We have written here and here about the dangers of not having more sophisticated or complex passwords for technical devices and online accounts. We are also strong proponents of fighting hackers with encryption. None of this should come as a surprise to knowledgeable online users. Yet, as the press enjoys pointing out, sometimes even self-professed tech geeks rely on easy-to-crack passwords, use the same passwords for multiple accounts or never bother to update the default passwords their devices and accounts came with in the first place. Whenever one of these articles is published or news stories air, you can virtually hear the echo of hands smacking on foreheads as people realize they’re guilty of the lazy practices hackers exploit. It stings to realize you’re the low-hanging fruit identity thieves love to target.
What gets less coverage, however, is how often small business owners are the weakest link in an identity theft chain. Certainly big businesses have been called out for serious data breaches, including misrepresenting whether or not their data was encrypted. But, as it turns out, personally taking pains to protect against hackers and identity thieves can all be for naught if thieves are accessing your digital data via the smaller businesses you frequent. This could include your favorite local restaurant, or the neighborhood Mom and Pop bookstore or boutique you proudly support. Take credit card terminals, for example: Small businesses are especially vulnerable to the plethora of ways hackers collect cardholder data via credit card terminals used to process credit card sales.
Here are some ways small businesses can protect their client’s data from credit card terminal breaches:
- Some credit card terminals are set with a default password and a default programming code that vendors are supposed to change to ensure their clients’ credit card information is secure. Needless to say, many don’t make the effort, or use an easy-to-guess password, leaving themselves vulnerable to hacks. Insert hand-smacking-forehead sound here.
- Some businesses scrimp on card terminals from reliable vendors with more sophisticated security measures. Of course, this isn’t to say that trusted vendors don’t make bad equipment, but in security, as in almost everything else, you get what you pay for. And better to pay for equipment from a vendor with a solid reputation and a good track record, and decrease the likelihood of getting hit with legal costs for data breaches.
- Brazen hackers will go into a store pretending to be a service person sent to update or replace card terminals and actually be granted access to the terminals. Devices are then doctored to leak cardholder data. This is akin to getting a phishing email that appears to be from your bank with a link to change the password on your online checking account. The take away is that no bank or processor is going to send out a service person without notifying the business first. If a technician claims otherwise, show him the door.
- Sometimes hacks leave clues that there is a security breach. For instance, credit card data may be hacked by linking a credit card terminal to an external network or an external device. Card holder data is then funneled via this link. Any indication of this sort of external activity is a massive red flag that cardholder data is being leaked. Vigilant business owners will diligently monitor their connections. That way, they can track the traffic their devices generate, including whether any data is being transmitted to terminals or devices outside their network. If a leak is suspected, all traffic should be immediately stopped and the local FBI office should be notified.