The Facebook Account of A Credit Union CEO

What do you suppose could happen if a person with malicious intent was able to gain access to the Facebook account of a credit union CEO? What about a corporate Twitter account? There has been an old hacking technique called HTTP Session Highjacking that has recently been brought to the front of the pack with the release of Firesheep by Eric Butler, and covered by TechCrunch.

When you sign in to an online service, such as your email, online banking, Facebook, or Flickr, the website gives your computer a session cookie. Generally, the login page is secured behind an SSL certificate, meaning that the traffic is encrypted and can’t be deciphered. However, as is the case with Facebook and Flickr, once you’ve logged into the service, you browse the site over regular HTTP that is not encrypted. Firesheep is an extension for Firefox that sniffs internet  traffic on a network and finds cookies from websites like Facebook. Since these cookies aren’t encrypted and you are browsing Facebook without any security, these cookies can easily be copied and a person identity can be spoofed very easily. Firesheep makes this as easy as installing the plugin and click a button. It sits there and gathers all of the cookie traffic across a network and present you with the results, let you click on more button and logging into the Facebook account of someone.

Where Firesheep is incredibly scary is on unsecured wireless networks. Think Starbucks, McDonalds, and hotels. Now think about how many credit union employees use services like that when they travel. I’ve used an unencrypted wifi network every week this month where someone could have logged into my Facebook account, done whatever they wished, and I never would have been the wiser until a friend called me and asked if I really wanted $1000 wired to Western Union in the Netherlands.

Credit unions need to realize a few key things:

  1. With this issue, unencrypted wifi isn’t the devil. It is the websites that your users visit that don’t have end to end security (SSL).
  2. Your employees are going to use free wifi with the corporate assets, whether you like it or not.
  3. You need to have the tools in place to minize the risk of this happening to your CEO.

So how can credit unoions, their employees, and regular users prevent issues like this?

  • Your credit union probably already has VPN access. Force your remote users to VPN back to the CU to go out the to internet. While traffic could still get intercepted once it leaves the credit union, it makes it much more challenging.
  • Make 100% sure that all of the assets in online banking, including images and remote scripts, are all behind an SSL.
  • Put your entire member facing website behind an SSL. An extended validation SSL is all the better.
  • Avoid using unencrypted wifi access points at all costs.
  • Educated your staff on the security issues with unencrypted wifi and the appropraite use of strong passwords.

Banning the use of wifi, Facebook, or whatever else isn’t the solution here. The best way to solve these issues is to educate your employees or users so they understand the ramifications of using insecure technology.

The Most Overlooked Aspect in Credit Union Security

There is one big, scary security hole in credit unions that most IT people pass over and I’ve never heard an auditor mention: domain registration and DNS hosting. Whoa, whoa, whoa, DNS sounds technical. And it is. But domain registration is very self explanatory. You’ve seen the GoDaddy commercials (or bought domains in a drunken stupor late at night) so you know who easy it is to purchase a domain name. Generally your domain registrar handles your DNS hosting for you. DNS is like the phone book of the internet. It takes godaddy.com and converts it to an IP address and then sends the request off to the correct web server. DNS controls your MX records, or email records, as well as where the domain name should be directed.

Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?

  1. Bad guy downloads all of the html of your website
  2. Bad guy posts the html of your website on a server he controls. It might not work fully, but it looks legit.
  3. Bad guy logs into GoDaddy (again, just an example) and tells abcfcu.org to point to his server instead of your server.
  4. Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
  5. Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
  6. And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.

Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?

First, follow normal security guidelines in regards to password management and computer security. Keep your anti-virus up-to-date. Use traffic monitoring and/or endpoint protection to disable any traffic outbound from your CU to a known bad guy website. Never, ever, ever write down a password. Etc, etc.

VeriSign Identity Protection LogoSecondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage which is not protected by an SSL. That means your username and password are sent as plain-text over the internet. Fail. So far only one domain registrar, name.com, has implemented mutli-factor authentication. And it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore do: an encrypted algorithm that cycles through a code every 30 seconds. name.com VIP Program screenshotIn addition to your username and password being required to log into the site, name.com has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.

Currently, name.com is the only domain registrar doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise level services are vulnerable to comprise as Twitter can attest when their account a Dyn, a large DNS hosting company, was comprised and all of their traffic was redirected.

