Thursday, July 30, 2009

Why You Don’t Surf the Web on Payment Workstations

Some clients have asked me why I’m such a pain in the ___ (insert your favorite body part here) about letting them use their workstations to enter card transactions. I’ll give you the answer: it is so you remain safe. Here’s an example why…

I was reading a recent article in Dark Reading about a new Trojan called Clampi that is specifically targeted at businesses like yours. It is designed specifically to identify and steal financial information. The Trojan is incredibly sophisticated, seeking out and collecting administrator credentials and financial account data. It has already been used to execute successful thefts by transferring funds.

Want to know how good this thing is? The criminals behind it are not selling it to other less sophisticated bad guys as is the usual case. No; this thing is so good they are keeping it just for themselves. I don’t know about you, but that part particularly scares me.

How do you protect yourself? Anti-virus programs won’t be much help. This Trojan hides itself pretty well, plus it detects which AV product you use and takes steps to avoid being found. An intrusion prevention system (IPS) can help, but they’ll probably find a way around that pretty soon.

Is this beginning to sound like swine flu meets Friday 13th in a train wreck???

The best way to avoid it is to assume the worst: do not use any computer you use for financial transactions to surf the web. And yes, I mean that even if you use a whitelist. An expert quoted in the article said: "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing. You can't have any crossover between them."

That’s why I tell my clients – and I’m telling you – do not permit web surfing or email on any machine you use for card transactions. Period. That includes cashiers, finance staff who process exception items, development fundraisers, hotel front desk clerks…anybody. Somebody reminded me this week of the old line: just because you’re paranoid, that doesn’t mean they really aren’t out to get you. In this case “they” are the bad guys – criminals. And they really, really are out to get you. Don’t make it easier for them.
