Password Protection: Serious Business


A recent news story from Texas should be an object lesson for all dealers. An Austin, Texas used car dealer installed GPS starter interrupt devices in the buy here/pay here vehicles it sold. The internet-based system can be used to disable vehicles when customers are behind in payments and to activate horns when the dealer is looking to retake the vehicles. Suddenly, more than 100 vehicles sold by the dealership either wouldn’t start for the customers or had their horns continually blaring, for no apparent reason. The dealership was deluged with complaints. Upon investigating, the dealership found that a former employee had used another employee’s password to tamper with the vehicles’ starter interrupt systems through the internet. Eventually, the ex-employee was arrested, but not before tremendous damage was done to the dealership’s reputation and customer image.

So what lesson should a dealer take from this? Protect passwords to dealership computer systems. The Texas dealer’s case is an unusual one. However, there is much mischief and downright dishonesty that can come from careless password practices. Problems can range from improper access to customer information to use of computerized ordering to improperly purchase products or services on the dealership’s accounts.

So what should you do? 

Train employees. Many employees simply do not appreciate the importance of passwords. For many employees, they’re simply a nuisance. Employees must understand the danger to the business if passwords are misused, and the danger to them if it appears that they are the wrongdoers. Train employees in the importance of password protection.

No sharing. Passwords should not be shared. It is easy for an employee who forgets his or her password to simply borrow someone else’s. The pressure on the employee who is asked to share a password is enormous. Simplify this for employees. Make very clear that sharing passwords is a serious personnel offense that will lead to disciplinary action. If the rule is breached, follow through and take appropriate disciplinary action, including termination if necessary. 

Writing passwords down? Many employees simply write down their passwords on their desk blotter or on a sheet of paper in a desk drawer. That is one of the most basic password errors. Passwords should not be written down in areas that are easily accessible. If an employee must write down the password, the paper on which the password is written should be kept in a wallet or purse or some other place that is not easily accessible.

Creating a password. For years, security administrators have preached about the evils of creating easily guessed passwords. Passwords such as “1234” or “password” are very common terms that any amateur will try. For years, security consultants suggested using long strings of random letters, symbols and numbers. However, security consultants have discovered that those sorts of passwords lead to users having to write them down, which is itself a problem. Even worse, high tech theft devices such as key loggers are designed to identify a long string of random symbols to isolate a password. Use a phrase or some easily remembered series of letters and numbers.

Regularly change passwords. It is a pain for employees to have to change passwords every 30 days. However, the longer passwords are in effect, the more easily they can be discovered by wrongdoers and misused. 

Require that the passwords employees use on their personal computers and internet sites be different from those used in the dealership’s systems. Computer users generally limit themselves to one or two passwords. When doing personal computing, they may enter a password into dozens of frequently visited sites. High tech theft devices will be able to pick up a password from those personal sites, and if the business password is the same, it becomes a dealership problem.

No Personal Computing. Limit use of your computer system to business matters. High tech theft programs attack your system through viruses and spyware. Those are most easily contracted from pages employees may visit in personal computing. Have a strict rule against personal computing at work.  

Keep your operating system and virus protection up to date. A firewall and programs to protect against viruses and spyware are your best defense against key trackers and other high tech theft programs.

 