Credit unions are obsessed with security, but often, their obsessions are missed place. I’d be more concerned with a trojan virus getting on the network and implanting keyloggers on employee machines or this type of DNS redirection than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?

Free Things IT Can Do Webinar

We just finished up the first webinar with CU Tech Talk on Free Things IT Can Do to Improve Efficiency and Member Satisfaction. Here’s the presentation for those interested.

Click here to download the PDF version of this presentation.

Auditing the cloud

Cloud computing this, distributed computing that. People hate buzzwords. Cloud computing however, is one you will have to put in your dictionary eventually, if you haven’t already. We’re big fans of cloud computing. It can dramatically change the way that financial institutions leverage infrastructure and their capital. But, cloud computing is still in its infancy. One of the first things most people ask about the cloud is, “Is it secure?” Most of the time, the answer is yes. But for financial institutions, that isn’t good enough. We have to prove it and that’s where it gets a little tricky.

Most financial institutions have robust policies in place allowing their supervisory committee, external auditors, or other vendors access to reports and analysis on the security measures in place. Not just alarms and panic buttons, but also teller and cash drawer controls, dual-custody policies, password policies, remote access policies, and board bylaws. As cloud computing becomes more of the norm, IT will need to demonstrate the security measures in place surrounding their cloud infrastructure.

Windows Azure LogoThe Windows Azure Platform is one of the newer entries into the cloud computing market. Created and run by Microsoft, Azure will be come a very popular selection for cloud computing needs simply because it is owned and operated by Microsoft. They claim to have completed a SAS 70 Type I and Type II audit on their “cloud platform”, which is one of the key factors for financial institutions, but they don’t specify that it is for their Azure platform, nor is it available for download. Either of those factors could be a stumbling block for credit unions or banks.

SQL Azure LogoSQL Azure, Microsoft’s database cloud offering, provides some excellent alternatives for database hosting. Rather than paying expensive licensing fees or hosting fees, a company can use Microsoft’s very robust and redundant infrastructure to host their databases. Even Microsoft’s cloud is still an infant though. Currently, their SQL Azure offering has no server level auditing in place. While logical, as many people are sharing a virtualized database and access restrictions are need, it also prevents users from verifying that no one else is logging in to or otherwise gaining access to their resources. Very few auditing choices exist today for SQL Azure, as demonstrated in this article.

Rackspace LogoRackspace, on the other hand, has a very descriptive page detailing their expertise and certifications, including their SAS 70 Type II and their PCI compliance. Their SAS 70 is able to be downloaded and their PCI compliance also presents a unique security offering to financial institutions, helping them be more confident in their choice of a cloud provider.

Cloud computing is going to become the norm in the financial industry. It may take the form of private clouds or stay public, but technology infrastructure is going to become a utility. Just like we pay for electricity now, we’ll pay for computing resources as well. If your FI is looking to make the move into cloud computing, start with baby steps. Don’t put member information up there quite yet. Start with your public facing website then move your intranet. Start experimenting, but keep in mind the many security and auditing concerns that exist today.

Sensitive Compartmented Information (and your money)

For those with military experience out there, you may be familiar with SCI. Actually, you probably can neither confirm nor deny your SCI or non-SCI status. Regardless, for those not in the know, SCI is the step above top secret. You’ve heard the old saying, “It is on a need to know basis, and you don’t need to know!” Unfortunately, most online transactions performed today do not follow rules anywhere close to that, even though they don’t really need to know.

Ars TechnicaEveryone in the industry is familiar with the Heartland breach, the TJ Maxx theft, and probably half-a-dozen others. Too bad retailers, both brick and mortar and online, don’t believe in SCI. Of all the players in the industry, Microsoft has recently stepped up with a program they’ve dubbed “U-Prove“. U-Prove works with a model similar to SCI, in that it only gives the information necessary to complete a transaction and nothing else. A recent Ars Technica article has offered some editorial insights:

On the other hand, there’s no reason why a storefront like, say, iTunes, needs to know your identity; it only needs to know that the money being handed over is yours to hand over.

To use a credit card on iTunes, I have to hand over so much information that Apple, if it was a bad actor, could masquerade as me. I can’t just give Apple some electronic money; instead, I have to give them my name, address, and credit card number. In practice, the real problem with me handing over so much info to iTunes isn’t that Apple might pretend to be me—with billions in the bank the company doesn’t really need to charge things to my credit card, after all—but that hackers (both external and internal) might take this stored data and use it for their own nefarious purposes.

