology is chip and pin credit cards, which industry experts say are less susceptible to security breaches than the conventional swipe-and-sign cards. Much of the world has already made the switch to chip and pin cards, which have tiny computer chips embedded in the card and have reduced in-store credit card fraud. The cards can encrypt data that is specific to an individual transaction, whereas the traditional swipe cards repeat a single number.
Visa set Oct. 1, 2015 as the U.S. deadline for adoption. After that, if a customer uses a chip and pin credit card, but the merchant accepts the payment using an outdated terminal, the card issuer will not be responsible if there is fraud. The retailer will be.
Big stores can absorb these losses, but small companies will struggle. “I worry about the small shops,” Sakamoto says. “They usually don’t have deep reserves.”
Chip and pin cards will bolster security, but they are not a silver bullet. In Europe, smart card technology reduced in-store credit card fraud, so the hackers shifted more of their energy to online fraud, cyber-security experts say.