As information technology improved, dealer personnel needed access to processing power at their desks. Microsoft Word, Excel and other applications were needed. Dealers began to exchange dumb terminals with real computers with actual processing and networking capabilities. When individual computers, or “work stations,” are connected, either to a central server or to other work stations, a network is born. So today, many dealership computing functions are performed on a dealer’s own network, independent of the DMS.
Of course, dealers still need to access their DMS, so the DMS providers give dealers “terminal emulators,” such as ERA Link or Reflections. Terminal emulators permit dealer personnel to access the DMS from the convenience of their own networked computer.

The Internet then brought on a whole new set of connections. Dealers went online to apply for tags, register service contracts, do online menus, post their inventory, send credit applications to lenders, retrieve credit bureaus, get book values, generate Internet leads, communicate with the manufacturers, confirm driver’s licenses, pull tag information and a host of other online applications. But all of these new applications, while bringing function, also bring risk.
How Hackers Hack
So, to hack a DMS is not some magical trick. A bad guy gains control of a computer on the network that has access to the DMS, and then the only thing needed to get in is a logon and password.
Getting past the first of these, the logon, is easy. First, you try first name only, then last name only, then first name and last initial, then first initial and last name, store number and last name, or some combination of the above. While that may sound somewhat involved, it is not. If a username can’t be quickly guessed, there are computer programs that will do the work in the blink of an eye — if you blink quickly.
The password is a little trickier but certainly not bullet proof. A hacker would first try the easy route — a lucky guess. Try the logon as the password, add a 1 at the end or spell it backwards. Don’t forget the local sports team names, birthdates and street addresses.
If 10 or 15 guesses don’t do the trick, a hacker may try “social engineering.” Social engineering is a fancy term for getting the necessary information from someone entitled to have it. (In one famous example, while researching “The Sum of All Fears,” author Tom Clancy learned the last secret to building a nuclear weapon by simply calling the government contractor in question and asking.) A hacker would call the dealership and ask for an employee by name or title, say he is with the computer company or some support company and ask the user for his logon and password. (This works more often than you might think.)

If all else fails, a hacker might just use brute force. A simple Google search reveals over 1.8 million available sites providing access to “brute force” password hacking programs.
Do not be comforted by the thought, “We’re safe. We have a firewall.” Hackers expect a firewall, and know how to get around it. The first thing they do is find you in the world of the Internet. Then, they scan your firewall from the outside using any one of thousands of programs. Next, they scan the inside of the network through some of the open doors in the firewall. The hacker then compiles a list of network weaknesses called vulnerabilities, and then exploits one of those vulnerabilities using commonly available utilities.
The preceding discussion illustrates how a network/DMS tandem works, and how a hacker can gain access to the DMS through the network. But there is still another, more basic way to get into a DMS: its modem. The average DMS connects to its owner through an old-fashioned dial-up modem.

This is not as antiquated as it may sound, because the DMS transmits vanilla data only. Since it is not moving dense audio or video files, the transmission rates of a conventional dial-up modem are satisfactory. The problem is that the modem works both ways, and anyone with its phone number (which would include, of course, all current F&I employees and former F&I employees) can simply dial in and enter a valid password.
For those lacking a DMS’s telephone number, it is easy to establish a telephone number “range” from dealership numbers listed in a phonebook or posted online. Once the range is established, a “war-dialer” program will detect the DMS line in short order. After connecting to the DMS, a similar program may be launched against the password, assuming the default password of “password” was ever changed (in most dealerships, it was not).

Once a hacker has accessed a network or DMS through the Internet or via modem and defeated the login screen, the fox is in the henhouse. What he does from there can range from the benign (as an authorized “white knight” hacker just checking security) to disastrous (as an identity thief copying credit information). How hackers remove data is beyond the scope of this article and, in any event, largely irrelevant. The Safeguards Rule requires you to make it so tough that the fox starts looking for another henhouse.

To protect customers’ NPI, the Safeguards Rule requires dealers to conduct a risk assessment that addresses the dealer’s network and DMS. Safeguards need to be in place that detect attempted intrusions, protect against them, and scan for the vulnerabilities hackers exploit to gain unauthorized access. In addition, the Rule requires dealers to train their personnel with respect to the Rule, and periodically audit the effectiveness of their information security program.
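As an added illustration (not part of the original article, and not code from any DMS vendor), the following Python turns two of the points above into checks a dealership could run: it rejects passwords built from the logon in the ways described (the logon itself, the logon with a 1 added, the logon spelled backwards, local team names, dates and street names) or left at the default “password,” and it counts failed logins per user over constructed sample log lines so that an account can be locked or flagged before the 10 or 15 guesses mentioned above are used up. The log format and the local-terms list are assumptions for the example.

```python
import re
from collections import Counter

# Hypothetical dealership-specific terms (team name, street, a year) that should
# never be accepted as passwords; a real list would come from the dealer's own area.
LOCAL_TERMS = {"tigers", "mainstreet", "1983"}
# Vendor default the article says is rarely changed.
DEFAULT_PASSWORDS = {"password"}

def is_guessable_password(logon: str, password: str, local_terms=LOCAL_TERMS) -> bool:
    """True if the password matches an easy-guess pattern from the article.
    Comparison is case-insensitive so 'HTIMSJ' is still 'jsmith' backwards."""
    p = password.lower()
    l = logon.lower()
    if p in {l, l + "1", l[::-1]}:          # logon, logon+1, logon reversed
        return True
    if p in DEFAULT_PASSWORDS:              # never-changed vendor default
        return True
    return p in {t.lower() for t in local_terms}

# Constructed sample log (assumed "timestamp LOGIN user=<name> result=<OK|FAIL>" format):
# jsmith fails 12 times in a row, mlee fails once and then succeeds.
SAMPLE_LOG = "\n".join(
    [f"2024-01-08 08:0{i // 10}:{i % 10:02d} LOGIN user=jsmith result=FAIL" for i in range(12)]
    + ["2024-01-08 08:05:00 LOGIN user=mlee result=FAIL",
       "2024-01-08 08:05:10 LOGIN user=mlee result=OK"]
)

LOG_RE = re.compile(r"LOGIN user=(\S+) result=(OK|FAIL)")

def failed_logins_by_user(log_text: str) -> Counter:
    """Count FAIL results per user; lines that do not match the format are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == "FAIL":
            counts[m.group(1)] += 1
    return counts

def flag_guessing(log_text: str, threshold: int = 10) -> list:
    """Users whose failed-login count reaches the threshold. Ten is chosen
    because the article puts the hand-guessing budget at 10 to 15 tries."""
    return sorted(u for u, n in failed_logins_by_user(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print("jsmith1 guessable:", is_guessable_password("jsmith", "jsmith1"))
    print("accounts to lock:", flag_guessing(SAMPLE_LOG))
```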
The Cost of Failure
And lest a dealer think that a failure to properly address computer security is likely to go unnoticed, it has not. In the same case cited above, the FTC specifically identified failure to conduct an NVA, failure to train personnel, and failure to monitor a network for vulnerabilities as violations of the Safeguards Rule.

This article discussed the scope of computer security and the cost of not complying with the Safeguards Rule. Next month, we’ll tackle the fun part: securing customer data in the real world of dealerships.
Alan Andreu is president of Dealership Defense LLC. He began working in the retail automotive industry in 1983 as a finance director. For the past seven years, Alan has used his experience in the industry and his education in computer science to develop methods that support and provide security to dealership management systems for dealerships nationwide.