FREAK Flaw Targets Mobile
The hacking of dozens of home pages by a group claiming to be ISIS and the newly discovered FREAK flaw emphasize the need to protect against vulnerabilities, even in mobile banking channels.
FREAK (Factoring Attack on RSA-Export Key) is a relic of the U.S. government’s restriction on the export of strong encryption in the 1990s, which compelled developers to devise a system that could deliver strong encryption for U.S.-based users and weaker encryption for foreign users.
According to the website freakattack.com, this new vulnerability allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. The number of actual attacks is unknown.
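The downgrade described above works by getting client and server to settle on one of the old "export" cipher suites, which use 40-bit symmetric keys and 512-bit RSA keys. A defender can spot that condition in captured handshake traffic without breaking anything: a ClientHello that offers an export suite marks a vulnerable client, and a ServerHello that selects one marks a connection that has actually been downgraded. The following Python script is an added illustration written for this article, not code from freakattack.com or from any vendor named here. The cipher suite identifiers come from the TLS 1.0/1.1 specifications; the two handshake records it inspects are constructed inline as test data, not real captures.

```python
import struct

# TLS cipher suite identifiers for the RSA/DH "export" suites (RFC 2246 / RFC 4346):
# the 40-bit cipher, 512-bit RSA suites a FREAK downgrade steers a connection onto.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def _hello_suites(body, msg_type):
    """Return the cipher suites carried by a ClientHello or ServerHello body
    (the bytes that follow the 4-byte handshake header)."""
    pos = 2 + 32                          # skip protocol version and 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session id
    if msg_type == SERVER_HELLO:          # server picks exactly one suite
        return [struct.unpack("!H", body[pos:pos + 2])[0]]
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]      # client offers a list of suites
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]


def export_suites_in_record(record):
    """Parse one TLS handshake record and return the export-grade suites it
    offers (ClientHello) or selects (ServerHello) as (id, name) pairs.
    Non-handshake records and other handshake types yield an empty list."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return []
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        return []
    msg_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        return []
    return [(s, EXPORT_SUITES[s]) for s in _hello_suites(body, msg_type) if s in EXPORT_SUITES]


# The two builders below produce constructed TLS 1.0 records for testing only.
def build_server_hello(suite, version=b"\x03\x01"):
    """Constructed minimal ServerHello record selecting `suite` (empty session id)."""
    body = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites, version=b"\x03\x01"):
    """Constructed minimal ClientHello record offering `suites` (null compression only)."""
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(suites_bytes)) + suites_bytes
            + b"\x01\x00")
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: a client that still offers an export suite, a server
    # that has been downgraded onto one, and a healthy AES-based negotiation.
    samples = {
        "client offering export suite": build_client_hello([0xC02F, 0x002F, 0x0003]),
        "server downgraded to export": build_server_hello(0x0008),
        "server on TLS_RSA_WITH_AES_128_CBC_SHA": build_server_hello(0x002F),
    }
    for label, rec in samples.items():
        hits = export_suites_in_record(rec)
        print(f"{label}: {'FLAG ' + ', '.join(n for _, n in hits) if hits else 'ok'}")
```

Run over a client's outgoing ClientHellos, the first check tells you which of your own devices still need the browser or Schannel patch the article mentions; run over ServerHellos from your banking endpoints, the second check confirms that the server side never selects an export suite, which is the server-side fix (removing those suites from the server's cipher list) expressed as a measurable condition.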
The vulnerability affects the Android and Apple Safari Web browsers, which rely on OpenSSL to establish secure connections, and Microsoft’s Secure Channel in all currently supported versions of Windows. Apple, Google Android and Microsoft announced that updates to fix the FREAK attack should be available for all major browsers soon.
For credit unions, there are good and bad sides to the FREAK story.
Carl Mazzanti is founder and CEO of IT consulting firm eMazzanti Technologies. “A lot of the credit unions cannot afford some of the technologies you would need to support mobile banking, so because of that, they might have less or no exposure,” Mazzanti said. “Those that are less vulnerable developed their mobile systems within the last five years and don’t have a legacy system to support it. Older systems are more susceptible than newer systems. Those running platforms that have some sort of legacy back to the late 1990s are the ones with the largest exposure.”
The $2.4 billion Texas Dow Employees Credit Union of Lake Jackson, Texas, took a proactive approach when it comes to its members’ Internet safety by providing an update to keep members informed of the FREAK exploit. The alert reads in part, “Internet researchers have discovered a new browser vulnerability you should know about. The exploit is called FREAK.” The alert goes on to explain that for FREAK to affect members, both the browser and visited website must be vulnerable, and provides assurance that TDECU’s servers are not vulnerable.
Paul O’Malley, vice president of e-commerce at TDECU, said the alert grew out of policy resulting from member concern over last year’s much-publicized data breaches.
“Our goal here is to alert our members so they can be educated, and know that they need to pay attention to Internet security,” O’Malley explained. “We understand our members are not expected to be experts on these types of things.”
TDECU also maintains a very close relationship with its technology partners.
“Typically what will happen is, they will see something out in the blogosphere or we’ll see something, and we’ll immediately call each other and ask if we’ve heard about it and what we’re doing about it,” O’Malley said.
Maintaining members’ reassurance levels when it comes to cybersecurity is good business. O’Malley pointed out, “We want our members to feel comfortable using our services and protect their security, not just with us, but with their other activities on the web and on their phones.”
How does a credit union protect itself? “Update their servers and devices with a patch for the vulnerability,” Mazzanti said. That’s the short answer; however, Mazzanti also pointed out that new threats emerge every day, and organizations must develop a security-first mindset.
Brooks suggested, “Take charge of the process [technical workload] and take a look to see where and what is vulnerable in your environment. Compromise is a terrible strategy for discovery.”