What do you suppose could happen if a person with malicious intent was able to gain access to the Facebook account of a credit union CEO? What about a corporate Twitter account? There has been an old hacking technique called HTTP Session Highjacking that has recently been brought to the front of the pack with the release of Firesheep by Eric Butler, and covered by TechCrunch.
When you sign in to an online service, such as your email, online banking, Facebook, or Flickr, the website gives your computer a session cookie. Generally, the login page is secured behind an SSL certificate, meaning that the traffic is encrypted and can’t be deciphered. However, as is the case with Facebook and Flickr, once you’ve logged into the service, you browse the site over regular HTTP that is not encrypted. Firesheep is an extension for Firefox that sniffs internet traffic on a network and finds cookies from websites like Facebook. Since these cookies aren’t encrypted and you are browsing Facebook without any security, these cookies can easily be copied and a person identity can be spoofed very easily. Firesheep makes this as easy as installing the plugin and click a button. It sits there and gathers all of the cookie traffic across a network and present you with the results, let you click on more button and logging into the Facebook account of someone.
Where Firesheep is incredibly scary is on unsecured wireless networks. Think Starbucks, McDonalds, and hotels. Now think about how many credit union employees use services like that when they travel. I’ve used an unencrypted wifi network every week this month where someone could have logged into my Facebook account, done whatever they wished, and I never would have been the wiser until a friend called me and asked if I really wanted $1000 wired to Western Union in the Netherlands.
Credit unions need to realize a few key things:
- With this issue, unencrypted wifi isn’t the devil. It is the websites that your users visit that don’t have end to end security (SSL).
- Your employees are going to use free wifi with the corporate assets, whether you like it or not.
- You need to have the tools in place to minize the risk of this happening to your CEO.
So how can credit unoions, their employees, and regular users prevent issues like this?
- Your credit union probably already has VPN access. Force your remote users to VPN back to the CU to go out the to internet. While traffic could still get intercepted once it leaves the credit union, it makes it much more challenging.
- Make 100% sure that all of the assets in online banking, including images and remote scripts, are all behind an SSL.
- Put your entire member facing website behind an SSL. An extended validation SSL is all the better.
- Avoid using unencrypted wifi access points at all costs.
- Educated your staff on the security issues with unencrypted wifi and the appropraite use of strong passwords.
Banning the use of wifi, Facebook, or whatever else isn’t the solution here. The best way to solve these issues is to educate your employees or users so they understand the ramifications of using insecure technology.
Thanks to everyone for attending the Southwest CUNA Management School with a special thanks to the Texas Credit Union League and Janine McBee. It was an honor to speak to the group and I hope our sessions encouraged some creative thinking. Here are the presentations if you’d like to download it and keep it for your records.
Using Technology to Attract Younger Members
This was originally written and posted for the CU Times. Here is the article in its entirety:
Corporate credit unions are quite the unpopular kid at prom these days. With fresh allegations of fraud from senior executives at some corporates, dismal investment portfolios, and lackluster capital positions, corporates are riding a wave of negative publicity. With massive changes to their business model on the horizon and the threat of further regulation, corporates face the same dilemma that the 8-track cassette tape faced: obsolescence.
Unlike 8-track, the popular audio cassette technology from the 1960s and 1970s, the corporate credit union system has not been short lived. However, forces are changing the marketplace, arguably making corporate credit unions much less relevant. In its January 2009 ANPR, the NCUA suggests making changes to nearly every key component of a corporate credit union’s business model including payment systems, liquidity management, field of membership, investment authority, and capital structure.
Progressive corporates have seen the writing on the wall and have launched new internal programs in preparation for the NCUA’s upcoming systemic alterations. CU Business Group represents a great example of this concept. A CUSO owned by eight corporate credit unions, CUBG provides mainly business services related items such as loan origination, servicing, and SBA lending. The CUSO model has been quite appealing to corporates lately as a way to branch out and diversify some of their services and revenue. Many corporates are beginning to get into the CUSO game such as Southeast and Georgia Central with Member Business Solutions and Missouri Corporate and the Missouri Credit Union Association with their CUSO, Heartland Business Services.
