Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study
A study discloses a disturbing trend – nearly four out of five small companies are storing unsecured data about their customers. That’s an indictment of such businesses, and is alarming news for consumers about their vulnerability to credit card fraud and identity theft.
The 2011 study was conducted by the National Cyber Security Alliance (NCSA).
“How can this be,” you ask?
Nationally known security expert Dr. Stan Stahl, of Citadel Information Group in Los Angeles, knows why.
“Citadel works with small business leaders every day and – based on our experience – the reason small businesses don’t take cybercrime seriously is that they see it primarily as something their IT people are managing, not yet realizing the critical importance of their own leadership,” says Dr. Stahl.
“This includes establishing clear policies and standards for information use, explicitly assigning cyber security management responsibility to a member of the senior management team, providing cyber security awareness training and education to all information users, and ensuring that IT personnel are effectively managing the security of the IT infrastructure,” he adds.
The alarming results in the study first came to my attention after reading Small Businesses Don’t Take Cybersecurity Seriously, which was mentioned in Dr. Stahl’s security blog.
Hopefully, your business is not one of the businesses cited in the study. Cybercrime has become a global nightmare. My question for companies about Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?
For NCSA’s tips for small business security, read this post.
“Seventy-nine percent of businesses are storing consumer information when they don’t need it. It’s not protected. It’s not secure,” Verizon spokesperson Andrea Woroch was quoted in a published report.
For consumers, Verizon offers these tips:
Watch the people swiping your credit or debit card.
“You don’t want to blame or suspect everyone’s trying to steal your information, but there are people who will and are trying to copy your credit card information with extra swipes,” says Ms. Woroch.
Take extra care when you buy on the Internet.
“Don’t mark that little check box that says ‘to store for future purchases.’ You don’t want that organization, that business, that Internet website to hold any of that information,” explains Ms. Woroch.
Consider alternatives to using your credit card, such as gift cards.
Carefully study your billing statements.
“Lots of consumers overlook little charges that are being made on their statement and that’s how people are continually able to trick them and deceive them and steal them and take extra money out of their accounts,” adds Ms. Woroch.
Resource link: Dr. Stahl’s Web site.
(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)
From the Coach’s Corner, here are additional cybersecurity tips:
Security Precautions to Take Following Citibank’s Second Reported Online Breach
Our Mobile-Banking Warnings about Security Prove Prophetic
“Being good is good business.”
-Anita Roddick
__________
Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?
Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist
June 27, 2010
At first glance, the free WIFI service at Starbucks seems like a great idea for mobile professionals. Starbucks’ free Internet service is a response to growing competition – McDonald’s upgraded coffee offerings and free WIFI, which have proved to be popular in the economic downturn.
Starbucks announced the service effective July 1, 2010.
But the WIFI offering by Starbucks has prompted a security warning and checklist from a go-to Internet security guru, Dr. Stan Stahl of Citadel Information Group in Los Angeles. His commentary is entitled, “Free WIFI at Starbucks – Reminder of Cybersecurity Risk.”
“While most of the common risk is eavesdropping, one cannot overlook the risk of computer compromise,” writes Dr. Stahl.
His five security recommendations:
- No online banking or other eCommerce
- No e-mail containing sensitive information except via an approved encrypted link from PC to Mail Server
- Keep anti-virus or host intrusion software up-to-date
- Make sure software patches are up-to-date
- Use VPN (virtual private network) for access to office
Respectively, here are Dr. Stahl’s Web site and blog addresses: www.citadel-information.com, www.citadelonsecurity.blogspot.com.
From the Coach’s Corner, Dr. Stahl’s expertise is also quoted in these Biz Coach columns:
- How to Protect Yourself from the Internet Crime Wave
- Strategic Planning: List of Informative Web Sites
- Web Security Checklist and Warning about Mobile Banking
- 5 Safety Measures to Thwart Mounting Social-Network Attacks
- How China-Google Controversy Might Affect Business, Government Security
Antivirus Company Names Most-Perilous Internet Cities
Updated March 23, 2010
In cyber-crime, Seattle has earned a distinction it’d rather not have – the No. 1 riskiest online city. That’s according to Norton from Symantec. The antivirus company teamed up with the research firm Sperling’s BestPlaces to determine the locales they deem most susceptible to Internet crime.
Maybe they are and maybe they’re not. A leading cyber-security expert, Dr. Stan Stahl, questions the data.
“While some of the factors used in assessing ‘risk’ would seem to be appropriate, my bottom line was expressed best by G.K. Chesterton: ‘It’s not that they don’t know the answer. It’s that they don’t even know the question’,” says Dr. Stahl, a noted Internet security expert in Los Angeles (www.citadel-information.com).
A Norton press release states its list of cities was developed as a result of the cyber-attack data compiled by Norton and other factors. The top five: Seattle, Boston, Washington, D.C., San Francisco, and Raleigh.
Norton’s criteria include these six categories:
1. The cyber-crimes data from Symantec Security Response:
- Number of malicious attacks
- Number of potential malware infections
- Number of spam zombies
- Number of bot infected computers
- Level of Internet access
2. Expenditures on computer hardware and software
3. Wireless hotspots
4. Broadband connectivity
5. Internet usage
6. Online purchases
Missing from this list, Dr. Stahl says, are things that would serve to mitigate risk, such as:
- Number of information systems security professionals in the city
- Average number of information security professionals per 1,000 computers and per company
- Percentage of computers that connect to hotspots using a VPN (virtual private network)
- Percentage of companies ISO 27001 certified (ISO refers to the International Organization for Standardization)
- Numbers of CISSPs (Certified Information Systems Security Professionals), CISMs (Certified Information Security Managers), etc.
- Percentage of businesses/homes with professionally managed firewalls
“By itself, expenditures may mean little or nothing since one large supercomputer can cost the same as zillions of PCs and actually lower risk,” explains Dr. Stahl. “There’s also the question of what ‘risk’ means when applied to a city, as opposed to an individual or an organization.”
So it’s a question of what he calls “meaningful mathematics”: everything is relative.
“My risk goes up or down as the total number of bot infected or spam zombie computers goes up or down; it doesn’t really matter if they happen to be in my own town or somewhere else [more or less true, but not quite since a bot net or spam zombie in Africa poses less of a risk than a bot net in America],” he adds. “In this situation, my risk is my risk; it doesn’t meaningfully transfer to my city.”
Norton’s list of the alleged most-vulnerable cities:
1. Seattle
2. Boston
3. Washington, D.C.
4. San Francisco
5. Raleigh
6. Atlanta
7. Minneapolis
8. Denver
9. Austin
10. Portland
11. Honolulu
12. Charlotte
13. Las Vegas
14. San Diego
15. Colorado Springs
16. Sacramento
17. Pittsburgh
18. Oakland
19. Nashville-Davidson
20. San Jose
21. Columbus
22. Dallas
23. Kansas City
24. New York
25. Indianapolis
26. Albuquerque
27. Miami
28. Omaha
29. Virginia Beach
30. Los Angeles
31. Cincinnati
32. Houston
33. St. Louis
34. Phoenix
35. Chicago
36. Baltimore
37. Oklahoma City
38. Philadelphia
39. Jacksonville
40. Tulsa
41. San Antonio
42. Milwaukee
43. Cleveland
44. Tucson
45. Long Beach
46. Fort Worth
47. Fresno
48. Memphis
49. El Paso
50. Detroit
Again, based on the expertise of Dr. Stahl, if you live in one of the listed cities, you don’t necessarily have to worry. My thanks to him – he’s been very gracious with his analysis for many years.
From the Coach’s Corner, here are recent Biz Coach columns featuring his expert opinions:
- How to Protect Yourself from the Internet Crime Wave
- Strategic Planning: List of Informative Web Sites
- Web Security Checklist and Warning about Mobile Banking
- 5 Safety Measures to Thwart Mounting Social-Network Attacks
His security blog: http://citadelonsecurity.blogspot.com/
How to Protect Yourself from the Internet Crime Wave
Jan. 22, 2010
For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline was alarming.
The Wall Street Journal headline: “FBI Probes Hack at Citibank – Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach.”
The article on December 22, 2009 was the last we’ve seen about the Citibank situation. The reported multimillion dollar loss – a public relations nightmare for Citibank – has been hushed up.
Many online security experts say online fraud is skyrocketing and there are FBI warnings about online fraud and related scams.
Such cybersecurity experts also cite another alarming trend – increasing sophistication in the methods used by cybercriminals.
About three weeks after the Citibank report, online-banking warnings were issued by the American Bankers Association and FBI (“Cybercrooks stalk small businesses that bank online”). The warnings followed a wave of cybercrime afflicting small businesses, public-sector agencies, churches, schools, and other non-profits.
Cybercrime methods
Many crooks are using what are called “banking Trojans.” Here’s a typical case: “New Trojan Intercepts Online Banking Information – PC World.”
A cybersecurity expert, Dr. Stan Stahl, recently developed a plot line in another cybercrime issue, which is applicable to the banking scams.
“The plot line isn’t with Citibank but related to the recent web attack on Twitter that redirected users to the ‘Iranian Cyber Army.’ This same type of attack – stealing the UserID/password of Twitter’s DNS administrator and then changing the DNS to point to the Iranian Cyber Army – could be used to create a ‘cybercriminal-in-the-middle’ attack against an eCommerce site,” he said.
Dr. Stahl further explained the cybercriminal is then able to steal a consumer’s sensitive credit-card information and seize control of the victim’s computer.
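The hijack Dr. Stahl describes begins with an unauthorized change to a zone’s DNS records, so the first defensive signal is drift between what the operator expects to be published and what resolvers actually return. This added example, which is not from the column or from Citadel, shows such a check in Python; the zone name, record values and owned address block are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Records = Dict[str, Set[str]]
Finding = Tuple[str, str, str]  # (severity, record type, message)

# Constructed baseline for a hypothetical zone "shop.example" (not a real site):
# the records the operator expects to see, and the address block it actually owns.
BASELINE: Records = {
    "NS": {"ns1.shop.example.", "ns2.shop.example."},
    "A": {"198.51.100.10", "198.51.100.11"},
    "MX": {"mail.shop.example."},
}
OWNED_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed snapshot resembling the hijack described above: the delegation now
# points at unregistered nameservers and the web host resolves outside owned space.
HIJACKED: Records = {
    "NS": {"ns1.attacker-controlled.invalid.", "ns2.attacker-controlled.invalid."},
    "A": {"203.0.113.7"},
    "MX": {"mail.shop.example."},
}


def in_owned_space(addr: str) -> bool:
    """True when an IP address falls inside a block the operator controls."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in OWNED_BLOCKS)


def diff_records(baseline: Records, observed: Records) -> List[Finding]:
    """Rate each divergence from the baseline: NS changes and A records outside
    owned space are high (zone or web traffic handed to someone else); other
    additions or removals are medium."""
    findings: List[Finding] = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        for value in sorted(seen - expected):
            severity = "medium"
            if rtype == "NS" or (rtype == "A" and not in_owned_space(value)):
                severity = "high"
            findings.append((severity, rtype, f"unexpected {rtype} record {value}"))
        for value in sorted(expected - seen):
            findings.append(("medium", rtype, f"missing {rtype} record {value}"))
    return findings


def hijack_suspected(findings: List[Finding]) -> bool:
    """Any high-severity finding warrants an immediate registrar and DNS review."""
    return any(severity == "high" for severity, _, _ in findings)
```

Feed it the records your own resolver returns on a fixed schedule; a legitimate re-addressing inside the owned block only produces medium findings, while a changed delegation is flagged high immediately.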
He is a widely known pioneer in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing the handling of non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
“I feel the banks must bear a significant share of the responsibility because they have the knowledge of what’s happening yet, in my experience and based on what I’ve been told by people in law enforcement, they are not working the problem with their customers nor are they supporting law enforcement by sharing what they know,” said Dr. Stahl. “They strike me as wanting to pretend this isn’t a problem.”
It’s true insurance companies reimburse victims of cybercrime. But cybercrime is expensive.
A client once hired Dr. Stahl to investigate a $1 million loss from an online banking theft, and I reported the details in this column, “5 Safety Measures to Thwart Mounting Social-Network Attacks.” He says it resulted in an expensive legal struggle.
“The lawsuit I’m involved in, for example, is between two insurance companies; both will lose dollars regardless of how the suit turns out,” Dr. Stahl explained. “If the insurance companies made bank cooperation with law enforcement a policy requirement, we’d get a lot more cooperation and the insurance companies would have fewer claims to pay.”
He is also assertive in explaining his perspective on the Internet-security issue, Google vs. China.
“There is little in the Google story that the information security community didn’t already know except for the specific vulnerabilities that were exploited,” he said. “What is new – and important – is that now the world knows. For our business, it’s just one more example we can point to of how unsafe the internet is. Plus, because it’s Google, the cybercrime has been deconstructed more thoroughly than usual. Kudos to Google.”
Smartphone dangers
A published report, “BBC News – Cybercriminals revive old scams to target smartphones,” raises the specter about threats against mobile phones.
The BBC smartphone report prompts this question from Dr. Stahl: “How long will it take until this type of malware is used to steal online bank credentials?”
Here are some of his tips to enhance your personal online security:
- Review all privacy and policy information.
- Use unique and hard to guess login information.
- Protect your computer.
- Check your account balance regularly.
- Pay using credit cards.
- Do not access your account from public locations.
- Verify email correspondence from your bank.
- If your account is compromised, take swift action.
For your company’s management controls:
- Don’t allow your employees to use your computers for social networking.
- Establish a list of allowable Web sites.
- Closely monitor your bank account.
- Train employees in social engineering awareness.
- Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
- Strengthen your defenses.
(Note: I know Dr. Stahl well as a trusted expert, and I’ve interviewed him on multiple occasions. He and I are members of a roundtable of veteran consultants, Consultants West, www.consultantswest.com.)
Resource links:
- Dr. Stahl’s Web site – www.citadel-information.com.
- His blog – www.citadelonsecurity.blogspot.com
From the Coach’s Corner, here are additional security tips:
- If you’re a cyber victim, contact a noted security expert and authorities (How to Report E-Scams and Hoaxes to the FBI).
- If you want to help the victims in Haiti: “Only donate through the Red Cross or other well-established charity organizations,” said Dr. Stahl. “Ignore all email solicitations. They could be fake, and prudence requires that one assume they are. There are lots of known safe groups through which one can contribute; no reason to take a risk here.”