The Facebook Account of A Credit Union CEO

What do you suppose could happen if a person with malicious intent was able to gain access to the Facebook account of a credit union CEO? What about a corporate Twitter account? There is an old hacking technique called HTTP Session Hijacking that has recently been brought to the front of the pack with the release of Firesheep by Eric Butler, and covered by TechCrunch.

When you sign in to an online service, such as your email, online banking, Facebook, or Flickr, the website gives your computer a session cookie. Generally, the login page is secured behind an SSL certificate, meaning that the traffic is encrypted and can’t be deciphered by anyone watching the network. However, as is the case with Facebook and Flickr, once you’ve logged into the service, you browse the site over regular HTTP that is not encrypted. Firesheep is an extension for Firefox that sniffs internet traffic on a network and finds cookies from websites like Facebook. Since these cookies aren’t encrypted and you are browsing Facebook without any security, they can easily be copied and a person’s identity spoofed. Firesheep makes this as easy as installing the plugin and clicking a button. It sits there, gathers all of the cookie traffic across the network, presents you with the results, and lets you click one more button to log into someone’s Facebook account.

Where Firesheep is incredibly scary is on unsecured wireless networks. Think Starbucks, McDonalds, and hotels. Now think about how many credit union employees use services like that when they travel. I’ve used an unencrypted wifi network every week this month where someone could have logged into my Facebook account, done whatever they wished, and I never would have been the wiser until a friend called me and asked if I really wanted $1000 wired to Western Union in the Netherlands.

Credit unions need to realize a few key things:

  1. With this issue, unencrypted wifi isn’t the devil. It is the websites that your users visit that don’t have end-to-end security (SSL).
  2. Your employees are going to use free wifi with the corporate assets, whether you like it or not.
  3. You need to have the tools in place to minimize the risk of this happening to your CEO.

So how can credit unions, their employees, and regular users prevent issues like this?

  • Your credit union probably already has VPN access. Force your remote users to VPN back to the CU to go out to the internet. While traffic could still get intercepted once it leaves the credit union, it makes it much more challenging.
  • Make 100% sure that all of the assets in online banking, including images and remote scripts, are all behind an SSL.
  • Put your entire member facing website behind an SSL. An extended validation SSL is all the better.
  • Avoid using unencrypted wifi access points at all costs.
  • Educate your staff on the security issues with unencrypted wifi and the appropriate use of strong passwords.
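Two of the items above are things you can actually test for rather than take on faith: that every asset on a logged-in page (images, scripts) loads over SSL, and that the session cookie is only ever sent over SSL (the `Secure` flag). The following is an added example, not code from the original post; it audits a constructed sample HTML page and response headers for a hypothetical online banking site, flagging any `http://` asset references and any cookie set without `Secure`. It also checks for the `Strict-Transport-Security` header, which tells browsers never to use plain HTTP for the site at all; that header is newer than the post’s advice but addresses exactly the “browse over regular HTTP after login” problem.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample: response headers and HTML for a hypothetical
# online banking page (examplecu.test is not a real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),   # missing Secure
    ("Set-Cookie", "prefs=en; Path=/; Secure"),
]
SAMPLE_HTML = """
<html><body>
<img src="http://static.examplecu.test/logo.png">
<script src="https://cdn.examplecu.test/app.js"></script>
<script src="//cdn.examplecu.test/analytics.js"></script>
<img src="/images/local.png">
</body></html>
"""

# Matches src/href attributes of the tags that trigger sub-resource loads.
ASSET_RE = re.compile(
    r'<(?:img|script|link|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["\']([^"\']+)["\']',
    re.I,
)


def find_plaintext_assets(html: str) -> list[str]:
    """Return every asset URL that would be fetched over unencrypted HTTP.

    Protocol-relative (//host/...) and root-relative (/path) URLs inherit
    the page's scheme, so they are fine as long as the page itself is HTTPS.
    """
    return [
        url for url in ASSET_RE.findall(html)
        if urlparse(url).scheme.lower() == "http"
    ]


def insecure_cookies(headers: list[tuple[str, str]]) -> list[str]:
    """Return names of cookies set without the Secure flag.

    Without Secure, the browser will send the cookie on any plain-HTTP
    request to the site, which is exactly what a sniffer on open wifi needs.
    """
    names = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                names.append(name)
    return names


def has_hsts(headers: list[tuple[str, str]]) -> bool:
    """True if the response sets Strict-Transport-Security."""
    return any(k.lower() == "strict-transport-security" for k, _ in headers)


def audit(headers: list[tuple[str, str]], html: str) -> dict:
    """Combine the three checks into one report for the page."""
    return {
        "plaintext_assets": find_plaintext_assets(html),
        "insecure_cookies": insecure_cookies(headers),
        "hsts": has_hsts(headers),
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{finding}: {detail}")
```

Run it against a real page by replacing the constructed sample with the headers and body you fetch from your own online banking host; anything in `plaintext_assets` or `insecure_cookies` is a mixed-content or cookie-exposure finding to fix before worrying about which coffee shop your CEO is sitting in.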

Banning the use of wifi, Facebook, or whatever else isn’t the solution here. The best way to solve these issues is to educate your employees or users so they understand the ramifications of using insecure technology.

The Most Overlooked Aspect in Credit Union Security

There is one big, scary security hole in credit unions that most IT people pass over and I’ve never heard an auditor mention: domain registration and DNS hosting. Whoa, whoa, whoa, DNS sounds technical. And it is. But domain registration is self-explanatory. You’ve seen the GoDaddy commercials (or bought domains in a drunken stupor late at night) so you know how easy it is to purchase a domain name. Generally your domain registrar handles your DNS hosting for you. DNS is like the phone book of the internet. It converts godaddy.com to an IP address so your browser can send its request to the correct web server. DNS controls your MX records, or email records, as well as where the domain name should be directed.

Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?

  1. Bad guy downloads all of the html of your website
  2. Bad guy posts the html of your website on a server he controls. It might not work fully, but it looks legit.
  3. Bad guy logs into GoDaddy (again, just an example) and tells abcfcu.org to point to his server instead of your server.
  4. Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
  5. Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
  6. And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.

Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?

First, follow normal security guidelines in regards to password management and computer security. Keep your anti-virus up-to-date. Use traffic monitoring and/or endpoint protection to disable any traffic outbound from your CU to a known bad guy website. Never, ever, ever write down a password. Etc, etc.

Secondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage which is not protected by an SSL. That means your username and password are sent as plain-text over the internet. Fail. So far only one domain registrar, name.com, has implemented multi-factor authentication. And it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore do: a time-based algorithm that generates a new code every 30 seconds. In addition to your username and password being required to log into the site, name.com has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.

Currently, name.com is the only domain registrar doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise level services are vulnerable to compromise, as Twitter can attest: their account at Dyn, a large DNS hosting company, was compromised and all of their traffic was redirected.
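Step 6 of the scenario above, changing the records after hours and changing them back before you open, only works if nobody is watching the records. A cheap countermeasure is a scheduled job that compares what DNS currently answers for your domain with what you expect and alerts on any difference. The following is an added example, not code from the original post: the domain names, IP addresses and the “observed” answers are constructed (abcfcu.example and the 192.0.2.x / 198.51.100.x ranges are reserved for documentation), and the lookup is a stub so the script runs offline; in production you would swap in a real resolver call.

```python
from typing import Callable, Iterable

# Baseline: the records you expect to see. Constructed values; in practice
# you record these once from your registrar / DNS host control panel.
EXPECTED = {
    ("abcfcu.example", "A"): {"192.0.2.10"},
    ("abcfcu.example", "MX"): {"mail.abcfcu.example."},
    ("onlinebanking.abcfcu.example", "A"): {"192.0.2.20"},
}

Lookup = Callable[[str, str], Iterable[str]]


def observed_lookup_stub(name: str, rtype: str) -> set[str]:
    """Constructed stand-in for a live DNS query. It simulates the
    after-hours redirect: the apex A record now points somewhere else.
    Replace with a real resolver, e.g. dnspython's dns.resolver.resolve,
    mapping each answer to a string."""
    fake_answers = {
        ("abcfcu.example", "A"): {"198.51.100.7"},          # changed!
        ("abcfcu.example", "MX"): {"mail.abcfcu.example."},
        ("onlinebanking.abcfcu.example", "A"): {"192.0.2.20"},
    }
    return fake_answers.get((name, rtype), set())


def check_drift(expected: dict, lookup: Lookup) -> list[dict]:
    """Compare every expected record set with the live answer.

    A record that resolves to extra, missing or different values is a
    finding. An empty answer (NXDOMAIN or timeout) is also a finding,
    since a domain that stops resolving is just as bad for members.
    """
    findings = []
    for (name, rtype), want in expected.items():
        got = set(lookup(name, rtype))
        if got != want:
            findings.append({
                "name": name,
                "type": rtype,
                "expected": sorted(want),
                "observed": sorted(got),
            })
    return findings


def format_alert(findings: list[dict]) -> str:
    """Human-readable summary suitable for an email or pager message."""
    if not findings:
        return "DNS OK: all records match baseline"
    lines = ["DNS DRIFT DETECTED:"]
    for f in findings:
        lines.append(
            f"  {f['name']} {f['type']}: expected {f['expected']}, "
            f"observed {f['observed']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Schedule this (cron, Task Scheduler) every few minutes and send the
    # output somewhere a human will see it at 2 a.m.
    print(format_alert(check_drift(EXPECTED, observed_lookup_stub)))
```

Two refinements worth making once the basic job runs: query from more than one resolver (your ISP’s and a public one) so a change at the authoritative servers shows up regardless of caching, and include the MX record as above, because the email redirect in step 5 is the part that otherwise goes unnoticed the longest.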

Credit unions are obsessed with security, but often, their obsessions are misplaced. I’d be more concerned with a trojan getting on the network and implanting keyloggers on employee machines, or this type of DNS redirection, than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?

Action Items: Free (or near free) Ideas for Credit Unions

Two weeks ago, I got on my little soapbox and wrote about how credit unions and the blogosphere are stuck on inactivity. In the spirit of helping to resolve that issue, I’ve decided to launch a new section of the site called “Action Items”. As you may have guessed, it will include things that almost any credit union can do, as most ideas will be free, or darn close to free. If the idea is highly technical, I’ll try and include as many details and instructions as possible. If the idea needs a CPA, then the same promise will apply. I’ll do my best to provide as many details and instructions as I can.

Most everyone has heard of SMART goals before. In my experience, no product launch, job, home improvement project, or run will succeed without them. So here is my SMART for Action Items:

Specific: CU Innovators will provide actionable items for credit unions of all sizes to digest and implement within their organization.

Measurable: Each idea must have a metric on which to be measured against, i.e. reduction of budget, increased website traffic, or added efficiency.

Actionable: Credit unions of all shapes, asset sizes, and hair colors should be able to accomplish each idea.

Realistic: All ideas, concepts, or products must be grounded in reality. For example, not all credit unions could send someone to a BarCampBank, mainly from a budget standpoint and depending on the location of the BarCampBank.

Time-bound: We’ll strive to produce an idea every two weeks, or roughly 25 ideas for 2010. Credit unions must also be able to implement said idea with less than one day of actual work. Committees, debating, and political maneuvering don’t count.

I know every so often I get hit by a blinding flash of the obvious and say something along the lines of, “I wish every credit union was doing this” or “Wow, it can’t be that simple, can it?” If that ever happens to you and you see an idea in action that you think every credit union should do, let us know. Email us at freeideas@cuinnovators.com, we’ll do some due diligence, and then see how we can get more credit unions to do it!

You can find the new section of action items for credit unions under the Blog link on our main navigation.

Don't get filtered out

I mentioned a few posts back a company called OpenDNS that provides a recursive DNS service. That’s a fancy way of saying that they are the phone book for the internet and translate people-friendly domains like cuna.org into IP addresses. Every computer that you get on points to a DNS server, whether it is provided by your ISP, your employer, OpenDNS, or now Google.

Similar to other freemium models, OpenDNS provides a free service but also a paid subscription model, both to individuals and businesses. At all account levels, OpenDNS has a very robust content filtering mechanism in place. Basically, a domain is tagged by the OpenDNS community and placed into a category. These categories can then be filtered out. For instance, if your credit union or employer used the OpenDNS product, they could simply check a box in the configuration and not allow any traffic to any site that has been classified as chat, adult, adware, malware, nudity, etc. This would prevent a great number of visits to websites that could be harmful to the network of the credit union. Many credit unions already have a filtering system in place to prevent access to certain types of sites, and OpenDNS is just another mechanism to accomplish that.

In my credit union community service act of the week, I took all of the website addresses for credit unions out of the call report data, uploaded them to OpenDNS, and tagged all of them as “Financial Institution”. Don’t worry, it wasn’t that hard. There were only about 7000. Only about 3% of credit union websites were already listed, which could potentially lead to some of those websites being blocked for users of OpenDNS. With nearly 20 billion DNS requests handled per day, OpenDNS is becoming a large provider of these services and thus CUs need to ensure that their members can reach their website.

I have uploaded and tagged all of the credit union URLs, but now they have to be voted on by the community to ensure the tags are accurate. To check your website and vote on the category it is placed in, go to the OpenDNS Domain Tagging page. In the upper right-hand corner, enter your website address and vote “Yes” to ensure it is placed in the Financial Institution category. If you run other public facing subdomains, such as blog.mycu.org or onlinebanking.mycu.org, you can add those domains as well.

OpenDNS also runs another project called PhishTank, which is something that will most likely hit all of us at some point. PhishTank works exactly like OpenDNS, in that the community can submit phishing attempts to the website and they then get voted on. This data can then be used by law enforcement or the company that is being phished to educate their members. OpenDNS also uses this data to filter these phishing sites and prevent users from going to a confirmed site.

So if you’ve got 30 seconds, go to OpenDNS, look up your CU’s website, or your own, and vote to make sure that it is in the correct category. You wouldn’t want your site to be inaccessible to your members!

In the spirit of giving, should I do this using all of the FDIC data for the banks, assuming that their website addresses are in the data?

UPDATE: I also uploaded all of the FDIC bank URL data as well. So if you are a banker out there, go vote for your website as well.