According to a report by the Sydney Morning Herald yesterday, an organized crime gang has been arrested for allegedly hacking into the point-of-sale (POS) terminals of dozens of small businesses in the country. The syndicate apparently made off with a staggering half a million credit card details, some of which were subsequently used to conduct $30 million worth of unauthorized transactions around the world.
Described as the biggest data theft investigation in the country’s history, the digital fraud revolves around the cybercriminals exploiting the remote access software installed on the POS machines to gain unauthorized access. As far as I could tell, the remote access software was installed for legitimate remote maintenance, but was instead used to introduce malware that silently siphoned off credit card info to a remote location.
There are two lessons SMBs can learn from this case.
Cybercriminals target everyone
One of the most common fallacies about security is the belief that cybercriminals will not bother with smaller businesses, given the comparatively meager resources there are to steal. This can’t be further from the truth, however, as most cybercriminals do not discriminate between large enterprises and SMBs: they simply attack whoever presents themselves as a target.
Indeed, I wrote last year about how some hackers were actually targeting smaller companies due to their comparatively lower awareness of good security practices. With this in mind, SMBs would do well to stay alert and observe safe computing practices. On this front, you may want to read about the FCC’s cybersecurity tips for small businesses for a start.
Simple passwords a weak link
Though the reports did not offer details of how the gang was able to gain access to the POS systems, the most likely reason would be the use of easily guessable passwords in the remote access software. This is hardly the fault of these small businesses of course, though it is a somber reminder that something as simple as a weak password can result in a world of grief.
Aside from not using a suitably complex password, the biggest mistake here is probably the reuse of passwords. As it is, the sheer number of different accounts that we deal with each day necessitates the use of a good password management tool. If you are not already using one, “Three Tools for Proper Password Management” offers some recommendations for those looking for a password management utility.