The Most Overlooked Aspect in Credit Union Security

There is one big, scary security hole in credit unions that most IT people pass over and I’ve never heard an auditor mention: domain registration and DNS hosting. Whoa, whoa, whoa, DNS sounds technical. And it is. But domain registration is very self explanatory. You’ve seen the GoDaddy commercials (or bought domains in a drunken stupor late at night) so you know who easy it is to purchase a domain name. Generally your domain registrar handles your DNS hosting for you. DNS is like the phone book of the internet. It takes and converts it to an IP address and then sends the request off to the correct web server. DNS controls your MX records, or email records, as well as where the domain name should be directed.

Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?

  1. Bad guy downloads all of the html of your website
  2. Bad guy posts the html of your website on a server he controls. It might not work fully, but it looks legit.
  3. Bad guy logs into GoDaddy (again, just an example) and tells to point to his server instead of your server.
  4. Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
  5. Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
  6. And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.

Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?

First, follow normal security guidelines in regards to password management and computer security. Keep your anti-virus up-to-date. Use traffic monitoring and/or endpoint protection to disable any traffic outbound from your CU to a known bad guy website. Never, ever, ever write down a password. Etc, etc.

VeriSign Identity Protection LogoSecondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage which is not protected by an SSL. That means your username and password are sent as plain-text over the internet. Fail. So far only one domain registrar,, has implemented mutli-factor authentication. And it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore do: an encrypted algorithm that cycles through a code every 30 seconds. VIP Program screenshotIn addition to your username and password being required to log into the site, has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.

Currently, is the only domain registrar doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise level services are vulnerable to comprise as Twitter can attest when their account a Dyn, a large DNS hosting company, was comprised and all of their traffic was redirected.

Credit unions are obsessed with security, but often, their obsessions are missed place. I’d be more concerned with a trojan virus getting on the network and implanting keyloggers on employee machines or this type of DNS redirection than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?

4 thoughts on “The Most Overlooked Aspect in Credit Union Security”

  1. Another recommendation is 24/7 monitoring services that work like an alarm and alert you when ever any web site code or DNS settings have been changed. Expensive yes… but an added value of security to protect your site and members.

  2. Nice article. One correction:

    “Picking on GoDaddy again, but you log into your account on their homepage which is not protected by an SSL. That means your username and password are sent as plain-text over the internet.”

    A quick look at GoDaddy’s homepage source shows that the user name and password are in fact protected by SSL. It is NOT sent “as plain-text over the internet.”

    Cost conscious CU’s should consider for low cost website and DNS monitoring.

  3. @David, thanks for the correction. I was always under the assumption that anything on on HTTP page could never be sent encrypted, but I stand corrected. And I can’t over stress website monitoring like that either. It is a great tool, relatively inexpensive, and totally worth the cost.

  4. Good article Robbie, thanks. To add a couple of points, when we review the domain situations for our clients we also recommend that they purchase the other domain extensions if they don’t own them already. So if you have also grab .net .com if you can. It limits the ease of phishing possibilities and is cheap enough to do.

    Secondly, also consider buying domains that could also demean the institution. For example, I’ve seen disgruntled members go out and buy to setup a site to denounce using that credit union. Google picks up that traffic and when people search you definitely don’t want that link showing up next to yours…guess which one they’ll click first probably. We say, buy them yourself and just redirect the URL back to your home site. Little extra thought on these may cost you a few more dollars, but is easier than the reputation hit it may cause.

Leave a Reply

Your email address will not be published. Required fields are marked *