Security Protocol Deadline Nearing, & It's a Big Deal, Experts Warn
A looming deadline regarding a relatively obscure piece of security technology could soon give credit unions major headaches and call attention to weak spots in their data protections, industry experts warn.
At issue is a cryptographic protocol called Transport Layer Security, or TLS. It encrypts and authenticates connections between systems, including between credit unions and members, or between credit unions and core processors or other vendors.
There are different versions of TLS, but the oldest is TLS 1.0. It dates to 1999, according to the PCI Security Standards Council, and has since been superseded by TLS 1.1 (2006) and TLS 1.2 (2008). That original version has well-documented cryptographic weaknesses that cannot be patched away, which means that data, files, and processing activities still carried over TLS 1.0 can be especially susceptible to breaches, according to Lou Grilli, who is director of payments strategy at CSCU in Tampa, Florida.
“We're talking about things like accessing online banking from your home computer, from a browser, that type of thing, but also on a machine-to-machine level, from a credit union uploading or downloading files securely through a file transfer to their core vendor or through their processor,” he noted.
So-called man-in-the-middle attacks, in which an attacker positioned between the two endpoints forces or exploits a weak session in order to decrypt sensitive information, are of particular concern with TLS 1.0, the PCI Security Standards Council said.
No fixes or patches can adequately repair TLS 1.0, the council reported, which is why the PCI Data Security Standard stops accepting it as a security control on June 30, 2018. By then, online and e-commerce systems that handle cardholder data should be using TLS 1.1 or, preferably, TLS 1.2, it said.
It’s an in-the-weeds piece of technology, but Lou Grilli, Brian Maurer, who is VP of software development at CU*Answers, and CU*Answers EVP of Network Technologies Dave Wordhouse said credit unions that put off the upgrade could find themselves with broken systems and angry members next summer. They said credit unions need to do a few things now to get ready for the change.
- Start grilling vendors. Credit unions often work with different vendors to create various offerings for members. But if some or all of those vendors haven’t transitioned to TLS 1.1 or 1.2 by the deadline, some features or services could suddenly stop working, Maurer said. “You really want to make sure your vendors are talking, they're on the same page, they're communicating ahead of these shut-offs,” he warned. “If you just leave this up to your vendors, that's where credit unions could potentially find themselves with either a vendor not up to par to where it needs to be, or two vendors not communicating well with each other, potentially causing a miscommunication and ultimately an interruption in some service.”
- Be ready to renegotiate. Some vendors may not be willing to upgrade. “Getting out of that contract, switching to a new vendor, all of that stuff, that can certainly cost money,” Maurer said.
- Scrutinize your own systems. Grilli recommends audits of every machine and every piece of software that makes or accepts TLS connections, on both the server side (online banking, web portals) and the client side (the file-transfer jobs that talk to the core processor). “Yes, it's really time-consuming and probably painful, but now is the best time to do it,” he said. “There are potentially homegrown systems that have been in place for a while that are going to have to be touched.” Code in custom applications may need to be rewritten, and new operating systems may need to be purchased, Maurer added.
- Make a communications plan. Some members may be using TLS 1.0 via old operating systems, so credit unions will need to notify members of the change soon and encourage them to update, Wordhouse said. “The challenge with that messaging in my opinion is most members don't understand what that means,” Maurer added.
- Make time. Set aside three to six months for the transition work, Grilli advised. Besides everything else on this list, there’s a lot of testing to do, plus upgrades and purchases may take weeks. Be sure to build in time for training, too. Things should be happening in the first quarter of 2018, he advised.
- Save your notes. “We'll probably have this conversation this time next year for TLS 1.1, and probably a year or two after that for 1.2. I mean, the bad guys are going to continue to attack these protocols looking for weaknesses,” Wordhouse said. “This is part of life in the Internet age.”
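The vendor check and the self-audit above both come down to the same question: which TLS versions does a given endpoint still negotiate? The script below is an added example written for this page, not code from the article, CSCU, CU*Answers or the PCI Security Standards Council. It probes a host one TLS version at a time using only the Python standard library, turns the answers into pass/fail findings for the migration checklist, and shows the server-side fix (a context that refuses anything below TLS 1.2). The function names, the finding wording and the hostname on the command line are assumptions; the probe deliberately disables certificate checks and lowers the OpenSSL security level because it is a scanner, not a production client.

```python
import socket
import ssl
import sys
from typing import Dict, List

# Versions to probe, oldest first (ssl.TLSVersion needs Python 3.7+).
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# Versions the PCI DSS deadline retires, and the floor we want afterwards.
DEPRECATED_NAMES = ("TLSv1", "TLSv1_1")
MODERN_NAMES = ("TLSv1_2", "TLSv1_3")


def probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one TLS version (scanner settings).

    Certificate checks are off because only version negotiation matters here,
    and the security level is lowered so the scanner itself may offer TLS 1.0
    and 1.1 on OpenSSL 3 builds that block them by default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels keep their default cipher list
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """One handshake attempt per version; value is accepted/refused/unreachable."""
    results: Dict[str, str] = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = probe_context(version)
        except ValueError:
            results[version.name] = "scanner-unsupported"  # OpenSSL built without it
            continue
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[version.name] = "unreachable"
            continue
        try:
            # wrap_socket performs the handshake; tls.version() is the negotiated one.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[version.name] = "accepted" if tls.version() else "refused"
        except OSError:  # ssl.SSLError, reset and timeout are all OSError subclasses
            results[version.name] = "refused"
        finally:
            raw.close()
    return results


def assess(results: Dict[str, str]) -> List[str]:
    """Turn probe results into findings for the migration checklist."""
    findings: List[str] = []
    for name in DEPRECATED_NAMES:
        if results.get(name) == "accepted":
            findings.append(f"FAIL: {name} still accepted; must be off by June 30, 2018")
    if not any(results.get(name) == "accepted" for name in MODERN_NAMES):
        findings.append("FAIL: no TLS 1.2 or later; clients break once old versions go")
    if not findings:
        findings.append("PASS: only TLS 1.2 or later negotiated")
    return findings


def hardened_server_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server-side fix: refuse anything below TLS 1.2 and keep only AEAD suites.

    Pass certfile/keyfile for a real server; omitted here so the context can be
    inspected without a certificate on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # Usage: python tls_audit.py vendor.example.net [port]  (hostname is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe_host(target, target_port)
    for name, state in outcome.items():
        print(f"{name:8s} {state}")
    for line in assess(outcome):
        print(line)
```

Run it against each vendor endpoint and each of your own listeners, keep the output with the audit notes, and re-run after the vendor says the cut-over is done. A "refused" for TLS 1.0 and 1.1 alongside "accepted" for 1.2 is the state the deadline requires; "scanner-unsupported" means the machine running the scan cannot speak that version itself, so the result says nothing about the server.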