U-Prove aims to stop organizations from being forced to collect excessive information from their customers when, in reality, it is not needed. To the contributor’s first quote, Apple doesn’t really need to know all of my info, just that the money I’m sending them is good. Microsoft has open-sourced the U-Prove framework, enabling other applications to use the protocols. U-Prove, using a combination of many cryptographic solutions, creates a one-time unique and secure key with the necessary information contained within it, which is then decoded and used by the organization requesting the transaction.

As is the case with any new technology, adoption is always going to be the hardest part. Some retailers, such as the Amazon example used the in Ars Technica article, will not welcome the U-Prove framework as it removes many key data mining aspects of their business. Amazon doesn’t really need to know your age, unless of course you are subscribing to Playboy or buying a CD with explicit lyrics, but they use that information extensively in their advertising. In much the same way, Apple has no need for your address when purchasing a song, but they can use that information to determine the best location to place their next store, geographic and contextual marketing, and potentially track down problems in their supply and distribution chain.

The U-Prove framework has the potential to be a game changer for the way business and individuals transfer information between one another, but the implementation and adoption hurdle will be a large hill to overcome. Microsoft has begun implementing U-Prove within some of their own products such as Active Directory and some of their web technologies. Even with this show of good faith, convincing other organizations to limit the amount of data they can collect from their customers, all in the sake of privacy and security, will be a challenge.

Is U-Prove the correct way to diminish some of the risk associated with breaches like Heartland and TJ Maxx by limiting the amount of data exposed on a need-to-know basis only or are the implementation challenges to great to overcome?

Who knew monkeys could be cool

As I mentioned in my last post, all of my email subscribers (thanks Mom) will be treated to a new, and way better, email version of this site.  Previously, we were using Feedburner to deliver email, but we moved to MailChimp last week for this blog as well as any jobs we do for our clients.  I’ve used ConstantContact and PoliteMail in the past, but I love everything that MailChimp can do.

I’ve moved the list from Feedburner over to MailChimp and also added the option to get emails as we post them or to get a weekly digest edition.  If you’d like to get an special edition of this blog emailed to you as it is updated, please subscribe here. And if you’d like to update your preferences on receiving email from us, simply click the link of the bottom of the email. And if you have any problems pop up or any questions, don’t hesitate to let me know!

I also have an extra copy of The 10 Faces of Innovation from Ideo laying around my office and at the end of the week, I’ll pick a random email subscriber to mail it to. So make sure you sign up!

Don't get filtered out

I mentioned a few posts back about a company called OpenDNS that provides a recursive DNS service. That’s a fancy way of saying that they are the phone book for the internet and translate IP addresses into people-friendly domains like cuna.org. Every computer that you get on points to a DNS server, whether is is provided by your ISP, your employer, OpenDNS, or now Google.

Similar to other freemium models, OpenDNS provides a free service but also a paid subscription model, both to individuals and businesses. In all levels of their account, OpenDNS has a very robust content filtering mechanism in place. Basically, a domain is tagged by the OpenDNS community and placed into a category. These categories can then be filtered out.  For instance, if your credit union or employer used the OpenDNS product, they could simply check a box in the configuration and not allow any traffic to any site that has been classified as chat, adult, adware, malware, nudity, etc. This would prevent a great number of visits to websites that could be harmful to the network of the credit union. Many credit unions already have a filtering system in place to prevent access to certain types of sites and OpenDNS is just another mechanism to accomplish that.

In my credit union community service act of the week, I took all of the website addresses for credit unions out of the call report data, uploaded them to OpenDNS, and tagged all of them as “Financial Institution”. Don’t worry, it wasn’t that hard. There were only about 7000. Only about 3% of credit union websites were listed, which could potentially lead to some of those websites being blocked for users of OpenDNS. With nearly 20 billion DNS requests handle per day, OpenDNS is becoming a large provider of these services and thus CU’s need to ensure that their members can reach their website.

I have uploaded and tagged all of the credit union url’s, but now they have to be voted on by the community to ensure the tags are accurate. To check your website and vote on the category it is placed in, go to the OpenDNS Domain Tagging page. In the upper, right-hand corner, enter in your website address and vote “Yes” to ensure it is placed in the Financial Institution category. If you run other public facing subdomains, such as blog.mycu.org or onlinebanking.mycu.org, you can add those domains as well.

