Category Archives: PCI Compliance

06.22.17
by

Scam E-Mails: How To Tell

 

Recently PCMDX received a call from a business who’s bank account had been compromised.  Someone, using legitimate information, was able to gain access to the account and make transfers from the account to another account, and also made wire transfers to a third party.

The business had been told by the bank that their network had been hacked and that they should seek some help in securing their network, which is why they contacted PCMDX.  We focus providing network support for small businesses that have less than 15 computers, and one of our specialties is cybersecurity and compliance.

Although how the actors (the term used for the “bad guys” since they are “acting” as a legitimate party) were able to get the necessary information is still under investigation, it’s likely that it was given to them by one of the company officers via e-mail.

 

We recently received a scam e-mail and we’d like to share it with you so that you can learn how to determine if it’s a legitimate e-mail or not.  Please note:  If you’re not sure if the e-mail is legitimate, call the sender and ask them if they sent it, even if it passes all of the tests.  It’s better to be safe and verify authenticity than take a chance.

Here’s a screenshot of the e-mail we received, along with some notes (Click on the image for a full size view).  We blurred out information that is not relevant.

 

Let’s begin at the top.  The subject line “Please Read! (Final Warning) | 06/05/2017” sounds pretty threatening and will get your attention right away.  But it doesn’t indicate who it’s from or what it’s about.

If you look at Blue Arrow 1, you’ll see that it’s from “ACME account team”, followed by the e-mail address of “admin@MAIL.HAMILTONTN.GOV”.  (We’re going to use ACME as the alias for the name of the company).  So here you have two major clues that this is a scam.  First, the words ACME account team.  Any legitimate company will list themselves as ACME Account Team, with all words capitalized.  This is a major clue that this e-mail did not originate in the US (most scam e-mails are from overseas, where grammar is poor).

Our next clue is the e-mail address.  Although “admin” is legitimate, MAIL.HAMILTONTN.GOV is not.  That’s an e-mail server for the city of Hamilton, Tennessee.  It has a .gov domain ending, which can only be assigned to government entities, such as cities, counties, states and the federal government.  Why would ACME have this domain?  If it were a legitimate e-mail from ACME, it would end with something like ACME.com or ACME.net, not a .gov domain.

The body of the e-mail is actually very good, at least when it comes to scam e-mails.  It’s convincing, it has information in it that the typical person would consider to be legitimate.  However, as we get to the bottom, some red flags appear.

When you hover over a link (and the Blue Arrow 2 is pointing to two links, “Visit Help and Support” and “Login to My Account”), the bottom part of your browser, known as the status bar, will display the link that it’s pointing to, which we’re using the red arrow to point to.  In other words, when you click on the link, it’s taking you to the web site that is showing in the status bar.

This particular link is pointing to baltoo.com/ACME/index.php .   This should immediately sound an alarm with the person reading the e-mail.  The company that is sending this is ACME, but the domain it’s pointing to (the first part of the web address is always the domain) is baltoo.com .  Anything after the domain name is irrelevant, since that’s just the directory and folder inside the server it’s pointing to, and you can name that anything you want.  When you hover over the link, it should point to the company you’re trying to go to.  So it should read acme.com/Acme/index.php.

Once you click on the link, one of two things will happen.  Either you will be shown a very convincing site that is asking for your user name and password, or you will end up on poisoned site that will infect your computer with malware, such as a virus, a Trojan, or ransomware.  If it’s the former, you’ll enter the user name and password, and within minutes the actors will have gained access to your site (as they wanted to in this case), or perhaps gained information such as name, address, social security number, date of birth, etc. (under the guise of “verifying your identity”).

Recent studies have shown that firewalls, anti-virus programs, and other security software and hardware, although still crucial in preventing attacks, need to be supplemented by training of staff so they know what they should look for.  (That page also has a quiz you can take to see how much you know about phishing attacks – we scored 10/10.  How’s your score?).

