This article is a re-print from the April 1, 2015 edition of Silicon India.
Security threats are evolving quickly, making it difficult to pinpoint just one threat that is currently affecting small and mid-size businesses.
From the threats we have observed in the past and the ones we anticipate for the future, we have learned that while malware can be damaging to businesses, so can human decisions. This makes it vital for small and mid-size business owners to discuss possible threats with their employees and share basic IT guidelines with them, but more importantly, to implement a strong security solution that holds up dangers before they become a real threat.
Taking Advantage of Human Nature: Social Engineering
Hackers understand that it is human nature to make mistakes, which is why they often turn to social engineering. Social engineering is a tactic that tricks people into revealing their personal information, like log in details, or into performing actions, like downloading malware disguised as an attachment or link.
Phishing emails are a popular form of social engineering that can easily sneak their way into your employees’ inboxes, disguising themselves as yet another offer, promotion, or even customer, if you do not have anti-phishing protection. Phishing campaigns come in many forms; they can either use scare tactics to make people believe they are in trouble or that they have won a prize.
In the last few months we have seen Trojans like Pony Stealer and Tinba make their rounds. Both Pony Stealer and Tinba attempted to convince people they owed money and to download an invoice, which was of course not an actual invoice, but a Trojan.
Falling for phishing scams can have devastating effects on businesses; they could not only steal personal information, but also attack Point of Sale (PoS) systems to steal customers’ financial information, thus not only affecting the business itself, but its clients as well.
Lack of security awareness: Beneficial for hackers, bad for your business
Not taking proper security precautions, like choosing weak passwords or ignoring security updates, is another human flaw cybercriminals like to abuse to access accounts and networks. To gain control of a system, hackers can enter common or weak passwords or simply look up hardware’s default administrative log in credentials.
One of the most dangerous places in America is your local retailer. Before you leave the building with your purchases, you run the risk of having your identity stolen.
No doubt you recall the 2013 security breaches at Target, Michael’s, and Neiman Marcus where millions of records were compromised by Point-of-Sale (PoS) attacks. PoS occurs when the customer makes a payment to the merchant. That last exchange is the most vulnerable.
Large retail merchants lead the list by 50% of organizations where consumers’ data was compromised in 2013, followed by credit card issuers and consumer banks, according to the #DataInsecurity Report done by the National Consumers League, in cooperation with Javelin Strategy & Research. The #DataInsecurity Report also revealed that 61% of data breach victims reported the breached information was used to commit fraud against them.
This should not come as a surprise. According to the Nilson Report, approximately $4 trillion dollars was paid with credit, debit, and prepaid cards in the U.S. last year. Add to that the ready availability of code to execute PoS attacks available on underground forums and you have the perfect storm of a large victim pool for cybercriminals. The U.S. is an easy target since EMV cards (cards with chips embedded) have not been widely adopted. EMV, conceived between Europay, MasterCard and Visa, is a standard securing payments in other countries.
Cybercriminals don’t care about the size of your business
Although most of the PoS attacks highlighted in the media were against large retailers, cybercrooks don’t care how large or small your business is. You would think they would, but cybercriminals are more interested in raking in the money rather than caring about the fame they could possibly receive from attacking a large and popular business. Regardless of its size, if your business has a PoS system to charge customers for products or services, you should be protecting your system to save yourself from a possible attack. PoS attacks not only steal valuable customer information, they can damage your business’s reputation.
The #DataInsecurity Report shows that only 10% of retail fraud victims are confident that retailers can protect their information in the future.
How PoS attacks work
The biggest PoS Trojans, like Dexter, BlackPOS, Minerva, and vSkimmer, have targeted systems and networks running Windows. Read more…