This morning I grabbed a new laptop and took a trip to a few dealerships in my area to check out security. As a former coder I’m not up to speed with the latest hacking techniques, but I thought it would be interesting to see how much data I could get from these stores. Now, before the privacy advocates go crazy here, let it be known that this was a controlled experiment with a hard drive in the laptop that was wiped clean by our security team immediately following the test. No data from any customers of these dealerships was reviewed or looked at beyond a cursory glance, and no staff member at iMagicLab had any access to anything. I went to 5 stores at random that did not use iMagicLab software and with which I had no relationship whatsoever. Each store in the test did not know me, did not actively participate and probably would be really pissed off that I was doing this. At no time did I break any laws or use any devices or programs to enter into a network without authorization. With all the appropriate caveats in place, let’s look at the methodology and test results:
The Method
I decided before I started this that I would try the same techniques on each store. To make it fair I did them in the same order and in the same way. I was going to wear a lab coat as well but I thought that might stand out. Here’s what I did:
· I scanned for a wireless network and if it existed I tried to connect to it
· I went into each dealership and asked if I could use their internet connection to check my email
· I used a freeware packet sniffer to detect and record network traffic
· I used a printer reverse decryption program to read documents intended for a printer
· I spent zero money on software products beyond the Vista software on the machine
· I used the built-in Windows networking features to check out anything I could that was freely available without a password. If the file, directory or computer had security on it I made no attempt to open it or download it.
The Results
If you have a seatbelt on your office chair, now would be a good time to buckle up: the results are really unbelievable. I’m chomping at the bit to write the conclusions section, but I won’t if you promise that you will read to the end:
· 5 out of 5 dealers had wireless networks at the dealership. 4 out of the 5 actually had multiple wireless access points, and in ALL cases I was able to access the dealership network by simply hitting the “connect” button. It’s important to note that some of these networks were ‘ad-hoc’ networks and were obviously created for the use of one or two people using a $60 USB instant wireless network product (the kind used by many consultants and trainers to run their laptops).
· Every store let me hook up my laptop to their network without objection. Two stores actually instructed staff to get me a private room and a network cable.
· Packet sniffing each of the networks was like being in a Harrison Ford movie. Social Security numbers, credit results and huge amounts of personal information just started streaming into my machine. All of the dealerships I sampled offered a huge amount of data available for the asking.
· Printer page interception was more difficult but offered far more data than the packet sniffing. Where the packet sniffing needed to be assembled after the data was downloaded, the printer was always sent a complete page of information. It was very easy to get a nice package of info on every customer who was penciled or bought a car.
· File downloads from unsecured directories included reams of pornography, staff reviews, customer spreadsheets and just about everything you can imagine. Several computers had text files or Excel spreadsheets including passwords for store systems, etc. There was virtually no security anywhere once on the network.
What You Can Do
It’s really very simple: hire a security consultant and adopt a Security Strategy like this:
Layer 1 - A dedicated, private Internet connection.
A dedicated Internet connection, such as a T1 service, will reduce the amount of unwanted attacks by about half.
Layer 2 - Only use Internet-based software that is truly secure
You know that little lock in the browser that says you are secure? Did you know that companies can buy that “security” for $199 without any background checks or technology? Scary but true: those certificates do nothing to tell you that the company you are dealing with has done anything to secure your data. Only the new EV certification or higher can really be trusted to make sure your data is safe and that the company you are dealing with is real. Log in to eBay or PayPal and look at the address line in Internet Explorer (7 or above). See the green address bar? Green means go; anything else is a deal stopper.
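An added example (not from the original post, and not any vendor's code) of the structural difference this paragraph relies on: an EV certificate's subject must carry the organisation's registration details, which a domain-validated certificate lacks. It is written in Python against the dictionary shape that `ssl.SSLSocket.getpeercert()` returns. The two sample certificates are constructed here, the attribute names `businessCategory`, `serialNumber` and `jurisdictionCountryName` are assumed to be the long names OpenSSL emits for those fields, and the classification is a heuristic, because browsers decide EV status from the certificate-policy OID, not from subject fields.

```python
import socket
import ssl
from typing import Dict, List, Tuple

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV
# certificate and that a domain-validated certificate does not carry.
# Assumption: attribute names as OpenSSL's long names, which is what
# ssl.getpeercert() emits for these fields.
EV_SUBJECT_FIELDS = (
    "organizationName",
    "businessCategory",
    "serialNumber",            # company registration number, not the cert serial
    "jurisdictionCountryName",
)


def subject_fields(cert: dict) -> Dict[str, str]:
    """Flatten the 'subject' entry of a getpeercert()-style dictionary.

    getpeercert() nests the subject as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; a plain name -> value map is enough here.
    """
    fields: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def classify_certificate(cert: dict) -> Tuple[str, List[str]]:
    """Return ("ev" | "ov" | "dv", missing EV fields) from the subject alone.

    Heuristic: a DV certificate carries only a commonName, an OV certificate
    adds organizationName, and an EV certificate adds the business category,
    registration number and jurisdiction.  Browsers decide EV from the
    certificate-policy OID against their EV root list; this offline check
    does not, so read "ev" here as "has the EV-shaped subject".
    """
    fields = subject_fields(cert)
    missing = [name for name in EV_SUBJECT_FIELDS if name not in fields]
    if not missing:
        return "ev", []
    if "organizationName" in fields:
        return "ov", missing
    return "dv", missing


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live, chain-validated certificate for a host (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns; not real certificates.
DV_SAMPLE = {
    "subject": ((("commonName", "www.example-dealer.test"),),),
    "issuer": ((("commonName", "Example Budget CA"),),),
}
EV_SAMPLE = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "C0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Dealer Group, Inc."),),
        (("commonName", "www.example-dealer.test"),),
    ),
    "issuer": ((("commonName", "Example EV CA"),),),
}

if __name__ == "__main__":
    for label, sample in (("budget cert", DV_SAMPLE), ("EV cert", EV_SAMPLE)):
        kind, missing = classify_certificate(sample)
        print(f"{label}: {kind}  missing EV fields: {missing or 'none'}")
```

To check a live site, pass the result of `fetch_certificate(host)` to `classify_certificate`. The missing-field list is the useful output: it says which of the organisation details a cheap certificate never had to prove, which is exactly why the lock icon alone tells you nothing about who is behind the site.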
Layer 3 - Make sure your DMS is secure
I could write here for hours, but the Reader’s Digest version is that most of the technology nearly all stores use to safeguard their customers’ information is woefully outdated and has more holes than Swiss cheese. Call your vendor, conduct an INDEPENDENT security audit and make whatever changes you need to. Almost 50% of the data I was able to get came directly from the DMS systems in those stores. It’s just frightening.
Layer 4 - Securing the LAN with a reliable firewall capable of handling today's "Blended Threats"
A firewall that analyses data in real time and monitors all traffic coming in and out of the dealership's Internet connection will help protect sensitive data. Intrusion methods change with technology. Dealership firewalls must be able to identify the traffic going through them and determine whether that data is wanted, safe and secure enough to deliver to the end user. Moreover, a managed firewall with timely updates will keep the dealership current with the newest technologies and threats.
Layer 5 - Securing the LAN through a repeating process of monitoring and adjusting
A security program is only as good as the party that monitors the attacks and adjusts the security policy appropriately. Without this continual process of monitoring and adjusting, a dealership will fall further and further behind, putting itself at high risk.
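Layers 4 and 5 together describe a loop: inspect traffic, decide whether it is safe to deliver, and adjust the policy from what you see. The following Python is an added example, not code from the original post, that runs that loop over a handful of constructed flow records of the kind the results above describe: it flags sessions on cleartext services, raises the severity when an SSN-shaped value is visible in the payload excerpt, and turns the high-severity findings into candidate firewall rules. The log format, the port table and the sample records are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Destination ports whose services carry payloads in cleartext.  Assumption: a
# starter table for this example; a real one comes from the store's inventory.
CLEARTEXT_PORTS = {
    21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap",
    515: "lpd print spooler", 9100: "raw printer port",
}

# SSN-shaped token with the SSA structural rules applied: area not 000, 666 or
# 900-999; group not 00; serial not 0000.  Zero-filled placeholders are rejected.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed log format for this example: one flow record per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'proto=(?P<proto>\w+) bytes=(?P<bytes>\d+) excerpt="(?P<excerpt>[^"]*)"$'
)

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int
    excerpt: str

@dataclass
class Alert:
    severity: str  # "high" or "low"
    flow: Flow
    reason: str

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"],
                int(m["bytes"]), m["excerpt"])

def assess(flow: Flow) -> Optional[Alert]:
    """Layer 4: is this flow safe enough to deliver as-is?  Encrypted or unknown
    services get no alert; a cleartext service gets a low-severity alert, raised
    to high when an SSN-shaped value is visible in the payload excerpt."""
    service = CLEARTEXT_PORTS.get(flow.dport)
    if service is None:
        return None
    if SSN_RE.search(flow.excerpt):
        return Alert("high", flow, f"SSN-shaped data visible in cleartext {service}")
    return Alert("low", flow, f"cleartext {service} session")

def review(log_lines: List[str]) -> List[Alert]:
    """Run the assessment over a batch of records, skipping malformed lines."""
    alerts: List[Alert] = []
    for line in log_lines:
        flow = parse_flow(line)
        alert = assess(flow) if flow is not None else None
        if alert is not None:
            alerts.append(alert)
    return alerts

def proposed_rules(alerts: List[Alert]) -> List[str]:
    """Layer 5: turn high-severity findings into candidate firewall changes,
    one rule per (destination, port) so a repeated leak path is listed once."""
    seen = set()
    rules: List[str] = []
    for alert in alerts:
        key = (alert.flow.dst, alert.flow.dport)
        if alert.severity != "high" or key in seen:
            continue
        seen.add(key)
        rules.append(f"deny tcp any -> {alert.flow.dst}:{alert.flow.dport}"
                     f"  # {alert.reason}; move this service to an encrypted channel")
    return rules

# Constructed sample records (not captured traffic).  The SSN is the well-known
# invalid sample value 078-05-1120; 000-12-3456 fails the area-number rule.
SAMPLE_LOG = [
    '2008-03-14T10:02:11 src=192.168.1.25 dst=203.0.113.10 dport=80 proto=tcp bytes=4120 excerpt="applicant_ssn=078-05-1120&score=712"',
    '2008-03-14T10:02:15 src=192.168.1.25 dst=203.0.113.10 dport=443 proto=tcp bytes=9876 excerpt=""',
    '2008-03-14T10:03:40 src=192.168.1.31 dst=192.168.1.200 dport=9100 proto=tcp bytes=61234 excerpt="CREDIT APPLICATION  SSN 078-05-1120"',
    '2008-03-14T10:04:02 src=192.168.1.31 dst=192.168.1.5 dport=21 proto=tcp bytes=220 excerpt="USER dmsbackup"',
    '2008-03-14T10:05:19 src=192.168.1.40 dst=203.0.113.22 dport=80 proto=tcp bytes=300 excerpt="batch=000-12-3456"',
    'this line is not a flow record and is skipped',
]

if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity:4}] {a.flow.ts} {a.flow.src} -> {a.flow.dst}:{a.flow.dport}  {a.reason}")
    for rule in proposed_rules(found):
        print("rule:", rule)
```

Two design points are worth noting. The raw printer port gets the same treatment as a web form, because a print job is just another cleartext payload leaving a workstation; and the proposed rules are candidates for a person to review, not changes applied automatically, which is the "party that monitors and adjusts" the paragraph describes.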
Layer 6 - Securing PCs with reliable anti-virus/spyware protection.
Security starts from within the dealership. Since a network will be compromised at its weakest link, each PC must have up-to-date anti-virus protection. A corporate anti-virus solution is the best fit for dealerships of all sizes. Many of today's corporate anti-virus solutions also include spyware and key-logger protection.
Layer 7 - Employee background checks, monitoring and education
Most theft occurrences start from the inside out. Usually this can be prevented by properly educating employees on ways in which they can help protect the company’s privacy and their customers’ privacy. Examples include social engineering, proper passwords and storage of passwords, remembering to log out, and locking their workstation when they leave. Background checks are absolutely necessary, as our industry tends to employ folks that need money. Did you know that mortgage companies buy credit applications from salespeople for $10 per app? It gets worse, and you need a real plan to make sure your staff is not working against you on the side.
While no dealership can be "completely" safe, securing each layer of the dealership is the best way to reduce its risk from threats inside and outside the dealership and to mitigate any liability from acts committed by attackers. Turning to experts in security, technology and dealership infrastructure is the best way to make sure the dealership is better protected.
The Conclusion
Do I even need to write this now? While the results of this security audit were expected, the depth of negligence was startling. Privacy and data safeguards are buzzwords that every dealer talks about or hears almost monthly, but few actually take seriously. I know I don’t need to write this, but the implications for the business and its customers are enormous. All the manufacturers have programs dealing with store security, but here in Northern California, where you’d expect security to be up to speed, it’s obvious that dealerships just don’t get it. Make it your business to be secure and then make sure your customers know they are secure. In all the horror stories about car dealers, the last thing we need is massive identity theft that can be traced to our stores.
It’s not too late: Call me, call someone, call anyone and get your dealership secure.