Our companion site, Don’t Become Another Target lists dozens of examples of how companies, some billion dollar plus companies, were compromised not by technology, but by social engineering.  In other words, a con job either via e-mail or via phone.  Adequate training would have prevented many of the attacks.

If you’re a small business that doesn’t have an IT department, but would like IT level support, contact PCMDX today.  We’ll take care of your computer network and cybersecurity needs so you can take care of your business.  And don’t wait until you’ve been compromised.  The cleanup is much costlier than the prevention.

12.15.16
by

How the Massive Yahoo Breach Could Affect You.

On December 14, 2016 Yahoo revealed that 1,000,000,000 (that’s 1 billion) user accounts had been compromised in 2013, a year before they reported another breach that affected 500 million user accounts.

That’s 1.5 billion accounts that were hacked.  A company that employs 13,600 people in their IT department was hacked and user accounts from enough people to equal the population of North America, South America, Central America, Australia, Russia, Germany, and a few smaller nations, were compromised.

Yahoo engineer in server farm.

Why would hackers be so interested in the e-mail accounts of all these people?  They’re not.  Just like they are not interested in the Chicken Stamp accounts that were breached recently at KFC.

So what are they after?  Lax password security by those Yahoo and KFC account users.  If you’re like many people, you’ll use your e-mail account as a user name for most, if not all, of the web sites you frequent.  And if you’re like most users, you also use the same password for most of these sites.

By the way, Yahoo and KFC aren’t the only companies that have been hacked.  Our sister site, DontBecomeAnotherTarget.com keeps track of all major breaches.

So suddenly those Chicken Stamp accounts and those e-mail accounts begin to have more value, especially if those same user names and passwords are used at financial sites.

Some security sites are recommending that if you have a Yahoo account, it’s time to close it, including if you have an account that Yahoo administers (@att.net, @bellsouth.net).  You also need to change all of your passwords that are similar to your Yahoo/.att.net/.bellsouth.net. Now.  And you need to begin to practice safe online behavior.

What’s safe online behavior?  It’s

  • not using the same password at all web sites
  • using complex passwords that include upper and lower case characters, numbers and symbols
  • changing your password a few times per year (it’s recommended every six weeks, but a few times per year is better than not at all)
  • not writing your passwords down on a Post-It and sticking it to your monitor.  Use a password manager, like LastPass, Dashlane, eWallet
  • not clicking the little box that says “stay logged in” at sensitive sites
  • not going to dangerous web sites (adult content, gaming sites)
  • not opening attachments from people you don’t know
  • making sure your computer is patched with the latest updates
  • making sure you have a good anti-virus program.  And keep it current.

If you own a business and you’re doing your own IT support and security, you’re doing a disservice to not only your clients, but also your clients security, and your own security.  Studies show that 61% of people will not go back to shop at any business that’s been breached.  Contact us today to see how affordable expert IT support can be.

If you take credit cards, you’re required to be PCI Compliant, and that doesn’t mean checking all of the Yes boxes on the Self Assessment Questionnaire (SAQ), even if the answer is No.  It’s actually being compliant by making sure all of the items meet requirements.  Most businesses we visit to do our free PCI Compliance assessment are not even close to being compliant.  Most fail in every one of the 12 PCI DSS categories.  Contact us today if you would like to see if you’re compliant.  It costs you nothing to find out.

Regardless of whether you’re a business or a home user, this Yahoo breach should not be taken lightly.  You need to act on it today.

Contact us today if you need help.  Our engineers are the some of the most experienced in the Southeast when it comes to not only cybersecurity and SMB (Small Medium Business) IT support – it’s what we specialize in.  And PCMDX is one of the top PCI Compliance firms in the country.  If you’re a home user, we can help you as well by making sure your network is protected (yes, if you have a broadband router and multiple devices, you have a network), and all of your devices are protected.

Updated 12/15/16 10:56am CST to update link.

