Basics of Technology Security for Credit Unions
26th Feb 2019
Like most things in life, get the basics right and you’re 95% of the way there. Here are our top 10 tips for keeping you and your members secure.
1. Don’t share sensitive information on unsecured channels
Channels like email and SMS are regularly compromised these days.
Many email accounts are already compromised. Many more have credentials up for grabs on the dark web even if they haven’t yet been taken over, and those that are still safe today may well be compromised in future.
SMS takeover is often as simple as convincing a telephone operator to port a number to a SIM the fraudster controls.
Don’t be misled into thinking the encryption on services like WhatsApp helps either. They haven’t been built for financial services transactional conversations. There are a few reasons for caution, but perhaps the most pertinent one is that the account itself is usually controlled by an email address or a phone number. Compromise the email account or the phone number and you can probably take over any accounts that depend on them.
You should refrain from discussing anything outside the public domain on these channels. Certainly, don’t ask for documents like bank statements and identity documents. These are a fraudster’s dream.
2. Avoid using paper
Rummaging through bins must be the most low-tech way of obtaining sensitive data. Incredibly effective though. If you’re honest, can you be sure your bins won’t give away sensitive information? The easiest way to prevent this risk is to eliminate paper from your operation. With modern technology, this is not difficult or expensive. If you find yourself having to use paper (maybe a member who simply refuses anything else!), make sure you have a robust secure disposal process (i.e. shred it at a minimum!).
3. Make sure any bespoke technology you develop is properly tested
Many credit unions will develop bespoke software. This may be an online form integrated into your back-end technology, a mobile app, an online service or something else. It may be based on an existing product or it may be built from scratch. Whatever it is, make sure it is independently security tested. Even the best software engineers may make mistakes or will be unaware of vulnerabilities in their code.
The best way to test these bespoke developments is to get a penetration test. To choose providers, look for relevant certifications. CREST is a good validation of standards.
If you’re going to spend thousands of pounds on some fantastic new tech, it is worth the additional investment to make sure it is secure.
4. Make sure your website is secured with HTTPS
It is easy to think a public website doesn’t need to be secure if it doesn’t contain sensitive data. If you think about it though, this is a trusted place many of your members will rely on. Imagine if a phone number or email address on your website were updated by a fraudster. They’d be able to easily con your members and prospective members who contacted them thinking it was you.
HTTPS encrypts traffic between the browser and the server, so it can’t be read or altered in transit. It certainly isn’t infallible on its own, and you should consider other controls too, but as a start it helps. It also makes the site look secure, as most browsers will show a padlock or equivalent symbol to denote an encrypted connection. This “visible” sign of security is good reassurance for members and prospective members but might also put off fraudsters looking for an easy target.
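The “other controls” worth pairing with HTTPS are easy to check from the server’s own responses: a plain-HTTP request should be answered with a permanent redirect to the https:// address, and HTTPS responses should carry a Strict-Transport-Security (HSTS) header so browsers refuse to fall back to plain HTTP later. The following is an added example, not code from the original post or from any vendor; the responses it inspects are constructed inline, and the hostname `www.example-cu.org` is a placeholder.

```python
"""Offline checks of HTTP responses for HTTPS-related hardening.

Added example: parses raw responses (as a tool like curl would show them) and
reports what a credit union's web team would want fixed. Sample responses
below are constructed for the demonstration, not captured from a real site.
"""
from urllib.parse import urlparse

# --- constructed sample responses ----------------------------------------
# Weak: the plain-HTTP site just serves the page, so a visitor never moves to HTTPS.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
# Good: plain HTTP is answered with a permanent redirect to the HTTPS address.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example-cu.org/\r\n\r\n"
# Weak: HTTPS works, but nothing tells the browser to keep using it.
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
# Good: HSTS for a year, covering subdomains as well.
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>...</html>")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, headers dict).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw: str, expected_host: str) -> list:
    """Findings for the response the server gives to a plain http:// request."""
    status, headers = parse_response(raw)
    findings = []
    if status not in (301, 308):
        findings.append(f"plain HTTP answered with {status}, not a permanent redirect")
    location = urlparse(headers.get("location", ""))
    if location.scheme != "https" or location.hostname != expected_host:
        findings.append(f"redirect does not point at https://{expected_host}")
    return findings


def check_hsts(raw: str, min_age: int = 31536000) -> list:
    """Findings for an HTTPS response: HSTS present, long-lived, covering subdomains."""
    _, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in hsts.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age < min_age:
        findings.append(f"HSTS max-age {max_age} is below {min_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


if __name__ == "__main__":
    host = "www.example-cu.org"
    print("weak http :", check_http_redirect(WEAK_HTTP, host))
    print("good http :", check_http_redirect(GOOD_HTTP, host))
    print("weak https:", check_hsts(WEAK_HTTPS))
    print("good https:", check_hsts(GOOD_HTTPS))
```

The redirect check insists on a permanent (301/308) redirect because browsers cache those, so a member who once typed the plain address keeps landing on HTTPS; the HSTS check uses a one-year minimum because that is the threshold browsers’ preload lists expect.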
5. Make sure any devices (particularly portable ones) are encrypted and have good security settings
Let’s face it, if your staff are accessing credit union materials on a device, irrespective of other technical and procedural controls, the chances are there is going to be sensitive information on that device. Particularly if the device is portable, it could well be lost or stolen.
You should ensure that all devices lock automatically after a reasonable period of time, with a strong PIN or password set, and that the data on the device is encrypted. These will all be configurable settings on the device. Make sure you check them.
6. Keep operating systems and applications up to date
You don’t have to look far in the press for examples of vulnerabilities being found in some of the most common software, including operating systems. It happens. The best way to protect against being a victim of the latest flaws is to keep your software up to date. If you’re using SaaS software (i.e. you access it through a browser), this will happen by default. For everything else, check the settings in the application and make sure updates are set to automatic. You should do this on every device and account being used for credit union purposes.
7. Use two-factor authentication (2FA) as a minimum (and don’t share account credentials)
Like everything, 2FA isn’t perfect, but making sure you have two-factor authentication on any account which provides access to credit union services does a lot to reduce risk. It is far harder for a fraudster to compromise two factors than it is to compromise one.
Most services now offer the ability to set this up. It usually requires a username and password and then an SMS code or a code from a device (which could be an app like Google Authenticator).
This doesn’t just apply to software you are using. Any mobile apps or online services you are asking members to use should definitely have 2FA as a minimum.
Also, pretty obvious, but don’t share credentials. Sharing significantly increases the likelihood of credentials being disclosed by accident. Not only that, but you’re also compromising your ability to audit actions taken by individuals. Nobody expects to be the victim of internal fraud, but unfortunately, it does happen all the time. In the event of it happening to you, you’ll want to be able to trace back who did what and you will regret sharing credentials if you’ve historically encouraged this (even if this was passively encouraging it by not saying anything).
8. Use strong passwords that are different for each application
Passwords are an inevitable pain of most secure applications. Thankfully modern browsers have recognised this. They will automatically generate strong passwords that are different for each site and will securely store them. That’s a great way to keep stuff safe. Check out how to use this feature on your favourite browser if you aren’t using it already.
If you and your team are going to generate your own passwords then:
• Make sure you use different passwords for each application and don’t just vary a digit! (the dark web is full of people’s email accounts and compromised passwords from previous hacks)
• Don’t write them down!
• Set security principles for the complexity of the password – this tool is a good test: https://reactpasswordstrength.netlify.com/
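The three bullets above can be turned into an automated check that runs whenever a staff member sets a new password: reject short or low-variety passwords, reject anything seen in a breach list, and reject a “new” password that is just the old one with a digit changed. The following is an added example, not code from the original post or from the linked strength tool; the breached-password set is a tiny constructed stand-in for a real breach corpus, and the length and entropy thresholds are the author’s assumed policy values.

```python
"""Password policy checks, as an added illustration of tip 8.

Covers: (1) different password per application, not a digit tweak;
(2) not a known-breached password; (3) a minimum complexity principle.
"""
import math
import re

# Constructed stand-in for a breached-password list (real deployments would
# check against a full corpus such as a k-anonymity breach-lookup service).
BREACHED = {"password", "password1", "letmein", "qwerty123", "summer2018", "welcome1"}


def _core(password: str) -> str:
    """Strip digits and punctuation and fold case, leaving the 'word' part."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_trivial_variation(new: str, old: str) -> bool:
    """True when `new` is `old` with only digits/symbols/case changed
    (e.g. Summer2018! -> Summer2019!), which breach lists make easy to guess."""
    return _core(new) != "" and _core(new) == _core(old)


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: length x log2(size of character pool used).
    An upper bound; dictionary words score lower in practice."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, previous=(), min_len: int = 12,
                   min_bits: float = 60.0) -> list:
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in BREACHED:
        problems.append("appears in a breach list")
    if estimate_bits(password) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    for old in previous:
        if is_trivial_variation(password, old):
            problems.append("only a digit/symbol variation of a previous password")
            break
    return problems


if __name__ == "__main__":
    for pw, prev in [("password1", []), ("Summer2019!", ["Summer2018!"]),
                     ("correct-horse-battery-staple-42", [])]:
        print(f"{pw!r}: {check_password(pw, prev) or 'OK'}")
```

Note that the entropy estimate is an upper bound: a long password built from one dictionary word is weaker than the figure suggests, which is why the breach-list and variation checks matter as much as the number.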
9. Run up-to-date antivirus software
Yes, I hear you, it does often slow things down 😫. Really though, it is a basic thing and there can’t be an excuse in financial services for not doing it. Find a good one (independently reviewed, assessed and extensively used) and make sure it is up to date on every device.
10. Train your staff
Most frauds are going to start from the most basic breaches – usually a phishing email. These emails can be pretty clever these days, including genuinely appearing to come from known email addresses.
It won’t take long to continually remind people of the basics: always think twice before clicking a link, downloading an attachment or paying someone.
• Do you know that person?
• Are you expecting that email?
• Is the language and format consistent with how they’ve emailed in the past?
• If you have any doubts, surely it is worth a clarification?
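The four questions above are human judgement calls, but the first and third have machine-checkable counterparts in the message headers: is the sender’s domain one you actually correspond with, does it merely resemble one, does the Reply-To quietly send replies elsewhere, and did the receiving mail server’s SPF/DMARC checks pass? The following is an added example of such a triage check, not code from the original post; both emails and the trusted-domain list are constructed for the demonstration, with `.example` placeholder domains.

```python
"""Phishing triage heuristics over raw email headers, as an added illustration.

Constructed messages only; no real correspondents or domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the credit union actually corresponds with (constructed list).
TRUSTED_DOMAINS = {"example-cu.org", "supplier.example"}

# Constructed phishing sample: look-alike sender domain, off-domain Reply-To,
# failed authentication, urgent payment language.
PHISHING = "\n".join([
    "From: Jane Smith <jane.smith@example-cu-secure.example>",
    "Reply-To: payments@webmail-free.example",
    "To: finance@example-cu.org",
    "Subject: URGENT: updated bank details for supplier payment",
    "Authentication-Results: mx.example-cu.org; spf=fail smtp.mailfrom=example-cu-secure.example; dmarc=fail",
    "",
    "Hi, please pay the attached invoice to our new account today.",
])

# Constructed legitimate sample from a known colleague.
LEGITIMATE = "\n".join([
    "From: Jane Smith <jane.smith@example-cu.org>",
    "To: finance@example-cu.org",
    "Subject: Minutes from Tuesday's meeting",
    "Authentication-Results: mx.example-cu.org; spf=pass; dmarc=pass",
    "",
    "Minutes attached as discussed.",
])

URGENCY = re.compile(r"\b(urgent|immediately|today|new (bank )?(account|details))\b", re.I)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return short indicator codes; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(from_addr)
    findings = []

    # "Do you know that person?" - sender domain not among known correspondents.
    if sender_domain not in trusted:
        findings.append("unknown-sender")
        # Contains a trusted domain's name but is not that domain: look-alike.
        if any(t.split(".")[0] in sender_domain for t in trusted):
            findings.append("lookalike-domain")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append("reply-to-mismatch")

    # The receiving server's own SPF/DMARC verdict, when it recorded one.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("auth-fail")

    # "Are you expecting that email?" - pressure to pay or change details now.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent-payment-language")
    return findings


if __name__ == "__main__":
    print("phishing  :", phishing_indicators(PHISHING))
    print("legitimate:", phishing_indicators(LEGITIMATE))
```

None of these indicators proves fraud on its own (a genuine supplier may well write “urgent”), which is why the page’s final question stands: when any of them fires, pick up the phone and clarify using a number you already hold, not one in the email.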
We’re at the ABCUL annual conference in Manchester 8/9 March – get in touch to arrange a time to get together there