If credit unions don’t take action now to sidestep a potentially serious security issue, they could find themselves paying for it next year with weaker data protection technology.
Credit unions, which often have fewer financial and technical resources than large banks, need to take steps now to retire an outdated version of the transport layer security protocol, TLS 1.0, which encrypts traffic between systems but no longer does so safely.
If credit unions fail to update their technology, they could increase the risk that malicious actors will exploit their vulnerabilities and get access to customer data or cryptographic keys.
Waiting to update systems and security protocols will invite headaches, and may not be feasible in any case, since the Payment Card Industry Security Standards Council's deadline for withdrawing support for SSL and the oldest TLS version, TLS 1.0, is June 30, 2018. Credit unions should migrate by then to a minimum of TLS 1.1, and preferably TLS 1.2, the council says.
The council notes that according to the National Institute of Standards and Technology, “there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.”
TLS helps “establish secure communications between systems, including between credit unions and members, or between credit unions and core processors or other vendors,” Credit Union Times reports.
The Importance of the TLS Protocol
TLS 1.0 was published in 1999, and it has known weaknesses that make it especially vulnerable to cyberattacks. Credit unions that still use TLS 1.0 may be more susceptible to data breaches and attacks that could access customer data, critical files and processing activities, the publication notes.
“We're talking about things like accessing online banking from your home computer, from a browser, that type of thing, but also on a machine-to-machine level, from a credit union uploading or downloading files securely through a file transfer to their core vendor or through their processor,” Lou Grilli, director of payments strategy at Card Services for Credit Unions, a major credit union card processing association, tells Credit Union Times.
The PCI Security Standards Council notes that many of the weaknesses in TLS 1.0 lie in the protocol's design rather than in any one implementation, which is why they cannot simply be patched. Several of them allow man-in-the-middle attacks that let attackers decrypt sensitive information, and some can even lead to the loss of cryptographic keys.
How to Get Ahead of TLS 1.0 Vulnerabilities
Credit unions could face major vulnerabilities if they don’t upgrade. Here are six key steps credit unions should take to protect themselves and their customers.
Budget time for the upgrade. Grilli told Credit Union Times that credit unions should set aside three to six months to complete the upgrade and conduct testing and training. Flex, which provides software to credit unions, advises a similar timetable and says credit unions should start to transition by January 2018.
Work with vendors. Some of the IT vendors credit unions work with may not have upgraded to TLS 1.1 or 1.2, which means that come June 30, 2018, some credit union services and features may not work for customers. “You really want to make sure your vendors are talking, they're on the same page, they're communicating ahead of these shut-offs,” Brian Maurer, vice president of software development at CU*Answers, which provides technical services to credit unions, tells Credit Union Times. “If you just leave this up to your vendors, that’s where credit unions could potentially find themselves with either a vendor not up to par to where it needs to be, or two vendors not communicating well with each other, potentially causing a miscommunication and ultimately an interruption in some service.”
Negotiate with vendors on contracts. Some vendors may not be willing to upgrade. “Getting out of that contract, switching to a new vendor, all of that stuff, that can certainly cost money,” Maurer says, according to Credit Union Times. “If you have a technology partner who is not aware of the mandate, or has no plans to comply, consider enacting that breach of contract clause,” Flex adds in its blog post.
Audit your own IT. Grilli says that credit unions should thoroughly inspect all of their IT and network equipment. “Yes, it's really time-consuming and probably painful, but now is the best time to do it,” he tells Credit Union Times. “There are potentially homegrown systems that have been in place for a while that are going to have to be touched.” Credit unions may also need to rewrite code or purchase new software.
Communicate with customers. Some credit union members may be using services that rely on TLS 1.0 and will need to be notified and encouraged to switch to new services. “The challenge with that messaging in my opinion is most members don't understand what that means,” Maurer says.
Document the process. Technology upgrades are a never-ending process, and credit unions will probably have to go through a similar experience in several years. “We'll probably have this conversation this time next year for TLS 1.1, and probably a year or two after that for 1.2. I mean, the bad guys are going to continue to attack these protocols looking for weaknesses,” Dave Wordhouse, executive vice president of network technologies at CU*Answers, tells Credit Union Times. “This is part of life in the Internet age.”
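The "audit your own IT" step above comes down to finding every endpoint that still negotiates TLS 1.0 (or 1.1) and confirming that TLS 1.2 is available. As an added example, not from the article or any of the vendors it quotes, the script below uses only the Python standard library to attempt a handshake at each TLS version in turn against a host you name, then grades the result against the PCI SSC guidance quoted earlier. The command-line interface, the `probe_tls_versions`/`assess`/`is_compliant` names and the wording of the findings are assumptions of this example.

```python
"""Probe which TLS versions a server will negotiate and grade the result.

Added example for the "audit your own IT" step; standard library only.
Usage: python tls_probe.py HOST [PORT]
"""
import socket
import ssl
import sys

# Versions to try, oldest first. PCI DSS calls TLS 1.0 and 1.1 "early TLS".
PROBE_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def _context_pinned_to(version):
    """Client context that will offer exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol negotiation, not certificate validity,
    # so hostname and chain checks are skipped for this probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Ask OpenSSL to permit legacy versions it would otherwise refuse.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL) reject the string
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version name: True if the server completed a handshake at that version}."""
    results = {}
    for name, version in PROBE_VERSIONS:
        try:
            ctx = _context_pinned_to(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True  # min == max, so success means this exact version
        except (OSError, ValueError):
            # OSError covers refused/timeout and ssl.SSLError (handshake rejected);
            # ValueError means the local OpenSSL cannot even offer this version.
            results[name] = False
    return results


def assess(results):
    """Grade probe results against the PCI SSC guidance the article cites:
    TLS 1.0 must be off, TLS 1.1 is the bare minimum, TLS 1.2 is preferred."""
    findings = []
    if results.get("TLS 1.0"):
        findings.append(("FAIL", "TLS 1.0 still negotiable; disable it before the June 30, 2018 cut-off"))
    if results.get("TLS 1.1"):
        findings.append(("WARN", "TLS 1.1 negotiable; meets the minimum, but plan to retire it"))
    if not (results.get("TLS 1.2") or results.get("TLS 1.3")):
        findings.append(("FAIL", "no TLS 1.2 or 1.3; clients will lose service once old versions are withdrawn"))
    if not any(results.values()):
        findings.append(("INFO", "nothing negotiated: host unreachable, not TLS, or the scanner's OpenSSL refuses legacy versions"))
    return findings


def is_compliant(results):
    """True when no FAIL finding remains."""
    return not any(severity == "FAIL" for severity, _ in assess(results))


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    found = probe_tls_versions(host, port)
    for name, ok in found.items():
        print(f"{name}: {'negotiated' if ok else 'not negotiated'}")
    for severity, text in assess(found):
        print(f"[{severity}] {text}")
    sys.exit(0 if is_compliant(found) else 1)
```

One caveat any scanner built this way inherits: if the machine you scan from runs a modern OpenSSL that refuses to speak TLS 1.0 even at security level 0, a "not negotiated" result says nothing about the server. Cross-check from a host that still has legacy support with `openssl s_client -connect host:443 -tls1` (and `-tls1_1`, `-tls1_2`), or read the server configuration directly; disabling fallback, as the NIST guidance above asks, is a one-line setting on most servers, for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2` in Apache. Run the probe against every member-facing site and every machine-to-machine endpoint (file transfer to the core processor included), not just the public web server.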