 

10.09.16
by

PCI Compliance – An Ongoing Process

Recently Computer World published what’s most likely the very best article dealing with PCI Compliance.  Not so much what it entails to be compliant, but what it takes to remain compliant.

http://www.computerworld.com/article/3126187/retail-it/the-ultimate-unanswerable-question-are-we-pci-compliant.html

 

The issue with PCI compliance is that the business network and the business environment is constantly changing and evolving.  There are 12 requirements in the PCI DSS.  In order to be compliant, all of these must be current all of the time.  Some remain static, meaning they don’t change.

Let’s take requirement No. 1: Install and maintain a firewall configuration to protect cardholder data. firewall-156010_640 Your PCI specialist installs and configures a firewall.  Once it has been configured properly, you’ve met the first requirement, right?  Well, sort of.  Assuming the firmware is current, and nothing changes in the network environment, the answer would be Yes, you’ve met the requirement.

Let’s go down to requirement No. 11:  Regularly test security systems and processes.  Inside this requirement is 11.1, which requires that a hardware inventory be kept up to date of all devices on the “protected” or POS network.  This is the network that handles all credit card transactions (your guest wi-fi, or any other network should NEVER be on the same sub-net as your POS traffic).  You just replaced or added a POS terminal.  Did you log it in the inventory, including the model and serial number?  If the answer is No, then you’re not compliant.

On that very same replacement terminal, you need to make sure that you have met requirements 5 and 6: Use and regularly update antivirus software; Develop and maintain secure systems and applications.  If you’ve added a location on the network for this terminal, the network diagram also needs to be updated.

Now let’s move on the the human factor in being compliant.  Each individual who handles credit cards must be trained in the methods of handling cards safely and securely, which is part of requirement 12:  Maintain a policy that addresses information security.  If you’ve hired a new employee, they must first be trained and sign-off acknowledging that they’ve been trained.  A copy of the signature page must go in their employee file.

The article in Computer World makes some outstanding points.  First,  you’re only compliant on the date that you last checked and updated (successfully) the requirements:

The reason why compliance is tied to the date the assessment was wrapped is that, in theory, any change at all to anything on the network could make that merchant noncompliant. I get that. It makes sense. But what good is PCI compliance if a retailer never knows if it is compliant? 

This is where PCMDX comes in.  We take it off your shoulders and put it on ours.  We let you worry about the prime purpose of your business, and we take care of the things that we’re good at:  Keeping you compliant.

Further more, as the article states, it’s the human factor that makes you (and keeps you) compliant:

But it (software) can’t track PCI compliance — which is a human-dictated state — any more than it can declare a system “secure.” 

PCMDX is the only company in our service area (Alabama, Mississippi, Western Tennessee, Florida Panhandle) that creates a plan for your company to become, and remain, PCI Compliant.  We will visit your site, examine your existing network, create a plan to make your network compliant, implement the plan, and then keep it maintained on a regular schedule.

Contact us today for a free, no-obligation consultation.  You’ll be glad you did.

 

 

 

03.03.16
by

Wendy’s 4 for $4 may hit more than your waist line

wendys

In January 2016 Wendy’s restaurants reported that they had suffered a breach in their network that handles credit cards.  The report included the following: “As reported in the news media in late January, the Company has engaged cybersecurity experts to conduct a comprehensive investigation into unusual credit card activity related to certain Wendy’s restaurants. Out of the locations investigated to date, some have been found by the cybersecurity experts to have malware on their systems.”

What this basically means is that someone had installed software designed to harvest credit card data (“malware”) on Wendy’s network, which is the same thing that happened at other retailers and restaurants over the course of the last few years.  Our sister site, DontBecomeAnotherTarget.com has a list of many of these merchants.

Some credit unions, according to the article, have said that this breach has already exceeded the fraud that the Target breach caused in 2013.

The worst part?  According to the article, “the restaurant chain hasn’t yet said how long the breach lasted — or indeed if the breach is even fully contained yet.”  What does that mean?  That means you don’t use your credit or debit card at Wendy’s.  Period.

It’s unknown if Wendy’s had passed their latest PCI DSS (Payment Card Industry Data Security Standard) prior to the breach, however post breach they are not compliant, since the malware should have been discovered during the required scans.

