Combating Electronic Threats: Don't Get Burned With Just A Firewall

It’s probably fair to say that most dealers, by now, understand that they are required to protect their customers’ non-public personal information (NPI). This requirement, flowing from the Gramm-Leach-Bliley Act, is contained in the FTC Safeguards Rule (16 CFR 314) and became the law of the land May 23, 2003.

The FTC Safeguards Rule applies to “all financial institutions over which the Federal Trade Commission has jurisdiction.” Car dealerships that originate loans (which is to say, most car dealers) are under FTC jurisdiction, and therefore must comply with the Safeguards Rule. Any dealer who hasn’t been living under a rock for the past three years knows this much. What is less well known, however, is how to comply. And the greatest area of uncertainty seems to relate to computer security.

“Paper” security is almost self-explanatory: Keep documents containing NPI away from unauthorized personnel, third parties and customers. Lock file cabinets and office doors. Place document shredders in F&I offices and business offices. Locate fax machines on which credit apps are transmitted away from public access. Train dealership employees with respect to the Rule, and document that effort (an often overlooked requirement). And so on.

But computer security is not quite so intuitive, and the risks are far greater. To put this in economic perspective, consider that the potential FTC penalty for leaving one deal jacket in plain sight, unprotected, is $11,000. But the potential penalty for leaving a computer unprotected, with access to 15,000 customer files, is $165 million. In one recent case, the FTC assessed a $15 million fine against a company that failed to fully comply with the Safeguards Rule. Clearly, it is worth a dealer’s while to protect customers’ NPI stored in electronic format. But how does one do that?

Actually, it is easier than you might think, or fear. But first, one must understand how computers are used in the average dealership, how they work, and how a bad guy can exploit a network’s vulnerabilities to gain unauthorized access. Then, a dealer needs to know what the Safeguards Rule actually requires. Once that basic understanding is achieved, understanding how to protect your network becomes a manageable task.

There are two main types of computer systems at a car dealership: a dealership management system (DMS) and a dealership’s own network. A DMS is generally leased from a third-party vendor such as Reynolds and Reynolds or ADP, which combined are said to control more than 90 percent of the market. Other players include ARKONA, Proceed, UCS and EDS. A dealer’s network, on the other hand, is homegrown, unique and owned by the dealer.

Dealership computer systems have evolved rapidly over the last decade or so. Ten or 15 years ago, the dealership was run almost exclusively by the DMS. It controlled sales, service, parts, F&I, accounting and payroll. Those who needed access to it were given that access through a “dumb” terminal that alone didn’t have any processing power. There was virtually no access to the Internet or to any other computer, for that matter.

As information technology improved, dealer personnel needed access to processing power at their desks. Microsoft Word, Excel and other applications were needed. Dealers began to exchange dumb terminals with real computers with actual processing and networking capabilities. When individual computers, or “work stations,” are connected, either to a central server or to other work stations, a network is born. So today, many dealership computing functions are performed on a dealer’s own network, independent of the DMS.

Of course, dealers still need to access their DMS, so the DMS providers give dealers “terminal emulators,” such as ERA Link or Reflections. Terminal emulators permit dealer personnel to access the DMS from the convenience of their own networked computer.

The Internet then brought on a whole new set of connections. Dealers went online to apply for tags, register service contracts, do online menus, post their inventory, send credit applications to lenders, retrieve credit bureaus, get book values, generate Internet leads, communicate with the manufacturers, confirm driver’s licenses, pull tag information and a host of other online applications. But all of these new applications, while bringing function, also bring risk.

[PAGEBREAK]

How Hackers Hack

A dealer’s customer data can now be seen by an attacker without even breaching the DMS itself. An attacker could monitor a specific computer within the dealership from the comfort of his own home using a little know-how and freely-available hacking programs. Once inside, he could take screen shots of customer information while the dealership employee was working. He could read stored reports like sales logs and mailing lists. He could get to Excel with its payroll information. Depending on the possibilities presented, he could even take control of the user’s PC and reach the DMS just like the user would.

The DMS is simply just another computer on the network. It does all of the functions that the Big Box of years past did, but now is accessed though desktop computers just like any Microsoft application would be. As mentioned above, access is gained through terminal emulators. They are programs that, as the name suggests, emulate dumb terminals. From the DMS point of view, they look just like the old green screens.

So, to hack a DMS is not some magical trick. A bad guy gains control of a computer on the network that has access to the DMS, and then the only thing needed to get in is a logon and password.

