Hacking and identity theft are ubiquitous in the digital-driven age of retail.
In the last 25 months or so alone, at least 15 major retailers that are supposed to have outstanding cyber security in place have been breached, and their customers’ data such as credit card numbers and info has been placed in dire jeopardy. The core problem is “co-evolution”: as security measures and systems become better informed, so do hackers and their ability to thwart or breach systems. The game gets played over and over again.
We’ve written here before about how merchants can protect themselves and their customers against social engineers, who use “low-tech” methods for stealing highly sensitive customer information. With reports of successful, malevolent hackings continuing to make headlines at an alarming frequency, we thought that we’d like to look again and take a deeper dive into some best practices for how merchants can keep their websites and employee computers safer from the ever-vigilant cyber-eyes of criminal hackers out to steal customer information.
Astoundingly enough, research finds that the most egregious abdication of best online security practices might well be the creation of passwords by employees. Ben Laurie, who studies security compliance at Google Research in London, UK, has said, “Most people’s goal is not to be secure, but to get the job done. And if they have to jump through too many hoops, they will say, ‘To hell with it.’”
What Laurie means is that employees feel that they have too much else to think about and do than to have to worry about following a lot of security protocols that they might not personally understand. For all the finger-wagging advice that security departments and company officers give to employees about the importance of a “secure” password, too many employees (just like too many individuals) don’t care enough to figure out the very best. Maybe they’re afraid they’ll lose or forget a complicated password, or perhaps they just can’t be troubled, but a great many employees’ passwords are nothing but a joke to skilled hackers.
Don’t believe us? Here are the top 25 most often used passwords from 2017:
If you’re a hacker, you know all about this list, and if you’re targeting an employees’ computer these are the first 25 passwords you try out. It only takes a matter of seconds to run a script until you get the right one, and you’re going to be right a lot of times…because, hey, these are the most popular passwords that people use!
Not only are these passwords popular, they’re not hard to figure out just by wild guessing. They take no creativity and no individuality. They’re not at all complex and follow easy to decipher patterns (just start typing in “1q2w3e4r” or “zxcvbnm”, for example, to see the easy pattern).
Passwords must be better, a whole lot better, than those on this list, and security departments and the highest-ranking officers at companies must instill this sense in employees, while also having a policy in place for employees to follow. But, what should it be like?
Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University in Pittsburgh, Pennsylvania, says, “It’s easier for users to deal with password length than password complexity.” This goes against some “conventional wisdom” doled out to employees to just make up a long chain of randomized nonsense as a password. Employees do know that it’s more secure to have a password memorized than written down somewhere, and a long chain of randomized nonsense is excessively hard to memorize.
So, some truly good password creation advice would be to come up with a long password that makes sense to the individual, thus making it “memorizable” in spite of its length. Something like “Ecomplishrocksthehouse2018!” That’s a 27-character password which uses at least one capital letter, some numerals, and a punctuation mark. Its personalized, non-generic nature makes it that much harder to guess, too. Yet, it’s easy to memorize.
Make it a company policy to have all employees come up with that kind of password. Another part of your company’s policy could be mandatory password changes every 60 days (or some other reasonable period of time). Software could be installed on employee computers forcing them to come up with a new password or remain locked out of their own computers.
Besides a strong password policy, your company should look into the use of tokenization rather than just using encryption alone for electronic payments.
What’s the tokenization process? It means that sensitive information gets replaced by a “token”, which is just a randomly generated series of characters. Encryption alone involves some kind of ultimately logical mathematical encoding, but tokens comprise purely random numbers and characters. Tokens don’t have any mathematically decryptable algorithm or logic.
After getting tokenized, the data then gets stored in a token vault maintained by a third-party cyber security service provider. The vault contains not only the token but also the original payment data — which is itself encrypted. No one but the cyber security service provider can get entry into the token vault, which means that once created, a token can be kept and securely reused over and over again, such as for recurring billing. Whatever information a clever hacker may pilfer from in-transit data, it’s only going to be a totally random token of no value to him.
Finally, install specially designed business-grade anti-spyware and anti-malware software on all company PCs and devices. Spend the extra money here for the best software, not the stuff that’s got limited features or just designed for everyday individuals in their homes. Keep this software constantly updated.
Alright, follow these three “deep best practices” in your office, and don’t forget to check out how to keep those low-tech social engineering hackers sleepless at night.