There is one big, scary security hole in credit unions that most IT people pass over and I’ve never heard an auditor mention: domain registration and DNS hosting. Whoa, whoa, whoa, DNS sounds technical. And it is. But domain registration is very self-explanatory. You’ve seen the GoDaddy commercials (or bought domains in a drunken stupor late at night) so you know how easy it is to purchase a domain name. Generally your domain registrar handles your DNS hosting for you. DNS is like the phone book of the internet. It converts godaddy.com to an IP address so the request can reach the correct web server. DNS controls your MX records, or email records, as well as where the domain name should be directed.
Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?
- Bad guy downloads all of the html of your website
- Bad guy posts the html of your website on a server he controls. It might not work fully, but it looks legit.
- Bad guy logs into GoDaddy (again, just an example) and tells abcfcu.org to point to his server instead of your server.
- Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
- Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
- And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.
Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?
First, follow normal security guidelines regarding password management and computer security. Keep your anti-virus up-to-date. Use traffic monitoring and/or endpoint protection to block any traffic outbound from your CU to a known bad guy website. Never, ever, ever write down a password. Etc, etc.
Secondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage, which is not protected by SSL. That means your username and password are sent as plain text over the internet. Fail. So far only one domain registrar, name.com, has implemented multi-factor authentication. And it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore: a time-based algorithm generates a new one-time code every 30 seconds. In addition to your username and password being required to log into the site, name.com has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.
Currently, name.com is the only domain registrar doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise-level services are vulnerable to compromise, as Twitter can attest: when their account at Dyn, a large DNS hosting company, was compromised, all of their traffic was redirected.
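The redirection scenario above (website A records and mail MX records pointed at someone else’s servers, possibly only after hours) is exactly the kind of change a CU can watch for itself. Below is an added example, not part of the original post, that compares a domain’s live A and MX records against a known-good baseline; the domain, IP addresses and mail hosts are constructed placeholders, and the lookup function is injected so the code runs offline (in production you would plug in a real DNS query).

```python
"""Detect DNS redirection by comparing live records against a known-good baseline.
Added example with constructed values; abcfcu.org and the addresses are placeholders."""
from typing import Callable, Dict, List, Set, Tuple

# Lookup function signature: (name, record_type) -> set of answer strings.
Resolver = Callable[[str, str], Set[str]]

# Known-good records, captured when you know DNS is correct (constructed values).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "abcfcu.org": {"A": {"198.51.100.10"}, "MX": {"mail.abcfcu.org."}},
    "www.abcfcu.org": {"A": {"198.51.100.10"}},
}


def check_domain(baseline: Dict[str, Dict[str, Set[str]]], resolve: Resolver) -> List[str]:
    """Return one alert per record set that differs from the baseline (empty list = all good).
    Run this every few minutes from a scheduler, not once a day: an attacker who flips
    records after the call center closes and flips them back before opening would
    otherwise never show up in a daily check."""
    alerts: List[str] = []
    for name, expected in baseline.items():
        for rtype, want in expected.items():
            got = resolve(name, rtype)
            if got != want:
                alerts.append(
                    f"{name} {rtype}: expected {sorted(want)}, observed {sorted(got)}"
                )
    return alerts


def snapshot_resolver(snapshot: Dict[Tuple[str, str], Set[str]]) -> Resolver:
    """Build a resolver from a canned snapshot so the check can run offline."""
    return lambda name, rtype: set(snapshot.get((name, rtype), set()))


# Constructed snapshots: a normal day, and a hijack of both web and mail records.
NORMAL = {("abcfcu.org", "A"): {"198.51.100.10"}, ("abcfcu.org", "MX"): {"mail.abcfcu.org."},
          ("www.abcfcu.org", "A"): {"198.51.100.10"}}
HIJACKED = {("abcfcu.org", "A"): {"203.0.113.77"}, ("abcfcu.org", "MX"): {"mx.attacker.example."},
            ("www.abcfcu.org", "A"): {"203.0.113.77"}}

if __name__ == "__main__":
    for label, snap in (("normal", NORMAL), ("hijacked", HIJACKED)):
        alerts = check_domain(BASELINE, snapshot_resolver(snap))
        print(f"{label}: {'OK' if not alerts else chr(10).join(alerts)}")
```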
Credit unions are obsessed with security, but often their obsessions are misplaced. I’d be more concerned with a trojan virus getting on the network and implanting keyloggers on employee machines, or with this type of DNS redirection, than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?