What Mashable Missed: Fraud Isn’t the Only Risk for Small Businesses Accepting Mobile Payments
Last week, BusinessNewsDaily (a publishing partner of the web-renowned Mashable), ran a story outlining the increased risk that small businesses face over large businesses in the area of mobile payment acceptance. The post references a study by LexisNexis and Javelin Strategy & Research that found that small businesses using mobile apps, browsers, or mobile POS systems experience more fraud than larger businesses because they don’t invest in the same fraud-prevention solutions. But fraud prevention isn’t the only thing that small businesses tend to forgo; they’re also more likely to skip cyber-protection because they don’t think they’ll be targeted. However the unfortunate truth is that small businesses tend to be a favored target for hackers because they tend to lack security.
It’s pretty common knowledge that retail is the most popular target for hackers, and with businesses embracing new mobile payment technology they have multiple employees that essentially have cash registers in their pockets. More registers mean more points of attack, and if you’ve followed the Target breach you know that POS systems are becoming a favored target. Mobile POS systems are simply another (potentially more vulnerable) form.
According to a 2012 case study by CardConnect partner, Trustwave’s SpiderLabs, points of weakness in mobile POS systems include:
- Bad authentication
Some POS applications allow employees to login using just their employee ID rather than a secure password. This can allow an intruder to login without even using a hacking tool—and since most IDs are four digits, there are a totally manageable number of combinations hackers can attempt to force their way in.
The solution:
Use proper username and passwords for login and encrypt all device databases and files
- Bad transaction handling
These devices allow both positive and negative transactions. The problem occurs when business owners assume that only their employees will ever have access to these devices and that every negative purchase is always a return. It can be quite simple for a skilled hacker to infiltrate this system and, for example, apply an arbitrary discount of $10 to a $7 purchase, giving them $3.
The solution:
Require a digital signature to prevent hackers from altering data in transit.
- Bad credit card handling
Some cheaper mobile card reading devices do not encrypt at the point of entry, leaving unencrypted card data residing somewhere within the software, vulnerable to attack.
The solution:
Never accept manually entered card information unless you are certain it doesn’t store unencrypted card data, and never use a card reader that does not encrypt data in the hardware.
The best thing small businesses using a mobile POS system can do for the security of their customers is to operate under an assumption that they will be compromised and to make every element as secure as possible. Businesses that receive payment through mobile applications aren’t off the hook either, as a 2012 study revealed that 92% of the top 230 iOS mobile apps and 100% of those apps on Android have experienced a breach. But with the right security in place, there’s no reason you have to suffer the same fate.
If your business is looking for a secure mobile POS or mobile app solution, contact us here.