Three Ways Merchants And Their Online Social Networking Habits Might Cost You

Guest Column


The ability of social networking websites to connect, communicate and distribute information to the masses is unquestionably powerful. Groups with similar interests now connect with each other in the conference rooms of cyberspace in real time without the hindrances of schedules, settings, or time zones.

Customers can choose to "like" a page and in doing so may be regularly exposed to a brand's message and ethics. Social networking sites allow connections between potential employers and employees. Simply linking to another profile allows us to pass along resumes, detailed educational background, and work experiences.

With this windfall of free or otherwise inexpensive connectivity come previously nonexistent security risks. Merchants, like consumers, are vulnerable to online social networking hackers. Even more disturbing is the excess of personal and business information that is highly attractive to cyber criminals.

"Trivial" Information Is Treasure

More than half a billion people use online social networks. Many may be merchants processing on your payment platforms. These merchants post large amounts of information about themselves online with the intent of sharing information with not only virtual connections but real-life friends and colleagues as well. To the untrained eye, much of this information seems superfluous and unimportant. To a company that collects and sells demographic data, this information is priceless. Even more alarming is the usefulness of data that appear to be of no value. A picture of your pet along with a caption that reads, "Sparky on the beach at Ft. Myers, August 2009," while trivial on the surface, is an information treasure trove for hackers experienced in collecting financially redeemable data.

"When you sign up with a social networking site, you are assigned a unique identifier," Craig Wills, professor of computer science at Worcester Polytechnic Institute, notes in a press release from the Worcester, Mass.-based school. "This is a string of numbers or characters that points to your profile. We found that when social networking sites pass information to tracking sites about your activities, they often include this unique identifier. So now a tracking site not only has a profile of your Web browsing activities, it can link that profile to the personal information you post on the social networking site. Now your browsing profile is not just of somebody, it is of you."
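The leak Wills describes can be checked for in a browser request capture. The following is an added example, not part of the original column or the WPI study: it scans captured requests for a profile identifier reaching hosts outside the social networking site. The host names, identifier and request list are constructed, and checking the URL, Referer and Cookie fields is an assumption about where such an identifier could travel.

```python
from urllib.parse import urlsplit, unquote

FIRST_PARTY = "social.example"       # constructed site name
PROFILE_ID = "100000123456789"       # constructed profile identifier
PROFILE_URL = "https://social.example/profile.php?id=" + PROFILE_ID

# Constructed capture: requests a browser made while a profile page loaded.
REQUESTS = [
    {"url": PROFILE_URL, "referer": "", "cookie": "sid=abc"},
    {"url": "https://ads.tracker.example/pixel?ref=https%3A%2F%2Fsocial.example"
            "%2Fprofile.php%3Fid%3D100000123456789", "referer": "", "cookie": ""},
    {"url": "https://cdn.metrics.example/b.gif?page=home",
     "referer": PROFILE_URL, "cookie": ""},
    {"url": "https://static.social.example/app.js",
     "referer": PROFILE_URL, "cookie": ""},
    {"url": "https://fonts.other.example/f.woff",
     "referer": "https://social.example/home", "cookie": ""},
]


def is_third_party(host, first_party):
    """A host is first-party if it is the site itself or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))


def find_id_leaks(requests, profile_id, first_party):
    """Return (host, channel) pairs where the profile id reaches a third party."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        channels = {
            "url": req["url"],
            "referer": req.get("referer", ""),
            "cookie": req.get("cookie", ""),
        }
        for name, value in channels.items():
            # Decode percent-encoding so an id nested in an encoded URL is found.
            if profile_id in unquote(value):
                leaks.append((host, name))
    return leaks


if __name__ == "__main__":
    for host, channel in find_id_leaks(REQUESTS, PROFILE_ID, FIRST_PARTY):
        print(f"profile id sent to {host} via {channel}")
```
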

It is imperative to proactively inform, educate and warn your merchants to prevent them from engaging in these dangerous behaviors. These detrimental behaviors may ultimately lead to a security breach of both merchants and your company. I've outlined the three major merchant behaviors to carefully consider.

 

Never Repeat Your Credentials

It is vital to use different login credentials on social networking sites than on sites containing sensitive information. Merchants may log in to their virtual point-of-sale terminal or a processing platform with the same usernames and passwords they use for their social media accounts, leaving your platform vulnerable to hackers or information skimmers.

While visiting a group of risk professionals partnered with SecurityMetrics, one woman told an alarming story. She received a call from her issuing bank stating that close to $12,000 worth of purchases on her credit card were recently processed through a popular electronics e-commerce website. Each purchase was authenticated using the card brand's auto-authentication process. However, the shipping addresses of 15 separate items were different than the billing address.

As expected, she disputed each purchase and chargebacks were issued on every item. I inquired if she'd recently received any e-mails asking her to 'confirm' or 'authenticate' her login credentials, or otherwise requesting them, for any website she frequents.

This type of phishing scam is quite common and aims to collect data en masse for future use. Without pause she informed me that a major social networking website recently asked her to "update" her login information. My next question was, "Do you use the same login name and password on the electronics e-commerce website as your social networking site?" Embarrassed, she answered yes. Incidentally, her credit card information and billing address were stored on the e-commerce website for "easy in-and-out shopping."

 

Private Isn't Private Anymore

Although it is true that social networking sites take great pains to ensure user privacy, the same can't be said for users themselves. Privacy settings often remain at default levels while users add detail after detail about their private lives. This unknowingly leaves that private information in public view. That "private" information is now available to "scrapers," programs designed to search through thousands of profiles with the intent of harvesting specific details about individuals. Scrapers are common tools used to track and report consumer likes and dislikes (information specific to a user profile) on social networking sites, says Cary Snowden, president of Square Compass, a programming company in Utah.

Additionally, users who install applications, or "apps," are often unknowingly handing vast amounts of personal data to third-party app providers. Snowden explains that when you install an app, you are giving that app permission to share profile data with third parties. Further, many apps require supplemental information to access all the app's features. That data is provided outside the boundaries of the social networking website and thus is not subject to the social networking site's privacy rules. The data is then sold to whoever is willing to pay for it. These third-party providers often have highly sensitive data handed to them.

 

A Growing Threat

With the creation of social networking has come an increased awareness that this data exists and has great value. Kevin Mitnick, arguably one of the most famous hackers of the 20th century, was able to steal computer manuals from a Pacific Bell telephone-switching center in Los Angeles by duping the guard on duty into believing that Mitnick worked for Pacific Bell. He literally walked out with the instructions to the switching system, valuable information to someone who doesn't want to pay for long distance, not to mention priceless to one of Pacific Bell's competitors.

What about Sparky? Can you fathom the amount of destruction that may be dealt to one of your merchants if a criminal got hold of the data included in the posted photo about Sparky and his stay in Fort Myers? The criminal knows your merchant's name, their dog's name, what the dog looks like, where they live, and where they went on vacation last year. How many layers of security can a crook remove by acting as a trusted friend, vendor or service provider? Now factor in all the other information a merchant might provide. Often, merchants' social networking profiles share a business location, phone number, and e-mail address in an effort to be more available to anyone that might do business with them.

 

How To Stop Them

An educated merchant is a safer, more secure merchant. You may want to consider generating a brochure or newsletter to send to merchants educating them about these risks and potential dangers. Before writing the idea off as too expensive, too time consuming or too resource draining, consider the cost of a breach. Even a minor breach has the potential to financially devastate an organization. Audits, testing and remediation consume days, weeks and, most often, months. Organizational resources are taxed to their limits.

Education and prevention are a fraction of the cost of reactive action. Your merchants spend time on the same thing you spend time on: building a successful business. As professionals in your industries (as well as mine), we owe it to our customers to inform them of new risks that appear on the horizon before it's too late.

 


Sean Fuery is director of business development at SecurityMetrics Inc., an Orem, Utah-based payments security firm. His e-mail address is sfuery@securitymetrics.com.

 