The CUSO structure provides a solution not only for corporates, but also for natural person credit unions looking to overcome some of the current issues with corporates. Nearly all services offered by a corporate credit union to its member credit unions are being offered through CUSOs. For example, Palmetto Cooperative Services of South Carolina offers item processing, statement processing, and printing and mailing services. Originally started as a League Service Corporation, Palmetto now boasts more than 400 clients across twenty states.
Investments have been a source of much anguish from the corporates, but many alternatives are provided through CUSOs as well. CUSOs such as MaPS Advisory Services offer complete replacements for portfolio management. When asked why a credit union would choose a CUSO over a corporate for investment options, Kevin Cole, CFO of MaPS Credit Union and Manager of Client Relations for MaPS Advisory Services, had this to say: “MAS can provide credit unions with an alternative to investing funds in corporate certificates that does not require uninsured membership capital. Rather than credit unions investing in corporate certificates and corporates investing in mortgage backed securities and other bonds, credit unions can directly own the securities with MAS managing the portfolio to a written investment policy statement developed specifically for the credit union.”
Card and ACH processing is another mainstay of corporate credit unions, but again, many options are available to credit unions of all sizes. PSCU, The Members group, and CO-OP are just a few of the CUSO card processors out there today. PSCU has over 600 credit union owners and CO-OP has one of the largest ATM networks in the nation.
As practically every operating aspect of a corporate credit union is available from other providers, natural person credit unions will begin to look elsewhere for products and solutions. In today’s economy, credit unions are avoiding risk at all costs, and that includes any potential issues that may arise from utilizing a corporate credit union. Such risks might include changes related from mergers and acquisitions, key employee turn-over, or further capital calls.
While the more modern cassette tape replaced the 8-track in the 1980s, the outdated standard still had a leg up on the competition in sound quality. That advantage was very short lived and within a few years of being introduced, the cassette tape killed 8-track. Corporate credit unions are currently at the same turning point as the 8-track. CUSO’s and other providers can deliver the exact same services and products to natural person credit unions that a corporate credit union can deliver. While corporates do maintain some slim advantages, they will be quick to deteriorate as the NCUA hands down new regulations in the future.
CUSOs represent a unique opportunity for the credit union industry. Corporate credit unions can capitalize on that opportunity by creating new CUSOs to deliver their existing products in a different format or by adding new business lines. These new business lines could contribute significantly to the bottom line of the corporate, helping to diversify revenue and decrease reliance on products with embedded risk. Natural person credit unions can also leverage CUSOs to collaborate on new joint ventures to better serve themselves and other credit unions.
Time and time again, new technologies over take old. New businesses enter a market and crush existing competitors. The companies, and business models, that survive have a major skill at their disposal: their ability to confront change. The corporate credit union model is being challenged and if corporates are going to survive, they need to confront that fact and embrace all the tools available to them to ensure that they do not become the credit union equivalent of the 8-track.
Credit unions, most of the time, tend to be sticks in the mud. We’ve got to be serious about people’s money, right? Take a clue from Nestle. You can be functional and still have fun at the same time.
Have a listen, it is hilarious!
There is one big, scary security hole in credit unions that most IT people pass over and I’ve never heard an auditor mention: domain registration and DNS hosting. Whoa, whoa, whoa, DNS sounds technical. And it is. But domain registration is very self explanatory. You’ve seen the GoDaddy commercials (or bought domains in a drunken stupor late at night) so you know who easy it is to purchase a domain name. Generally your domain registrar handles your DNS hosting for you. DNS is like the phone book of the internet. It takes godaddy.com and converts it to an IP address and then sends the request off to the correct web server. DNS controls your MX records, or email records, as well as where the domain name should be directed.
Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?
- Bad guy downloads all of the html of your website
- Bad guy posts the html of your website on a server he controls. It might not work fully, but it looks legit.
- Bad guy logs into GoDaddy (again, just an example) and tells abcfcu.org to point to his server instead of your server.
- Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
- Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
- And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.
Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?
First, follow normal security guidelines in regards to password management and computer security. Keep your anti-virus up-to-date. Use traffic monitoring and/or endpoint protection to disable any traffic outbound from your CU to a known bad guy website. Never, ever, ever write down a password. Etc, etc.
Secondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage which is not protected by an SSL. That means your username and password are sent as plain-text over the internet. Fail. So far only one domain registrar, name.com, has implemented mutli-factor authentication. And it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore do: an encrypted algorithm that cycles through a code every 30 seconds. In addition to your username and password being required to log into the site, name.com has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.
Currently, name.com is the only domain registrar doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise level services are vulnerable to comprise as Twitter can attest when their account a Dyn, a large DNS hosting company, was comprised and all of their traffic was redirected.
Credit unions are obsessed with security, but often, their obsessions are missed place. I’d be more concerned with a trojan virus getting on the network and implanting keyloggers on employee machines or this type of DNS redirection than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?
Thanks to everyone for attending the Credit Union Association of Oregon’s Youth Summit. It was an honor to speak to the group and I hope our session encouraged some creative thinking. Here is the presentation if you’d like to download it and keep it for your records.
Do I really care about the latest marketing campaign that XYZ Credit Union is doing? “Have you seen the video on YouTube by GenY Star? It would make the perfect national marketing campaign,” bleets many of the social media sheep in the credit union industry.
Do you know why most credit union CEO’s don’t blog and aren’t on Twitter? Because nothing important happens in the credit union blogosphere. Yeah, we all get to network, see what each other are doing, and maybe catch a pearl of wisdom here and there. But the bottom line is the important stuff, the game changing stuff, is never really talked about online. Changes to the member business lending cap. That’s a game changer. A partnership developed between FSCC, CUSC, PSCU, Fidelity, etc that enables all credit unions to become shared branches automatically. That’s a game changer.
I’ll bet we could fill an airplane with all the people in the credit union social media space. Literally. What would happen if that plane went down? Nothing. That’s right, nothing. Now imagine filling that plane with the CEO’s of the credit union leagues, trade associations, CUSO’s, and credit unions. We would have a catastrophe. Innovation would be ground to a halt. The real partnerships and collaborations that were happening, albeit on a small scale, would cease.
Tim McAlpine recent wrote on the CUES blog about using social media to advanced your career. And he is 100% right. Social media can help to get your name out there. But we in the social media blogosphere need a greater goal than getting 500 twitter followers or blog subscribers. Trey Reeme and I recently had a conversation about this issue of social media being disconnected from the important things in the industry. Daily life at a credit union isn’t glamorous and fun. It is trying to find a way to help a teller do a process 1 minute faster. It is about finding a better checking product to match up with the maturity of your credit card portfolio. It is about patterning with neighborhood credit unions to form a multi-owned business CUSO to get around an individual credit union’s business lending cap because a.) business loans are profitable and b.) members need them.
If a flood was coming to the credit union industry, would you be invited onto Noah’s Ark to weather the storm? Right now, I wouldn’t be. And I’m not going to stop fighting for the credit union industry until I am.
One of my most popular posts ever, probably for the evocative title, was Do stripper strip at home? Drawing more similarities between credit unions and strippers, the issue of taxation has come up. However, in this particular instance, the strippers are asking to be taxed.
In light of the poor economic and budgetary shape the city of New York is in, they are facing tax cuts to schools and the removal of programs. To help combat this shortfall of funds, and most likely for some good publicity, some strippers from Long Island are asking for a “pole” tax. Boiling down to a cover charge or door fee, stripping establishments would collect the fee with the specific purpose of sending that “tax” back to a local school. While entirely voluntary, the group of stripping advocates are lobbying to make this tax required by the state.
Sin taxes have existed for years on cigarettes, beer, liquor, tobacco, and the like while very few states have a stripping tax currently on the books. Some may call CRA a sin tax as well, forcing banks to reinvest, or pay a special tax depending on one’s point of view, into their local community. Seeing as credit union taxation is such a hot topic, what would happen if a CU stepped up and asked to be voluntarily taxed? A credit union could come out and say, “Because we care about our community so much, we’re going to pay a voluntary tax of 1% of our net income into the general school fund.” Would some CU’ers freak about calling it a tax rather than “community involvement”?