A guy walked into a bar… No, that’s not the start of a joke. It’s the beginning of a LinkedIn post that got a lot of kudos last week.
Shortly after the man enters the tavern, chaos erupts: The music stops playing, the credit card machine stops working, the TV goes down. Yes, the entire technology infrastructure was out. The restaurant had a remote IT company (no full-time employee or smart hands-on staff) and they got them working on the problem. Meanwhile, the guy who walked into the bar offered his services to the manager. He worked, he said, for a technology company and would be happy to see if he could help.
Great. The manager takes him into the back and gives him passwords and access. He talks to the IT guys on the phone, and together they get things back up and running.
The manager is very happy. The guy who walked into the bar makes a potential sale of some new hardware, and he is hailed as a hero by everyone in the place as well as, now, a number of new LinkedIn fans. “Great job, man.” “Way to set yourself above the rest!”
It’s tempting to take this story at face value and accept it as just a good deed with a positive result. In this specific instance, that appears to be true. But it could just as easily have turned out far differently, which means there are some lessons to be learned.
1: Retail businesses have a lot to offer, especially if a hacker or scammer can obtain administrative credentials. The big “get” would, of course, be credit card numbers. If your establishment uses wireless internet connections (don’t, by the way), they can be scraped via a packet sniffer. But if I can get onto your server, I can easily install a key logger that will capture your logins and passwords as you go about your regular business. Eventually, you will log into your merchant account and, well, you know what happens from here.
2: What are the odds that a scammer just happened to be in the restaurant when this happened? Pretty slim. But most likely, if this was a scam, the guy who walked into the bar also caused the crash. Probably through malware previously installed on the system. Presenting a business card as a form of validation and introduction is an easy scam that is often successful. I can print up business cards tomorrow that say I am the senior technology editor of The New York Times. But, sadly, it doesn’t make it so.
3: Have backup systems tested and ready. In this scenario, and for most retail sites, the most critical issue is capturing credit card information and receipting to the customer. Options include redundant hardware, a secondary internet connection, or a backup solution that uses the tethering capability of a personal hotspot or even your smartphone to keep you up and running, with some tradeoffs, like speed. With a backup method immediately accessible, a scam like this fails.
4: Do not panic. And do not throw your best practices out when they are really tested. In this case, the restaurant had remote IT guys working on the issue. The manager, apparently without the confidence of a backup solution and hoping to speed up the resolution, gave away the farm, opening the door for a far bigger problem. Never give anyone administrative access to your servers, computers, or cloud services. Not only is it possible for someone to infect your systems or steal your data, but they could also have taken a minute to create a dummy account for themselves with admin rights. So even if the manager or the IT company had the presence of mind to change the administrative password after this episode (something I would give about a 50-50 chance), they would not stop the scammer from getting in through the dummy account.
5: One way to avoid panicking and handing over your tech keys to a guy in the bar is to have confidence in your backup solutions and your staff’s ability to get them online quickly. That comes from testing. You have just half a disaster plan if it exists only on paper. It is a bit of a pain to test, but it is well worth it. That’s where you find out that the plan depends on getting into something that is locked and no one but the owner has the key.
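The dummy-account risk from point 4, as an added example that is not part of the original post: a check that compares the accounts holding admin rights against a list recorded before the incident, which is what catches an extra account that a password change leaves in place. It assumes a Unix-style host with passwd and group files; the admin group names, account names and baseline are constructed for illustration.

```python
# Added example: find accounts with admin rights that are not in a known-good baseline.
# Assumption: Unix-style passwd/group text; group names below are typical, adjust per host.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

def privileged_accounts(passwd_text, group_text):
    """Return names with UID 0 or with membership in an admin group."""
    privileged, admin_gids = set(), set()
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if line.lstrip().startswith("#") or len(parts) < 4:
            continue
        name, _pw, gid, members = parts[:4]
        if name in ADMIN_GROUPS:
            admin_gids.add(gid)
            privileged.update(m for m in members.split(",") if m)
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if line.lstrip().startswith("#") or len(parts) < 7:
            continue
        user, _pw, uid, gid = parts[:4]
        # A second UID 0 entry is root under another name; an admin primary
        # group grants rights without appearing in the group's member list.
        if uid == "0" or gid in admin_gids:
            privileged.add(user)
    return privileged

def audit(baseline, passwd_text, group_text):
    """Diff current privileged accounts against the recorded baseline."""
    current = privileged_accounts(passwd_text, group_text)
    return {"unexpected": sorted(current - baseline),
            "missing": sorted(baseline - current)}

# Constructed sample data: baseline recorded before the outage, files read after it.
BASELINE = {"root", "manager"}
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
manager:x:1000:1000::/home/manager:/bin/bash
pos:x:1001:1001::/home/pos:/usr/sbin/nologin
svc_backup:x:0:1002::/home/svc_backup:/bin/bash
helpdesk:x:1003:27::/home/helpdesk:/bin/bash
"""
GROUP_AFTER = """\
root:x:0:
sudo:x:27:manager,support2
pos:x:1001:
"""

if __name__ == "__main__":
    print(audit(BASELINE, PASSWD_AFTER, GROUP_AFTER))
```

The baseline only has value if it was recorded before anyone outside the business touched the system, and kept somewhere that person could not edit.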
Was the guy who walked into this bar just a good guy trying to help out? Probably. Was the manager just in over his head, trying to be creative in resolving the problem quickly? Most likely.
Situations like this really aren’t that unusual. I myself have offered to help people with problems, and I am always amazed how quick they are to give up administrator credentials, and how unlikely they are to change them afterward. We tend to take people at their word and to be grateful for a helping hand when needed. But hope is not a strategy, and real security that protects your customers and your business is based on often-harsh realities.
Prepare for the worst and hope you never need it.