If you’re talking about the internet, online transactions, and electronic payments, unfortunately, you don’t have to wait for winter for it to be “bug” season – there are always plenty of “viruses” and contagions to command your interest!
Among the lastest, are the Shellshock Bug, which we mentioned in last week’s newsletter, as it was breaking. As a Financial Express article sums it up: “Bash is the Bourne Again Shell (some programmers do pun) which runs on Unix and Unix-like systems. Think of it as the command line—the empty prompt where humans type commands. Bash’s command interpreter, which tells the machine what humans want it to do, is slightly broken. It keeps reading beyond the page. If, for instance, a script sets an environment variable and signals the end of the command, Bash wants to know more. And if a command to wipe the hard disk follows, Bash will silently execute it.”
Bad news indeed, but the same article says perhaps some calm is warranted, since the bug wasn’t announced publicly until patches had been devised. You can read it and decide on your own level of alarm. But even if traditional systems are safe for now, the so-called “Internet of Things” also runs on Unix programming, which the Bash Bug could exploit. This “Internet of Things is the new frontier for everything,” the article says, “including bugs. It will be interesting to see how its promoters deal with their first major bug. Internet servers and home routers are easy to patch remotely, since their owners and manufacturers know where they are and have an interest in protecting them. But swarms of objects like radio-tagged airline luggage, or clouds of chip-sized microsatellites that add up to giant remote sensing antennas, are somewhat autonomous.”
And speaking of “things,” Wired has a major piece about another security flaw we’d mentioned here, that affecting USB Data sticks. In some instances “the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware.”
As with the Bash exploit, a “bugged” USB stick could be used to take over whole systems and devices. And the problem is so many USB drives are already out there — it may be years and years before their use can be deemed reasonably “safe” again.
However, even bugs can be made vulnerable themselves in the face of a little prevention. But we’re not talking about getting enough exercise or taking your vitamins, in case. Rather, how you can protect the digital assets of your business, and your customers, from malware and infection.
Toward that end, MasterCard has issued tips on how to protect yourself from “phishing” attacks — the same kind of techniques used for the unfortunately infamous Target, Home Depot, and other consumer breaches.
We’ll be presenting MasterCard’s tips over the next couple of blog posts. This week, we focus on some advice about protecting basic ID information — including the MIDs, or Manufacturer’s Identification Number, found on the devices that create the very same electronic network your customers rely on. Among their tips:
*Never disclose MID numbers, terminal ID numbers, acquirer’s bank identification number (BINs), or anything else. After all, payment brands, like MasterCard and others, have this information already, and wouldn’t need it. If you get suspicious calls requesting such info, that’s the hallmark of a “phishing” expedition. What you might do instead is call your acquirer, or your processor (which would be us, here at AVPS), and report the call.
*Beware suspicious emails, or “surprise” technician visits, in addition to phone calls, that just don’t seem “kosher.” Once again, you should immediately contact your acquirer or us, at AVPS, to verify the request, or the visit. Tip-offs include any “unscheduled” terminal repair visits, requesting access to the point-of-sale (POS) equipment. There are times in life where surprises are welcome — POS equipment repair is not one of them.
*Limit employee access to numbers, like MID numbers, terminal IDs, or the acquirer’s BIN to help prevent the accidental leaking of such information. And of course, don’t physically post such information on registers, computers, terminals, other equipment, desks, etc. It’s not just a “handy reminder” — it may be a hand-off of the very keys to the kingdom, for someone who should never have them.
We’ll have more tips next week — tricks for you, to keep the “treats” out of the bad guy’s hands. As ever, contact AVPS with any questions or concerns.