To get past the former is easy. First, you try first name only, then last name only, then first name last initial, then first initial last name, store number last name or some combination of the above. While that may sound somewhat involved, it is not. If a username can’t be quickly guessed, there are computer programs that will do the work in the blink of an eye — if you blink quickly.

The password is a little trickier but certainly not bullet proof. A hacker would first try the easy route — a lucky guess. Try the logon as the password, add a 1 at the end or spell it backwards. Don’t forget the local sports team names, birthdates and street addresses.

If 10 or 15 guesses don’t do the trick, a hacker may try "social engineering." Social engineering is a fancy term for getting the necessary information from someone entitled to have it. (In one famous example, while researching “The Sum of All Fears,” author Tom Clancy learned the last secret to building a nuclear weapon by simply calling the government contractor in question and asking.) A hacker would call the dealership and ask for an employee by name or title, say he is with the computer company or some support company and ask the user for his logon and password. (This works more often than you might think.)

If all else fails, a hacker might just use brute force. A simple Google search reveals over 1.8 million available sites providing access to “brute force” password hacking programs.

Do not be comforted by the thought, “We’re safe. We have a firewall.” Hackers expect a firewall, and know how to get around it. The first thing they do is find you in the world of the Internet. Then, they scan your firewall from the outside using any one of thousands of programs. Next, they scan the inside of the network through some of the open doors in the firewall. The hacker then compiles a list of network weaknesses called vulnerabilities, and then exploits one of those vulnerabilities using commonly available utilities.

The preceding discussion illustrates how a network/DMS tandem works, and how a hacker can gain access to the DMS through the network. But there is still another, more basic way to get into a DMS: its modem. The average DMS connects to its owner through an old-fashioned dial-up modem.

This is not as antiquated as it may sound because the DMS transmits vanilla data only. Rather than dense audio or video files, the transmission rates of a conventional dial-up modem are satisfactory. The problem is that the modem works both ways, and anyone with its phone number (which would include, of course, all current F&I employees and former F&I employees) can simply dial in and enter a valid password.

[PAGEBREAK]

For those lacking a DMS’s telephone number, it is easy to establish a telephone number “range” from dealership numbers listed in a phonebook or posted online. Once the range is established, a “war-dialer” program will detect the DMS line in short order. After connecting to the DMS, a similar program may be launched against the password, assuming the default password of “password” was ever changed (in most dealerships, it was not).

Once a hacker has accessed a network or DMS through the Internet or via modem and defeated the login screen, the fox is in the henhouse. What he does from there can range from the benign (as an authorized “white knight” hacker just checking security) to disastrous (as an identity thief copying credit information). How hackers remove data is beyond the scope of this article and, in any event, largely irrelevant. The Safeguards Rule requires you to make it so tough that the fox starts looking for another henhouse.

To protect customers’ NPI, the Safeguards Rule requires dealers to conduct a risk assessment that addresses the dealer’s network and DMS. Safeguards need to be in place that detect attempted intrusions, protect against them, and scan for the vulnerabilities hackers exploit to gain unauthorized access. In addition, the Rule requires dealers to train their personnel with respect to the Rule, and periodically audit the effectiveness of their information security program.

The Cost of Failure

In addition to hefty fines, the FTC can impose an onerous consent order to resolve a complaint. Such consent orders have required federal oversight of a dealership’s compliance efforts for a period of 20 years, including biennial third-party audits.

But wait, there’s more: The FTC has already determined that “a violation of the Safeguards Rule constitutes an unfair or deceptive act or practice in violation of Section 5(a) of the FTC Act.” (Nationwide Mortgage Group, Inc. et al., FTC Docket No. 9319 (2004).)

In other words, failure to comply with the Safeguards Rule is like a lead-pipe lock as a basis for a class-action lawsuit alleging a deceptive trade practice applied to each and every dealership customer since May 23, 2003.

And lest a dealer think a failure to properly address computer security is likely to go unnoticed, it has not. In the same case cited above, the FTC specifically identified failure to conduct an NVA, failure to train personnel, and failure to monitor a network for vulnerabilities to constitute violations of the Safeguards Rule.

This article discussed the scope of computer security and the cost of not complying with the Safeguards Rule. Next month, we’ll tackle the fun part: securing customer data in the real world of dealerships.

Alan Andreu is president of Dealership Defense LLC. He began working in the retail automotive industry in 1983 as a finance director. For the past seven years, Alan has used his experience in the industry and his education in computer science to develop methods that support and provide security to dealership management systems for dealerships nationwide.