A looming deadline regarding a relatively obscure piece of security technology could soon give credit unions major headaches and call attention to weak spots in their data protections, industry experts warn.


At issue is an authentication protocol called Transport Layer Security, or TLS. It helps establish secure communications between systems, including between credit unions and members, or between credit unions and core processors or other vendors.


There are different versions of TLS, but the oldest is TLS 1.0. Its last major revision was in 1990, according to the PCI Security Standards Council. That version is notoriously vulnerable to hackers, which means that data, files, and processing activities using TLS 1.0 can be especially susceptible to breaches, according to Lou Grilli, who is director of payments strategy at CSCU in Tampa, Florida.


“We're talking about things like accessing online banking from your home computer, from a browser, that type of thing, but also on a machine-to-machine level, from a credit union uploading or downloading files securely through a file transfer to their core vendor or through their processor,” he noted.


So-called man-in-the-middle attacks — which allow hackers to decrypt sensitive information and even steal cryptographic keys — are of particular concern with TLS 1.0, the PCI Security Standards Council said.


No fixes or patches can adequately repair TLS 1.0, the council reported, which is why it is withdrawing support for TLS 1.0 on June 30, 2018. By then, online and e-commerce partners should be using TLS 1.1 or TLS 1.2, it said.


It's an in-the-weeds piece of technology, but Lou Grilli, Brian Maurer, who is VP of software development at CU*Answers, and CU*Answers EVP of Network Technologies Dave Wordhouse said credit unions that blow off upgrading it could find themselves with broken systems and angry members next summer. They said credit unions need to do a few things now to get ready for the change.


  • Start grilling vendors. Credit unions often work with different vendors to create various offerings for members. But if some or all of those vendors haven't transitioned to TLS 1.1 or 1.2 by the deadline, some features or services could suddenly stop working, Maurer said. “You really want to make sure your vendors are talking, they're on the same page, they're communicating ahead of these shut-offs,” he warned. “If you just leave this up to your vendors, that's where credit unions could potentially find themselves with either a vendor not up to par to where it needs to be, or two vendors not communicating well with each other, potentially causing a miscommunication and ultimately an interruption in some service.”
  • Be ready to renegotiate. Some vendors may not be willing to upgrade. “Getting out of that contract, switching to a new vendor, all of that stuff, that can certainly cost money,” Maurer said.
  • Scrutinize your own systems. Grilli recommends audits of every machine and every piece of software. “Yes, it's really time-consuming and probably painful, but now is the best time to do it,” he said. “There are potentially homegrown systems that have been in place for a while that are going to have to be touched.” Code in custom applications may need to be rewritten, and new operating systems may need to be purchased, Maurer added.
  • Make a communications plan. Some members may be using TLS 1.0 via old operating systems, so credit unions will need to notify members of the change soon and encourage them to update, Wordhouse said. “The challenge with that messaging in my opinion is most members don't understand what that means,” Maurer added.
  • Make time. Set aside three to six months for the transition work, Grilli advised. Besides everything else on this list, there's a lot of testing to do, plus upgrades and purchases may take weeks. Be sure to build in time for training, too. Things should be happening in the first quarter of 2018, he advised.
  • Save your notes. “We'll probably have this conversation this time next year for TLS 1.1, and probably a year or two after that for 1.2. I mean, the bad guys are going to continue to attack these protocols looking for weaknesses,” Wordhouse said. “This is part of life in the Internet age.”
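
One way to approach the system audit recommended above is to record the handshake each internal or vendor endpoint returns and read the protocol version the server selected. The following is an added example, not code from the article or anyone quoted in it; the endpoint names and handshake bytes are constructed sample data, and the TLS 1.1 floor reflects the deadline as the article describes it.

```python
import struct

# Wire values of the protocol version field. A TLS 1.3 server also reports
# 0x0303 in this field, hence the "or later" label.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2 or later"}
MIN_ALLOWED = 0x0302  # TLS 1.1: the floor the article gives for June 30, 2018

def negotiated_version(record: bytes) -> int:
    """Return the server_version field from a captured ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # body[1:4] is the 24-bit handshake length; server_version follows it.
    return struct.unpack("!H", body[4:6])[0]

def audit(captures: dict) -> dict:
    """Map each endpoint name to (version label or parse error, compliant?)."""
    report = {}
    for name, raw in captures.items():
        try:
            ver = negotiated_version(raw)
        except ValueError as exc:
            report[name] = (f"unparsed: {exc}", False)  # needs manual review
            continue
        report[name] = (VERSIONS.get(ver, f"unknown 0x{ver:04x}"), ver >= MIN_ALLOWED)
    return report

def fake_server_hello(version: int) -> bytes:
    """Build a minimal constructed ServerHello record (sample input, not real traffic)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

SAMPLES = {  # constructed captures; endpoint names are hypothetical
    "core-sftp-gateway": fake_server_hello(0x0301),
    "online-banking": fake_server_hello(0x0303),
    "card-processor-api": fake_server_hello(0x0302),
    "legacy-batch-host": b"\x15\x03\x01\x00\x02\x02\x28",  # fatal alert, no hello
}

if __name__ == "__main__":
    for host, (label, ok) in audit(SAMPLES).items():
        print(f"{host:20} {label:40} {'OK' if ok else 'ACTION NEEDED'}")
```

Endpoints that answer with something other than a ServerHello are reported as non-compliant rather than skipped, so they stay on the review list.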


© 2024 ALM Global, LLC, All Rights Reserved.