Why Hackers Target Small Businesses Who Use Macs, iPads & iPhones


CC-licensed, thanks homard.net via Flickr.
CC-licensed, thanks homard.net via Flickr.

If you’re a freelance or independent developer, designer, content jockey or two-person startup, you may not even consider yourself a small business.

But the client data on your laptop and the banking you do with your iPhone leaves you wide open as a target for hackers — and lawyers.

For Neal O’Farrell, executive director of the San Francisco nonprofit Identity Theft Council, thinking you’re too small to get serious about security is about as dumb as you can get.

O’Farrell gave a talk titled “The Hackers are Coming – Why the Small Business is the Big Target and What You’ve Got to Lose” as part of San Francisco Small Business Week.

His aim? To “scare the bejesus” out of the 20-or so attendees.

Neal O'Farrell, via nealofarrell.com

“There were more breached records last year than U.S. population than U.S. residents last year and more cases of identity theft than just about all other crimes combined,” he said.

Unless you’re encrypting all of your devices, you’re pretty much asking for trouble.

“You’ve got to wake up and protect yourself, even if you use a Mac,” he said. Hackers hit with automated bots and the ease with which you synch your contact information from your laptop to your iPhone and do your banking on it make all your data vulnerable.

“I don’t use banking apps for my phone,” said O’Farrell, who worked on the first system to secure Ireland’s ATM network, adding that when they first launched eight out of ten mobile banking apps had security flaws. “I’ll wait another 20 years to stick my toe in that pond.”

The idea that Apple devices are less vulnerable to hacking doesn’t hold anymore – in part due to the runaway popularity of the iPhone and iPad. “Hackers go where the crowds are. We’ve also seen a 400% increase in Android attacks. It doesn’t mean they are more vulnerable, just that they are targeting the mass of users.”

After opting out of the family weaving business some 30 years ago, the pugnacious Dubliner became a security consultant who has advised organizations including Toyota, Merrill Lynch, Cost Plus World Market and the Bulgarian Government.

O’Farrell related the horror stories that his nonprofit hears by the hundreds each month from business owners. A small escrow company had half a million dollars slowly drained from its account after two employees clicking on a bogus UPS email notification launched a bank trojan; a restaurant is out about $200,000 from card skimmers.

These hapless victims then discover that the police investigate less than one percent of these crimes — and the banks consider it a police matter. The legal system isn’t much help either, since the 1978 Electronic Funds Act only covers consumers and courts often rule in favor of banks.

“These are almost non-investigatable crimes,” he noted. “If you live in San Francisco and your bank data or identity gets used or stolen in San Mateo, those are different counties and the cops don’t talk to each other. There’s too much paperwork. They signed up to put blue lights on cars and get the bad guys.”

And here’s the thing: you don’t need an office, a staff or what your grandparents would consider a proper business to find yourself with a costly headache.

Say your MacBook gets stolen or data is lifted from it while it’s in for repairs, or you don’t wipe the hard drive when you sell it.

“My biggest fear isn’t the hackers but the lawyers,” he said. “Say you’ve had 1,000 customers over the years. Once that computer is sold or stolen or whatever, it puts you at risk under Federal and state data breach laws.”

And, perhaps more importantly, there’s a difference between liability and what you can be sued for if a lawyer sniffs out a good case, O’Farrell notes. The average cost, depending on the information, is $200 per breached record.

The bright side to this dismal scenario: there are some fairly inexpensive fixes and solutions, O’Farrell said.

A summary of his tips:

  • Get a cheap netbook to use exclusively for online banking. (No email, etc.)
  • “Lose the bank’s money” by using your credit card instead of your debit card for anything other than getting cash from your bank’s ATM. Favor your personal credit card over your small business credit card – individual consumers are better protected.
  • Erase, delete, encrypt. (For encryption, he named AxCrypt and TruCrypt, though he doesn’t specifically endorse them.)
  • Assume that people who send you emails are dumber than you. If it looks funny, call or send a separate email to verify.
  • Teach everyone who exchanges electronic data with you (including your accountant, intern, etc.) to favor caution over curiosity when it comes to opening emails.