Online Fraud

by Robert Imhoff-Dousharm

   Helping your merchants protect themselves from fraud is no accident. Too often we see merchants using new technologies and not taking correct security measures to protect themselves. Some merchants have already experienced hacker attacks against their PC-based credit card software, and lost.
   With new software packages being offered by ePayment gateways every day, the odds of a hacker finding a vulnerable site increase. Merchants large and small, from 45-store retail chains, to 20 bedroom hotels, are currently taking advantage of PC-based terminals. These packages offer the benefit of faster transaction times and better discount rates. They also provide a lot of flexibility, but also raise concerns for card security. So the question 'how' comes to mind. Merchants use PC-based terminals to connect to F.E.P.'s for authorization via dial-up modems, leased lines or even the Internet. POS devices connect to the terminal via their in-house network, leaving plenty of room for error. Usually these networks are "trusted" which, simply put, means that only people who are supposed to have access to these networks do. This is not always true though. In my experience with many clients, I have seen some who cannot justify the funds to help protect these networks. This means that credit card numbers and swipe data, are being propagated across "un-trusted" networks.
   Working day in and day out fixing and upgrading merchants PC software, I have seen many questionable setups that any network administrator would call unsecured. This includes merchant hotels that install high speed Internet in guest rooms and connect these ports to their internal network. Also, when hotels want to increase "business trip" clients, they will add WAP (Wireless Access Point) devices to their lobbies, then plug them right into their internal networks. This leaves room for rouge attacks from just about anybody, not just professional hackers. Think about it, all it takes is free download software from the Internet, a laptop, and a network/WAP card. With "packet sniffing" software, similar to the FBI's Carnivore program, hackers can probe your network, and find credit card data zooming across to the PC-based credit card terminal. This information is not just card numbers, but also full names, expiration dates, AVS info and even the magnet data off the card! Another problem I have seen out in the field, user auditing. Why would anyone want to use the vendor default password? Or provide every employee with the same login name? What if Joe "mad dogg" Smith is fired or leaves the company, then makes sure to tell everyone he knows the global user passwords in the company. It's interesting to see how some hotels care about who has access to their broom closet, than who uses their computers.
   So what do you do, tell your clients to stay away from PC- based credit card software? Definitely not. Remember, quick authorization times and complying with more regulation is what your clients want. These software packages also have a higher profit margin then most stand-alone terminals do, as they are "new technology". What can merchants do to protect themselves? Be prepared. If your merchant cannot afford a complex "user rights" network, limit devices connected to their PC terminal software's hub or switch. Offer a stand-alone machine package to smaller clients, where their PMS/POS software share the same PC as the ePayment software. You don't have to be a computer expert to apply these simple safeguards, nor do you have to be, to explain this to your potential clients.
   Here are some more basic steps to insure prevention of fraud through hacking attempts:

  • Use a business class firewall
  • Limit access to these computer systems
  • Have unique users ID's
  • Have virus protection implemented.

   There are, of course, other important security measures, but this is a good place to start. Do the research, find out what steps the card associations recommend, and a detail of what they expect of these type of merchants. Don't forget that this is adjacent to the receipt card-masking mandate that went into effect July 1, 2003. Being compliant will also help prevent charge-backs, and reduce basis points when computing discount rates for your clients. This, obviously, gives you a better edge in the market.
   Protecting merchants against Internet and internal attacks is everyone's concern. Remember, merchants will ask you how your software failed, because you sold it to them. Even if it was not the package that failed, but the merchant's inability to protect their site against computer fraud. This is a business to make money moving other peoples' money, and we need to remember this point. Would you put your own money on the Internet without securing it? Could you buy food at a client's site, and be assured that your card information will not stolen on the way to the bank?