If you’re a merchant that takes credit cards, you’re required to be PCI compliant.  We’ve encountered so many merchants who don’t have their own IT department who are under the false impression that they are compliant because they’ve signed (or “attested” online) a form from their credit card processing company indicating that they are compliant.

The credit card processing companies, like every other portion of the credit card chain (Merchant>Processor>Bank) have to be compliant, but each entity is required to do their own PCI Self-Assessment Questionnaire (SAQ).  The credit card processors will have the merchant sign/attest a form that indicates that the merchant knows they have to be PCI Compliant, even if the merchant has no clue what that is.  Once the merchant attests to this, the credit card processor has fulfilled their obligation.  If a breach occurs with the merchant, all the credit card processor has to say is “But you signed that you were PCI compliant” and they’re off the hook.

PC Medics of Alabama (PCMDX) specializes in SMB (Small to Medium Businesses) PCI Compliance.  If you process under 6,000,000 transactions per year, PCMDX can make sure you’re compliant.  If you’re not compliant, we’ll take the necessary steps to make sure you become compliant.  We then take care of your SAQ, and we make sure you remain compliant.

Our client base includes restaurants, dentists, doctors, and various other merchants, so our experienced staff can handle any merchant that takes credit cards.  Call us today for a free visit and estimate on how you Don’t Become Another Target. And if you don’t have a dedicated IT department, we can handle that for your as well, which let’s you concentrate on your business, while we take care of your IT needs.

01.23.16
by

Your credit card got hacked…how did it happen?

We read every day stories about people’s credit cards that were “hacked”.  We put the word hacked in quotes because it’s really not the correct term.  The better word is breached.

Regardless of the what you call it, the bad guys got your credit card number and now you have to jump through a bunch of hoops in order to fix it, from calling the credit card provider, to looking over your statements to see where all the bad guys used your card.

But how did you get here?  Where did the bad guys get your card?  When did it happen?  What method did they use?

First thing’s first.  It most likely didn’t happen recently.  Unless you lost your card, chances are your card was compromised weeks, if not months ago.  So don’t blame the last place that you used your card.  Not only did they probably not have anything to do with it, but you’re also making possibly a slanderous statement against that company and could find yourself in legal trouble.

The card may have been compromised at a merchant who was not PCI Compliant, a requirement for any merchant who takes credit cards.  Unfortunately, many merchants don’t have a clue that they need to be compliant, or under the assumption that they already are, based on wrong information they are receiving from their credit card processor.  Here’s some simple facts:

  •   No breach has ever occurred at a merchant who was 100% PCI Compliant.
  •  All breaches that have occurred were at merchants who were not PCI Compliant.  

The card may have been breached at a gas station or ATM that had a skimmer installed.   This method collects card information for a period of weeks or months.  The bad guys (and girls) then take the numbers and encode them on pre-paid credit cards they purchase at a drug store, and go on shopping sprees.  The length of time between the skimmed cards and the using of the accounts could be a few months.

Banks have become smarter when it comes to compromised accounts.  Many years ago when a card was compromised, the victim would find charges that were made in other states or even other countries.  Today, if there’s suspicious activity on an account, often times the bank will call the account holder and ask them if they are in another state.  If they are not, they will not authorize the transaction.

Because the banks are now monitoring accounts, the bad guys are adapting.  Usually, if a card holder is based in a particular ZIP code, the bad guys will harvest all of the account numbers for that area, then descend on that area and begin to use the compromised accounts in that area.  That raises less suspicion with the banks.  However, the time between the breach and the using of the account can be weeks or months.

Here’s a great article that gives you a very detailed view on credit card breaches.

If you’re a merchant who takes credit cards and are not sure if you’re PCI Compliant, contact PC Medics of Alabama today at 205-201-0389 or via e-mail a info@pcmdx.net for a free consultation.  Our PCI Compliance experts will go over your network and give you recommendations on how to become compliant.