Phish TankOpenDNS also runs another project called PhishTank, which is something that will most likely hit all of us by some point. PhishTank works exactly like OpenDNS, in that the community can submit phishing attempts to the website and it then gets voted on. This data can then be used by law enforcement or the company that is being phished to educate their members. OpenDNS also uses this data to possibly filter these phishing sites and prevent users from going to a confirmed site.

So if you’ve got 30 seconds, go to OpenDNS, look up your CU’s website, or your own, and vote to make sure that it is in the correct category. You wouldn’t want your site to be inaccessible to your members!

In the spirit of giving, should I do this using all of the FDIC for the banks, assuming that their website addresses are in the data?

UPDATE: I also uploaded all of the FDIC bank url data as well.  So if you are a banker out there, go vote for your website as well.

Don't be so serious

In my recent quest to clean up the website and try to squeak out some performance gains, I have been looking at different CDN (Content Delivery Network) providers to host all of my static files, like images.  Rackspace has a service they call Cloud Files that enables you to save files to the proverbial “cloud” for $.15 per GB, exactly like Amazon’s S3 offering.  Rackspace, however, has a CDN built in to their online file storage.  Long story short, I went to their site to sign up and try it out.

What in the world does this have to do with credit unions?  Well, I never finished the sign-up process and the next day I received this email:

How cool is that!  Not only can they tell that I didn’t finish the setup process, but they are providing me an incentive to come back and finish.  Credit unions are just beginning to get into opening accounts online, but they can take a page out of the Rackspace playbook.  First off, they have the technology to make this happen, so make sure your online account vendor can do this.  Secondly, they don’t take any kind of holier-than-thou attitude about why the potential member didn’t finish.  Finally, they provide an incentive to come back.  “Outbound calling”, aka hounding indirect auto loan customers, would do well with some like this.

Here’s my version:

Hey Joe,

We noticed that you didn’t complete your online (insert product name here) application yesterday.  If you have any questions about the process or just need someone to talk to, feel free to give me a call directly at 888-888-8888 or call into our Member Service Center at 888-8888-7777.  Oh, and by the way, we really value the business of all of our members, so if you’d like to finish the application online or come into a branch, enter in your discount code of ALMOSTGOTAWAY and we’ll give you another .5% on your (insert product name here).

Robbie Wright

ABC Credit Union

Windows unsafe for online banking

Take a look for yourself here.

What a load of crap.  That’s like saying people die wearing seat belts, thus it must be the seat belt’s fault so you shouldn’t wear your seat belt.  The reason there are so many viruses and malware for Windows is because it is such a big “prize” for hackers.  MS owns the desktop OS market, thus making them the biggest target.  If you were going to rob a bank, wouldn’t you pick the branch that had the most money in it?  It doesn’t make much sense to write a virus for Linux because it owns such a small portion of the market that the payoff would be nothing.

The FFIEC guidelines for multi-factor authentication are a pain.  But the concept behind MFA is a must.  There are three ways to identify someone online: something they know (Q&A), something they are (bio-metrics or computer ID), and something they have (cell phone or email).  If an FI really, truly applies 2 of those factors, it will make it nearly impossible to directly hack a person’s account.  The article speaks of the proverbial “man in the middle” attack in which a hacker somehow manages to gain access to the user’s password, either through a keylogger or a fictitious webpage made to look like the real thing.  Both of these are easy to stop:

  1. Don’t download anything from anyone you don’t know.
  2. Don’t install anything from anyone you don’t know.
  3. Don’t follow a link to an FI website, type it in or bookmark it yourself.
  4. Look at the url of the webpage you are on and make sure it says mycu.com.

Now some will argue that most people aren’t smart enough to figure that out on their own.  True, it is possible to build such a great phishing site that even an employee couldn’t tell the difference, but it is highly unlikely.  This is where the FI has to step in.  Companies like Trusteer have built a glorified browser add-on, but it works.  It prevents any type of keylogging software from detecting what is being typed into the webpages that the browser is serving up.  They’ve done the right thing and they count on the users machine already being infected.  Additionally, FI’s could help with 3 and 4 by offering other security measures like RSA keys.  Make it optional for users if they want it or if a member has had fraud on their account, make it mandatory.

However FI’s and online banking companies handle their security, two things need to happen: The users have to take some responsibility for their actions (don’t log into phishing sites or download shady applications) and FI’s have to offer appropriate security measures to make unauthorized access to someone’s account extremely difficult.