
Hackers Target Small Business

Big companies and big government get big press when their data is breached. And when a big company is hit, those whose accounts have been compromised are often notified. With smaller businesses, however, victims are often left in the dark, regardless of the various state laws requiring notification.

One reason for this is that smaller businesses tend not to keep customer names and contact information on file, and credit card companies discourage them from recording credit card data.

This is serious cause for concern. The Wall Street Journal reports that the majority of breaches impact small businesses:

“With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.”

If 95% of breaches affect small companies, it’s anyone’s guess how many times my or your credit card numbers have been compromised. I’ve received four new cards in the past three years as a result of major companies being breached. But I use credit cards at more than a hundred different retailers in a year. And it isn’t only credit card numbers that are stolen, but also usernames and passwords, Social Security numbers, email addresses, and more.

Check your credit card statements online weekly and dispute any unauthorized charges. As long as you dispute charges within 60 days, federal laws limit your liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

Change up your passwords at least once every six months. If a business is hacked, they may not know for years, and can’t possibly notify you until it’s much too late.


Comments: (7)

A Finextra member, 19 September, 2011, 08:32

It's easy to say 'check your statement regularly' but we all have a day job, or looking for one, and the transaction descriptions are sometimes next to useless. They are even registered in another state/city/business name to confuse you further. Chip+Pin was a big help but CNP is still the issue - card data floats around for years and is valid for at least a couple. It's the small charges that get missed.

Robert Siciliano - Boston, 19 September, 2011, 12:33

Anonymous commenter, it's scary to know that a reader of Finextra, like you, who is probably in the financial industry, makes a statement such as checking statements is burdensome etc. If you were an employee of mine I'd fire you on the spot. You are a liability.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 20 September, 2011, 19:54

Unfortunately, anecdotal evidence weighs heavily in favor of the opinion expressed by anonymous Finextra Member's comments. Although I belong to the minority, it appears that an overwhelming majority of over 90% of people don't check their credit card statements, at least not regularly or thoroughly enough to spot fake charges. Technology can help, though: A more practical alternative, at least for US residents, is a website like, to whose CEO, btw, I should give credit for the above statistics. 

Robert Siciliano - Boston, 20 September, 2011, 20:06

I subscribe to BillGuard, and I check my statements. The responsibility falls with me. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 20 September, 2011, 20:33

According to BillGuard, it keeps its service free by making money from banks that offer its advanced card protection services to their (i.e. banks') customers. Banks could invest in implementing realtime, 2-way SMS alerts for all / selective user-defined credit card transactions as an alternative / additional way of solving this problem, as I'd pointed out in my two recent Finextra blog posts:

A Finextra member, 21 September, 2011, 11:55

I don't think you can fire an anonymous employee, Robert :)

The reality is that the world moved away from paper statements, so there is no longer a trigger to scan those transactions. It's all online now. Most folks have several different cards as well. I don't think it is as common as you think that people set aside time to log in to each to check those transactions - they will (like me) do it from time to time when they happen to be logged in. They care about the overall balance outstanding and therefore only large transactions influence that and draw attention. Coupled with the vague and misleading merchant names and lack of descriptions, it's a poor system.

I agree that configurable SMS notifications of any transaction is a great idea.

I am not ducking that we are personally responsible, but when 99.9% (hopefully more) of txns are genuine, who can blame the consumer for getting lazy in monitoring it - it's a fact.

Robert Siciliano - Boston, 21 September, 2011, 12:44

There are laws in place protecting consumers and making consumers responsible as well. Since when did lazy and stupid make it ok to avoid legal responsibility? How is it that you people are saying this is OK? It's not ok and you and everyone else should adhere to the rules.

I lock my doors, I check my statements, I have systems in place and I take responsibility. The sooner everyone does the better their life will be, instead of blaming someone else for their problems. How did this post turn into this?

No matter what technology we introduce there will always be some responsibility on behalf of the end user to protect themselves from whatever risk/reward there is as a result of the convenience. You carry money, there is a chance you will be bonked on the head.

This is it, these are the cards we have been dealt, nobody is going to take care of you, stop blaming some big company or government for your problems. Take responsibility.
