The Most Overlooked Aspect in Credit Union Security

There is one big, scary security hole in credit unions that most IT people pass over, and I’ve never heard an auditor mention it: domain registration and DNS hosting. Whoa, whoa, whoa, DNS sounds technical. And it is. But domain registration is very self-explanatory. You’ve seen the GoDaddy commercials (or bought domains in a drunken stupor late at night), so you know how easy it is to purchase a domain name. Generally your domain registrar handles your DNS hosting for you. DNS is like the phone book of the internet. It takes a domain name, converts it to an IP address, and then sends the request off to the correct web server. DNS controls your MX records, or email records, as well as where the domain name itself should be directed.

Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?

  1. Bad guy downloads all of the HTML of your website.
  2. Bad guy posts the HTML of your website on a server he controls. It might not work fully, but it looks legit.
  3. Bad guy logs into GoDaddy (again, just an example) and tells it to point your domain at his server instead of your server.
  4. Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
  5. Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
  6. And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.

Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?

First, follow normal security guidelines regarding password management and computer security. Keep your anti-virus up to date. Use traffic monitoring and/or endpoint protection to block any traffic outbound from your CU to a known bad-guy website. Never, ever, ever write down a password. Etc., etc.

Secondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage, which is not protected by SSL. That means your username and password are sent as plain text over the internet. Fail. So far only one domain registrar has implemented multi-factor authentication, and it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore do: a secret-keyed algorithm that cycles to a new code every 30 seconds. In addition to requiring your username and password to log into the site, that registrar has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.

Currently, that registrar is the only one doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise-level services are vulnerable to compromise, as Twitter can attest: when their account at Dyn, a large DNS hosting company, was compromised, all of their traffic was redirected.
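The redirection scenario earlier in the post (website pointed at someone else's server, MX records pointed at someone else's mail server, possibly flipped after hours and flipped back before opening) shows up in DNS as a change to your A, MX or NS records. One way to catch it is to keep an approved baseline of those records and diff live answers against it on a schedule that includes the overnight hours. The following is an added example, not code from the post: the comparison logic with constructed baseline and observed record sets (placeholder `.test` domains and documentation IP ranges). A live lookup helper for A records uses only the standard library; MX and NS lookups need a resolver library such as dnspython, which is assumed for production use and not shown.

```python
import socket
from dataclasses import dataclass

# Record types worth watching: A/AAAA (where the website goes), MX (where
# email goes), NS (which servers are authoritative; a change made at the
# registrar usually shows up here first).
WATCHED_TYPES = ("A", "AAAA", "MX", "NS")


@dataclass(frozen=True)
class Finding:
    rtype: str
    added: frozenset
    removed: frozenset

    def describe(self) -> str:
        return (f"{self.rtype} records changed: "
                f"added {sorted(self.added)}, removed {sorted(self.removed)}")


def normalize(values) -> set:
    """DNS names are case-insensitive and answers may carry a trailing dot;
    fold both so 'MX1.Example-CU.test.' equals 'mx1.example-cu.test'."""
    return {" ".join(v.split()).lower().rstrip(".") for v in values}


def diff_records(baseline: dict, observed: dict, watched=WATCHED_TYPES) -> list:
    """Compare observed records to the approved baseline.

    Both arguments map a record type to a collection of record values
    (MX values as 'priority host'). Returns one Finding per watched type
    whose value set differs. A type missing from `observed` counts as all
    records removed, so a zone that stops answering is also flagged."""
    findings = []
    for rtype in watched:
        want = frozenset(normalize(baseline.get(rtype, ())))
        got = frozenset(normalize(observed.get(rtype, ())))
        if want != got:
            findings.append(Finding(rtype, got - want, want - got))
    return findings


def observed_a_records(domain: str) -> set:
    """Live A-record lookup using the standard library only."""
    return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}


# Constructed sample data for a fictional credit union domain.
BASELINE = {
    "NS": {"ns1.registrar.test", "ns2.registrar.test"},
    "A": {"203.0.113.10"},
    "AAAA": set(),
    "MX": {"10 mx1.example-cu.test", "20 mx2.example-cu.test"},
}

# Same zone, as a resolver might format it: case and trailing dots differ, content does not.
OBSERVED_OK = {
    "NS": {"NS1.Registrar.test.", "ns2.registrar.test."},
    "A": {"203.0.113.10"},
    "MX": {"10 mx1.example-cu.test.", "20 MX2.example-cu.test"},
}

# Constructed picture of the post's scenario: website and mail moved elsewhere, NS untouched.
OBSERVED_REDIRECTED = {
    "NS": {"ns1.registrar.test", "ns2.registrar.test"},
    "A": {"198.51.100.77"},
    "MX": {"10 mail.somewhere-else.test"},
}

if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED_REDIRECTED):
        print("ALERT:", f.describe())
```

Run the check from a machine whose own resolver is not the one under suspicion, and alert on any Finding rather than only on additions: the removal of your legitimate MX hosts is as telling as the appearance of new ones.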

Credit unions are obsessed with security, but often their obsessions are misplaced. I’d be more concerned with a trojan getting on the network and implanting keyloggers on employee machines, or with this type of DNS redirection, than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?

Missed Social Media Opportunities

Credit unions have been clamoring to get involved with social media, many times without a cohesive strategy behind the action. The Financial Brand ran an article about why social media doesn’t have any ROI a while back. The basic gist: have a reason to get into social media.


Some companies have ample opportunity to get involved in social media, and for some reason or another, have yet to do so. Take your good ol’ Neighborhood Watch. While it is officially called USA on Watch, you will most likely recognize the sign you’ve seen many times on telephone poles and buildings in your area. To quote from the USA on Watch website:

Our nation is built on the strength of our citizens. Every day, we encounter situations calling upon us to be the eyes and ears of law enforcement. Not only does the Neighborhood Watch Program allow citizens to help in the fight against crime, it is also an opportunity for communities to bond through service.

The Neighborhood Watch is the perfect example of an organization that could leverage technology and social media to stay relevant. Think of the technology you have in your possession right now that could be “the eyes and ears of law enforcement”. The Neighborhood Watch has some great opportunities to take advantage of the explosion of location-aware technologies. Consider the following examples:

  • Your local neighborhood watch has a Twitter account. One of the neighborhood watch participants tweets the details about a car break-in and the exact location is automatically included in the tweet.
  • You are walking your dog when you notice a stray in the neighborhood. You snap a picture of it with your cell phone and send it off to Twitter, GPS location included on the picture itself and in your tweet.
  • The neighborhood watch website overlays GIS data from the city (here’s an example in Portland, OR) that combines publicly available sex offender data and crime data to make a snapshot of your neighborhood.

Those are what some may call the “low hanging fruit” for USA on Watch. Many more things can be done using some of the free tools available. This may include using the Twitter API to combine local tweets that have been tagged a certain way or contain certain keywords, in real time, with Google Maps and Google Earth. USA on Watch could also build the ever-popular iPhone application to enable people to join their local neighborhood watch and send out updates to the application when a crime occurs or an Amber Alert is issued.

Goodwill Industries presents another wonderful opportunity to engage in social media to further fulfill their mission. It appears Goodwill has taken too long to create an iPhone app, as a private developer has already beaten them to it. iDonatedIt is also stepping on Goodwill’s toes by tracking customers’ donations on their iPhone or iTouch. Goodwill should take a cue from the airline industry and develop their own iPhone and/or Blackberry application that lets customers not only find their store locations, but also enables the customer to receive their receipt via email or a message to their iPhone app.

The wonderful thing about some of the new social media tools available to marketers, technology geeks, and grandmas, is the ability for these tools to make interacting with their favorite and preferred stores or brands much easier. Forget about using Twitter to blast your latest rates or talk about going green with e-statements. Your members want banking to be easy. If you or your team can think of a way to make credit unioning easier for your members using social media, you’re on to something. Create a business plan around your idea and sell it to upper management. By making your social media strategy actionable with a clear goal in mind, you will position your credit union to be the envy of all of your competitors.

My GAC 2010 Acceptance Speech

First off, I’d like to thank God, for without Him, nothing is possible. I’d like to thank my family, my wife, and my new son Mason, for being supportive of all of the long hours I had to put in over the week. I’d like to extend a very large thank you to CUNA for putting the GAC on in the first place. It is an incredible, must attend event for all credit union professionals. Also, without CUNA, Crash the GAC would never have been able to attend the entire conference and become involved with the great sessions and events. Thanks to their generous sponsorship, the GAC was tweeted about nearly 1000 times which translates to a ton of free press for CUNA and the ability to extend their conference to people around the US and the world who were not able to attend.

I’d like to extend a huge thanks to Palmetto Cooperative Services and Mark Curran for putting up the crashers in our two-star lodging for the week and picking up the tab for dinner and drinks on a few occasions. Another big thanks goes out to CU Swag (and PTP New Media) and James Robert Lay for the killer Crash the GAC t-shirts. I’d also like to thank all of the crashers and their sponsoring credit unions for coming up to DC and livin’ it up at the GAC.

And finally, I’d like to thank the master behind the curtain, Brent Dixon and his design shop, The Haberdashery, for his amazing work at putting this together. Also, Filene, who supported Brent in his quest to bring under-30 professionals to the GAC. Without Brent, none of this would have been possible!

I’d also like to thank my personal trainer, my dog… (cue music)

The real use for Twitter in CU’s (and Banks)

Screw banks and CU’s using Twitter. It is overrated and doesn’t give you any ROI. I don’t care if you are having a seminar on credit reports or a shred day. Pilcher’s Twitter directory is fine and dandy, and it does a great job demonstrating that nobody is using Twitter except to regurgitate tired marketing messages. Twitter could be a real communication tool for your members if it is a medium they are currently using. You’ve surveyed your members and done your market research, so you know what percentage of your membership is on Twitter, right?

Why the hell don’t we actually make Twitter a useful communication tool? Think about how text banking works. I text bal to MYCUBAL or whatever, 10 or 20 seconds go by, and my balance comes back. Whoo hoo. Why don’t we do the same thing with Twitter? Log into online banking and link your Twitter username to your online banking account. Tweet a direct message to your credit union with a command like bal or last 5. The CU’s application grabs the direct message, looks up the Twitter username in online banking, and pulls the balance out of the OFX server or directly from the core. Then the application direct messages the CU member back.

Duh. Seems like a no-brainer to me. Let’s get off the marketing bandwagon with Twitter and figure out how to actually make it a useful tool for our membership.
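The direct-message flow above (member links a handle in online banking, DMs a command, the app looks up the handle, pulls from OFX or core, and replies by DM) can be sketched as a small command handler. This is an added example and not code from the post or from any credit union; the linked-handle table and account data are constructed stand-ins for the online-banking lookup and the OFX/core call, and the two commands (`bal`, `last N`) are the ones the post names. The handler stays silent for handles that were never linked, so the DM channel does not reveal which accounts exist, and it only ever reads data, never moves money.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data. In practice LINKED_HANDLES is the mapping a member
# creates inside online banking (handles stored lower-case, without '@'), and
# ACCOUNTS is a stand-in for the OFX server / core lookup.
LINKED_HANDLES = {"alice_cu_member": "ACCT-0001"}
ACCOUNTS = {
    "ACCT-0001": {
        "balance": Decimal("1523.44"),
        "transactions": [  # newest first, as a core would usually return them
            ("2010-03-03", "Coffee", Decimal("-3.50")),
            ("2010-03-02", "Payroll", Decimal("1200.00")),
            ("2010-03-01", "Groceries", Decimal("-86.12")),
        ],
    }
}

DM_LIMIT = 140  # Twitter's direct-message length at the time of the post

# Only two read-only commands exist; anything else gets the help text.
COMMAND_RE = re.compile(r"^\s*(bal|last)(?:\s+(\d{1,2}))?\s*$", re.IGNORECASE)


@dataclass
class DirectMessage:
    sender: str  # handle of the sender as reported by the DM API
    text: str


def handle_dm(dm: DirectMessage, linked=LINKED_HANDLES, accounts=ACCOUNTS):
    """Return the reply text for one incoming DM, or None to send nothing."""
    acct_id = linked.get(dm.sender.lstrip("@").lower())
    if acct_id is None:
        return None  # unlinked handle: no reply, so nothing confirms whether a member exists
    m = COMMAND_RE.match(dm.text)
    if not m:
        return "Commands: bal, last N"
    cmd, n = m.group(1).lower(), m.group(2)
    acct = accounts[acct_id]
    if cmd == "bal":
        return f"Balance: ${acct['balance']:,.2f}"
    n = int(n) if n else 5  # 'last' without a number means the last 5
    lines = [f"{date} {desc} ${amt:,.2f}" for date, desc, amt in acct["transactions"][:n]]
    reply = "\n".join(lines) if lines else "No transactions."
    return reply[:DM_LIMIT]


if __name__ == "__main__":
    for msg in [DirectMessage("@Alice_CU_Member", "bal"),
                DirectMessage("alice_cu_member", "last 2"),
                DirectMessage("alice_cu_member", "transfer 100"),
                DirectMessage("stranger", "bal")]:
        print(repr(msg.text), "->", repr(handle_dm(msg)))
```

Because the sender handle is the only thing authenticating the request, the handler is deliberately limited to balance and history; whoever controls the Twitter account controls this channel, and the linking step in online banking (behind the site's own multi-factor login) is where the real trust is established.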

Update:  I was just catching up on my feeds and noticed the post at The Financial Brand about the How To: Twitter for FI’s guide.  Look at the bullet points:

  • Promote new products and offers
  • Share personal finance tips
  • Express their brand and reveal their personalities
  • Build community outreach programs
  • Provide information about community events and activities
  • Increase exposure for their charitable and philanthropic efforts

Pick one of those that isn’t marketing and show me one useful thing that a member could use any of that for.  Oh wait, you can’t.