Multi-Unit Franchisee Magazine Issue III, 2011 | Page 67
Security
By David Ellis
Keeping Hackers Out
Simple steps for safeguarding customer data
Network systems attackers, as well as less dangerous (though still nefarious) hackers, never
rest in their ongoing quest to compromise franchise computer systems and capture a share of the
billion-dollar bounty of stolen credit card data. When the final
2010 figures are tallied, the FBI expects that organized crime
worldwide will net more illicit money from Internet fraud than
from illegal narcotics trafficking.
Attackers’ methodologies continue to evolve and grow more
sophisticated. Franchisees must do likewise to stay a step ahead
and protect customers’ personal information and their own
hard-earned business reputations, indeed their very livelihoods.
Some quick definitions: “Attackers” break into franchise computer
systems with specific criminal intent to steal and defraud, whereas
“hackers” often do so for the challenge, the notoriety, or the thrill
of the chase. Hackers can inflict costly system damage and inconvenience, as serious as system shutdowns, but this can pale in comparison to the damage from system attackers. An attacker’s intrusion, if
undetected, can inflict irreparable damage to franchise operations.
Their current “best practice” and number-one method to gain
access to a franchise system (and ultimately to customer credit
card data) is to compromise a vulnerable remote access application, such as one that allows owners and managers to log into a
work computer from home or elsewhere.
Attackers increasingly target franchises that use remote access because, if they are successful, it allows them to completely
bypass firewalls. The foremost vulnerability with remote access
is not the tool itself, but rather how the remote access is configured. Merely requiring a user name and password allows an
attacker to enter your network by breaking only a single level of
security, and there is a plethora of available tools to help him.
His job is made even easier when system administrators choose
weak passwords (like “password”). Once he’s gained network
access, the attacker has the “keys to the kingdom,” and is free
to install a suite of malware designed to harvest customer credit
card data and export it to his system.
Once inside a franchise network, attackers employ a variety of
tools. Keyloggers, originally created for such legitimate purposes
as helping employers and parents track workers’ or children’s
correspondence and Internet usage, are a perfect attacker tool,
used to capture all keystrokes and credit card data as cards are swiped
at a terminal. Antivirus software developers only recently began
to flag keyloggers as potentially malicious, so the attackers’ honeymoon with keyloggers may be nearing its end.
Not so with another of their favorites, memory scrapers (or
memory dumpers). These pose grave danger not only because they
typically go undetected by antivirus programs, but also because
they can capture customer credit card data before it reaches the
encrypting protection of a secure credit card payment application.
How to avoid the high costs of lax security
Apart from inconveniencing and potentially damaging customers’ credit (not to mention business reputations and goodwill),
the consequences of insufficient or lax system security also hit
franchisees squarely in the pocketbook.
For starters, Payment Card Industry (PCI) forensic investigations into suspected breaches average around $15,000 per
franchise location. Credit card companies may hold merchants
responsible beginning at $5,000 per location breached, and
card issuers similarly seek reimbursement. In one instance,
a small restaurant franchisee was charged $110,000 in reimbursement for fraud costs. Add to these the not-so-“soft” costs
of damaged reputations from media reports stemming from
consumer complaints, and the impact on franchises can be
staggering, even fatal.
While there is no “silver bullet” that insulates a franchise
from all attacks, adherence to the mandatory Payment Card
Industry Data Security Standard (PCI DSS) is the best place
to start. Strict compliance with this framework will help plug
security holes that allow criminals to pocket your customers’
card data. A good place to begin is by examining the security
of your remote access. Remote access should always require
“two-factor authentication.” In addition to a user name and
password, two-factor authentication requires an additional
step, such as physically calling a manager onsite to be granted
remote system access. This is among the best “second factors.” Another good second factor could require matching of
Media Access Control (MAC) addresses between the remote
and onsite systems.
Another simple, yet important security tip is to close Virtual
Private Network (VPN) tunnels when they’re not in use. Attackers can try to hack into the VPN only when it is open, so reduce
their potential window by closing the VPN when not in use.
The use of wireless technology for payment applications
presents another possible vulnerability that just isn’t worth the
risk. Even wireless encryption that is considered secure by today’s
standards may be compromised tomorrow.
These suggestions are far from a security panacea; they are
simple starting points. Franchises do what they do best: operate
their business. They’re usually not IT security experts, but IT
security must be on their radar. Being PCI DSS–compliant and
taking relatively simple steps can go a long way toward successfully fending off Internet attackers.
David Ellis, CISSP, QSA, PFI, is director of forensic investigations for SecurityMetrics, a leading provider of Payment Card Industry Data Security Standard security solutions. Contact him at 801-724-9600
or visit www.securitymetrics.com.