You might think CarriersEdge is strictly a company that provides driver-training tools and insight on HR best practices for trucking fleets. But, in reality, we’re first and foremost a technology company. We have to be, since our courses, our modules, and billing/payments need to be secure for our fleet customers. We can’t have data breaches; we can’t be a weak link for our customers when it comes to IT security.
So I pay close attention to what’s happening in the security world. Several weeks ago, we had another embarrassingly large and public breach of private information. This time it was Capital One, with 100 million people in the U.S. and 6 million in Canada affected. Earlier it was Target, LinkedIn and Equifax – just to name three others. CBC had a great story about the fact that at this point we’ve all been hacked and our data is out there, whether we like it or not.
Every time a data breach happens, people are shocked, wondering why it continues to happen. Yet those same people are often the ones perpetrating the behavior that makes this kind of breach not only possible, but easy.
All industries struggle with this, and transportation is no different.
Unfortunately, I was reminded of that several times, which is what's prompted this column. Over the course of a week, more than five different organizations – companies many of you have worked with – asked me to send credit card details through email. They weren’t all in the trucking industry – a bank and a “name” hotel chain were also culprits – but several were. This is a massively insecure practice that's also a direct violation of the Payment Card Industry Data Security Standards (PCI DSS).
The PCI DSS outlines all the things that an organization accepting credit cards has to do to keep those cards safe. If an organization is set up to receive payments by credit card, they're required to follow these standards, which change regularly as business and technology evolve. One part of the standard that's been consistent since the beginning is the basic rule that you never send (or ask customers to send) card information through unsecured networks. Email sent over the public internet is pretty much the epitome of an "unsecured network."
In other words, every one of these organizations asking me – and no doubt many of you – to send credit card data by email is violating the terms of their card processing agreements. When this happens, I get on the phone. I point out to them that they're not supposed to be asking for this information, but it seems I always get the same answers from the front line staff I'm dealing with: “This is how we’ve always done it." “No one else has complained." Or “What other options are there?”
Those responses demonstrate a huge gap between what the organizations are supposed to be doing (and what they're probably telling the card processors they are doing) and what's actually happening in their daily operations. That gap, and the giant lack of knowledge that it represents, helps explain why these hacks keep happening.
A "Hack" That Isn't A Hack
I think that even calling them hacks is unfair. So far, data thieves haven’t had to work very hard to break into the networks and collect the data that's lying around. If you look at what actually happened with all of the public debacles, you’d see that it hasn't been secure, encrypted data that’s been compromised. It’s always been bad data management, private info stored in plain text, and terrible internal processes. It's not like a movie where hackers have to crack some complex secret code to decrypt massively secure systems. They're just exploiting known bugs in existing software (that weren't patched as they should have been), then grabbing unencrypted information and leaving. That barely qualifies as "hacking." After all, if you knew there were thieves in your neighborhood and still left your bike on the front lawn, you wouldn’t call the inevitable robbery a break-in or home invasion; you'd call it stupidity.
Sending sensitive info through unencrypted email is just as careless. Internet email travels through a variety of systems en route from sender to receiver, and since you can’t control those intermediary systems, you have to assume they’re not safe.
There are some organizations where the staff is so poorly trained that they don't know they shouldn't be asking for card info by email. The data handling processes are so bad that they don't have a better option readily available, and their internal controls are so weak that the presence of card data collected through email hasn't raised any red flags. That really makes me wonder what they're going to do with my card info once they get it.
I can call in and give the details directly to a company rep, but there's a good chance they’re writing it down on paper somewhere and leaving it lying around. Even if they enter it directly into their system, it may not be much better. If the data is stored unencrypted, it's no safer in their database. Having everything stored in a badly designed database might actually increase the risk. If it's all in one place – an unencrypted, easy to copy file – it's ripe for someone to steal and sell on the dark web.
As someone who runs an organization that stores credit card data, and spends a lot of time making sure it’s handled securely at all times, I find this maddening. We've invested significant effort in designing encryption processes, we go through regular third-party reviews, have monthly vulnerability scans, and train front-line staff on the rules and best practices of secure data management. So when I see all these other companies being so lax with their processes, it's highly infuriating.
Staying Positive – How to Protect Yourself
Now that I have you justifiably rattled, are there things you can do to protect yourself and your company?
Here are three simple things to remember, and it would be wise to share them with anyone in your organization that makes purchases on your company’s behalf:
1. Never send any sensitive info through external email. Sending from one user to another within your company may be okay, but don’t send it to an outside user, or vice versa. (Sensitive info includes credit card details and any other data that could be used for identity theft, like driver’s license and SSN/SIN.) If someone asks you to send card info through email, DON’T DO IT. Pay through some kind of secure payment processing system, direct deposit (ACH or EFT for corporate, email money transfer for personal), or call them and provide the card info over the phone (which, as noted above, may only be marginally better). Some credit cards allow you to create a temporary card number for a specific purpose, and that’s great as well.
2. Don’t save your credit card details on a site that isn’t trustworthy. Entering card info when making a secure purchase is pretty common, but it's not always a good idea to save the card info into your account for later use. Everyone offers that option, but it's rarely a good idea to use it. If the vendor is in a space not known for internet security (e.g. hotels, brick and mortar retailers) it's particularly risky. Vendors in the cloud hosting business, like Amazon, Microsoft, and similar companies that are highly focused on encrypting and securing data, are less likely to be sloppy with it, so they're generally safer. That's a small group, though, so you have to be very careful.
3. Don’t even enter any private info into an insecure web form. That’s a simple one. Watch for the little lock icon in the browser address bar and don't enter anything sensitive if you don't see it. On today's web, however, even the lock icon indicating a secure connection is just barely sufficient. Any serious ecommerce site should have the green lock icon, indicating enhanced protection and security. Of course, if your browser warns you about the site, or says there's a problem with the certificate, then definitely avoid entering private info.
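The control behind tip 1 is usually enforced on the mail gateway: an outbound filter that spots card numbers and either blocks the message or masks the number down to what PCI DSS allows on display (first six and last four digits). The example below is added here to show how such a check works; it is not CarriersEdge code, and the email body is constructed and uses a well-known test card number rather than a real one.

```python
import re
from typing import List

# Constructed sample of the kind of outbound message a DLP filter would inspect.
# 4111 1111 1111 1111 is a standard test PAN that passes the Luhn check, not a real card.
SAMPLE_EMAIL = """Hi, please charge the deposit to my Visa:
4111 1111 1111 1111, exp 03/26, CVV 123. Thanks!"""

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every payment card number satisfies.
    Filters out most phone numbers, invoice numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Return the digit-only card numbers found in the text (Luhn-valid only)."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()        # not a card number; leave untouched
    return CANDIDATE_RE.sub(_sub, text)
```

A gateway would normally quarantine the message and notify the sender rather than silently rewriting it, but the detection logic is the same.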
And of course, if you’re part of a company or organization with people who routinely request card data to be sent via email, here are three words to tell your staff: STOP DOING THAT! We’ll all be better off when security is top of mind and the Data Security Standards are followed.
Mark Murrell is co-founder of CarriersEdge, a leading provider of online driver training for the trucking industry, and co-creator of Best Fleets to Drive For, an annual evaluation of the best workplaces in the North American trucking industry produced in partnership with the Truckload Carriers Association.