CU’s and Earth Day

Seeing as today is Earth Day (really every day should be Earth Day), I was trying to think of a good way for CU’s to participate.

HSBC has their “Virtual Forest” for switching to e-statements and quite a few institutions are going the carbon neutral route.

How difficult would it be for a CU to install solar panels on the roofs of their branches?  If the branch had a large enough array of panels, it would be entirely possible for the branch to actually create enough solar energy to run the branch and sell energy back to the power company.  There’s a new CUSO idea…

Let’s go phishing

Phishing sucks. There’s very little we can do to prevent it and once it happens it can take days before the situation can be resolved.

Everyone’s heard the phrase, “the best defense is a good offense”. So could we go on the offensive against phishers? And by offensive, I mean launch a brute force denial of service attack against the offending site.

We could write a small web-based program and give it to any participating CU to load onto one (or all) of their web servers. When a CU in the coop gets phished, they log onto a secure server and initiate a new attack. The main site/program would kick off the clients installed on the other CU’s web servers and initiate an attack against the offending server, hopefully bringing the phishing site to its knees.

Yes, there are massive security concerns with this. What if a hacker gains access to our secure server and uses all of the participating CU’s to launch an attack against a valid web site? What if a phisher hacks into a genuine business site and phishes from there? We’d bring down both the phishing site as well as the valid business site. The list goes on… On the other hand, wouldn’t it be nice for the CU industry to have a tool for immediate use to stop phishers?

Update — I must give credit where credit is due, and one of my co-workers, Alex, and I spoke about this idea months ago. Great thinking Alex!

Lambeth Savings & CU in Google Groups

Congrats to Lambeth Savings and CU (in the UK) for being the first credit union to use Google Groups as an outlet for speaking with members. View their Google Groups page here.

As I’ve posted about previously, I believe that CU’s have an opportunity to use Google Groups not only for public communication with members, but also as a means of communication with each other. It’s a great way for CU’s to share info. also possess the possibility of facilitating those conversations, but it appears nobody but spammers are contributing to the conversation.

MFA not all it’s cracked up to be

Christopher Soghoian at Slight Paranoia has a great example of how MFA isn’t the end-all-be-all some wanted it to be.

In his article, A Deceit-Augmented Man In The Middle Attack Against Bank of America’s SiteKey ® Service, he demonstrates how a phisher can bypass elements of image-based MFA, such as SiteKey. They even have a video!

CU’s need to carefully review their MFA policies and the software they have in place to monitor their online security.

See our own post here about BofA and SiteKey security flaws.