Credit Unions Explore Browser-Based Threat Question
To warn or not to warn, that was the question for credit unions deciding whether to post advisories about the global Internet Explorer vulnerability.
The $88 million Inspire Federal Credit Union in Bristol, Pa., decided not to post a warning but did go desk to desk to make sure its own hatches were battened down.
“Not only was staff required to switch browsers, we had them download the patch from Microsoft to all of our computers. Managers walked to each computer to verify that the download was made. The staff is currently using Google Chrome,” said EVP Kevin Unger at Inspire, which has just changed its name from Bucks First FCU.
Security experts have reported the flaw in a number of versions of Explorer, including the latest, and the software giant responded by issuing patches, including an update for the XP system it had just stopped supporting.
That news followed by just weeks worldwide concern about the Heartbleed vulnerability, malware aimed at widely used OpenSSL encryption technology. For that one, the general advice was to change passwords. For the IE vulnerability, it's to download the patch or quit using the browser completely.
“We notified our members that our home banking vendor notified us that they were unaffected,” Unger said of the Heartbleed vulnerability. “As for Internet Explorer, we used the patch that was sent out last week by Microsoft to resolve that vulnerability. We also handled it internally by requiring staff to use another browser other than IE.”
Some larger credit unions took a similar approach. “STCU has not yet posted a warning to members on our website regarding the much-publicized IE vulnerability, though we may. Our preference is to engage members in two-way conversations about issues like this one,” said Dale Davaz, director of e-business at the $1.9 billion Spokane Teachers Credit Union in Spokane, Wash.
“So far as website announcements, as a general rule our practice is this: we don't publicize online threats unless there is a specific danger to members posed by the online services that we specifically offer,” Davaz said. “We’re reluctant to set an expectation with our members that we take responsibility for mitigating every particular risk associated with their online activity.”
He added, “We encourage a general ethic of safe and secure online practices instead, which we think keeps the responsibility for specific safe practices where it belongs and serves members best in the long run.”
That strategy entails making staff aware of the situation so that they can inform members in direct conversations and in online discussion through social media.
That's similar to the approach at the $398 million Nassau Financial Federal Credit Union in Westbury, N.Y., where Chief Information Officer Robert Reh said the threat is being taken seriously, but that his credit union had already tried in the past to minimize Internet Explorer as a problem.
“For many years Nassau Financial FCU has routinely recommended to members and employees to use Mozilla Firefox as a browser rather than IE wherever possible,” said Reh, a longtime member of the CUNA Technology Council and its executive committee.
He said that reminder was issued again a few days ago and that the credit union itself is protected by its internal systems.
“Once Microsoft issued a hotfix for IE, our patch management system deployed it automatically as well,” Reh said. “We have no reports so far of any issues as a result of this vulnerability, and don't really expect any thanks to the measures we had already in place.”
Others are going online. For instance, the $313 million Belvoir Federal Credit Union in Woodbridge, Va., posted a warning on its home page at www.belvoircreditunion.org and updated it with the patch after it was issued by Microsoft.
Internally, said Belvoir Federal Chief Information Officer George Ksenics, “We held a debriefing meeting with the IT staff and determined a game plan for replacing IE. The IT and marketing department communicated the IE threat and plan of action to staff. We installed an alternative browser on all computers for staff to utilize, blocked IE traffic, and addressed any affected vendors using IE. Once the issue was resolved, IT unblocked IE from employees’ computers.”
As the warnings and reports of possible attacks across industries went viral, the credit union trades and vendors also reacted.
“For our operations in both Washington and Madison, we recommended that folks stop using Explorer (our default browser here) and employ alternatives (which many already had available to them – such as Google Chrome or Mozilla Firefox) for the short term,” CUNA spokesman Pat Keefe said in an email. “Based on what we’ve heard from credit unions, many of them took the same or similar actions.”
CUNA Mutual Group also issued alerts to its policy holders that included similar warnings. “Credit unions should ensure the security update for Internet Explorer is downloaded and installed as soon as possible. Members should also be notified of the security update,” said the statement from CUNA Mutual Group Risk Management provided by spokesman Phil Tschudy.
Industry giant Fiserv Inc. said in its statement, “We advised clients of the Microsoft Security Advisory on this issue, and recommended that they assess the advisory and its suggested actions, and proceed as they deem necessary – an approach that we followed in our own organization.”
Scott Bush, CTO at Share One, a Memphis, Tenn.-based core processing CUSO, said it has received a few calls from its 105 credit union customers. “Our technical staff is fielding all questions and making suggestions that cover every workstation running Internet Explorer,” Bush said.
The 300-client FLEX in Sandy, Utah, also reached out. As soon as it heard of the breaking news about the threat, FLEX said, it emailed its core processing customers to advise them, when possible, to temporarily halt use of Internet Explorer until a fix has been issued.
“In this message, we also urged credit unions to consider advising their members to employ the use of other browsers (such as Chrome or Firefox) until a fix has been issued,” said an email from SVP Sean Holcomb at FLEX in Sandy, Utah.
“Now that Microsoft has issued a fix for the flaw, we are encouraging our clients to ensure their IT policies are up to date, and that all users are allowing pushed updates from Microsoft as well as Adobe. We are advising our credit union clients to do the same with their members,” Holcomb said.
He added, “Due to the swift response of Homeland Security, and the attention this flaw has received, we believe this threat will be limited.
“I hope this will bring to light the need for increased focus on credit unions ensuring security updates are accepted and installed in a timely manner throughout their respective networks.”