PCI, Passwords & Aggravation
With June 30th creeping up on us we are rushing to upgrade websites, upgrade servers, secure mail, block port access, require password strength and rotation and, of course, block hackers from websites. PCI/DSS compliance is a daunting thing; it looms over our heads as the potential to be heavily fined for not obeying its standards. Some shop owners, like ourselves, have been obeying these standards for many years already. Others are just getting started or are still in denial.
Interestingly, not all of our clients are thrilled that we are, and will continue to be, delivering the safest PCI compliant hosting that we can. We update clients as we continue down the road to maintain our servers' PCI/DSS compliance. In response to these updates about new password strength requirements, requiring that clients keep their software up to date, etc., we have received a mixed bag of mostly aggravated feedback. We have been yelled at, complained about publicly, and some clients have even moved their websites to avoid PCI.
I do wonder what these folks will think when June 30th passes and their merchant bank fines them, suspends their account or uses any of the other power plays the merchant banks will possess to force PCI/DSS compliance among their account holders. I also wholeheartedly hope that this will create an opportunity for the PCI ready and already compliant merchants in the marketplace. Historically speaking, it will create financial opportunities for the PCI compliant vendors who will still be able to process credit card transactions... while the "non believers" use PayPal as they scramble to attain compliance so they can again accept credit cards.
So starting today with this post, we are going to cover the PCI/DSS basics in detail for shop owners to make better choices and start/continue down the road to compliance. Today's topic is your own computer's security.
Why does it matter that I have secured my PC, it's not hosting my website you know?
Ahhh, this one is such a fun question! I could point to over 50 cases in the last 2 years where a client's failure to maintain their own personal security has allowed their websites to be hacked, but I would prefer to cover some basic security techniques to prevent it instead. By the way, if you use a Mac and think you are exempt, you are dead wrong, no matter what the "Apple Guy" tells you. In checking the numbers, about 20% of the hacks originating from the website owner were using a Mac. Given that only a small percentage of people use Macs, this is really quite high! I think that Apple has gone out of their way to create a false sense of security among its users... But, in the end, it is you... who owns the computer who is at fault, not Apple.
There are several areas you need to observe to manage your own personal security. I will break these down in a simple format and hope to help you be more secure and protect your shoppers better.
I am still in complete AWE when clients, whom we don't even know, shoot us access information in an email! Worse yet, we get the email from a Hotmail or other free account and the username is admin and the password is password01..... Really scary! This post How I’d Hack Your Weak Passwords is a MUST read.... it will scare the crap out of you... as it should.
Really Simple Password Rules to Live By:
- Never use real words; if you must use a word, make one up. Using names and known words makes hacking your password a piece of cake!
- Always use numbers, letters (mixed case) and punctuation when possible.
- Always make your passwords a bare minimum of 8 characters... 12 is much better.
- Change all passwords every 60-90 days.
- Never create a shared login with the same password for multiple users... every user needs their own unique login.
- Passwords must not be transmitted over the Internet by e-mail or any other form of communication, without being encrypted.
- Passwords should never be written down or shared with anyone.
- Use different passwords for each website or application.... at the very least DO NOT use your hosting access passwords ANYWHERE else, ever.
- You must log the dates of password changes and who has access to anything coming in contact with your website.
I had to post this chart to demonstrate how quickly simple passwords are cracked; it is rather eye opening.
| Password Length | All Characters | Only Lowercase |
|---|---|---|
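As an added example (not code from the original post), the following Python checks a password against the rules listed above, flags accounts in a password-change log that are past the rotation window, and computes the brute-force search space that the chart illustrates. The short word list, the 90-day cutoff, and the sample accounts and dates are constructed for illustration.

```python
from __future__ import annotations
import string
from datetime import date

# Assumed thresholds taken from the rules in the post: 8 characters minimum,
# rotate within 60-90 days (the upper bound is used here).
MIN_LEN = 8
ROTATE_DAYS = 90
# Constructed sample of "real words" to reject; a real deployment would load a
# full dictionary or breached-password list instead.
COMMON_WORDS = ("password", "admin", "welcome", "letmein", "secret")

def check_password(pw: str) -> list[str]:
    """Return the rules from the post that pw violates (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters (12 is recommended)")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("needs both lower- and upper-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs punctuation")
    # Strip everything but letters so "password01" is still caught as "password".
    core = "".join(c for c in pw.lower() if c.isalpha())
    for word in COMMON_WORDS:
        if word in core:
            problems.append(f"contains a real word: {word}")
    return problems

def rotation_due(last_changed: str, today: str) -> bool:
    """True once a password (dates as YYYY-MM-DD) is older than the rotation window."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > ROTATE_DAYS

def rotation_report(change_log: dict[str, str], today: str) -> list[str]:
    """Accounts in the password-change log that are overdue for a new password."""
    return sorted(acct for acct, changed in change_log.items() if rotation_due(changed, today))

def brute_force_guesses(length: int, charset_size: int) -> int:
    """Candidates an exhaustive search must try: 26 for lowercase-only, 95 for all printable."""
    return charset_size ** length

if __name__ == "__main__":
    print(check_password("password01"))    # the weak example from the post
    print(check_password("Xq7!mzRv2#Lp"))  # passes every rule
    # Constructed change log: who holds access and when each password last changed.
    log = {"admin": "2010-03-01", "bookkeeper": "2010-05-01"}
    print(rotation_report(log, "2010-06-30"))
    for n in (8, 12):
        print(n, brute_force_guesses(n, 26), brute_force_guesses(n, 95))
```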
SECURING YOUR COMPUTER
This one can be quite challenging; there are so many things to do. The list I am about to provide you is really a short list of the things you really must do.
- Keep ALL software on your computer up to date, especially Adobe products. The Secunia Online Software Inspector (OSI) will check them for you, for free.
- Use a great virus scanner; I highly recommend McAfee. Trend Micro has a decent product, but there have been countless times when we were cleaning up a hacked website, scanned the local files with Trend Micro on the intake computer, and McAfee then found viruses in them afterwards.
- Virus scanning isn't enough, you need a firewall... again, McAfee's firewall and real time scanning is really superb.
- Some infections are not viruses and will not be caught by a virus scanner. Malware, BHOs and other dangerous scripts can infect your computer just from browsing the Internet. We suggest Malwarebytes to scan for these dangerous items. It's also free.
- Change your network passwords, including router, modem, login, etc., every 60 to 90 days, and make them strong passwords as well.
- Turn OFF WiFi on your work computers... at the very least secure your wireless network. PC World has a simple post to step you through securing your WiFi here.
- Remove unnecessary software from your computer, especially ones that reach out to the Internet.
- Clear your browsing history, cache, cookies, etc. every day. We use CCleaner to do so; it's also free. If someone gains access to your machine, some of your juiciest information is stored in your Web browser's cache. There is enough in almost every browser on earth to engineer a social breach. In other words, a hacker could gain access to your personal data and then use it to pose as you.
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?
It is your duty to secure your devices, restrict access and manage your own personal security to protect your customers.