CHAPIN, S.C. – A team of online banking security specialists has developed a software tool to help credit unions determine if their sites can be compromised by automated hacking scripts and denial-of-service attacks. The CUDefense team is trying to drum up business for its new BankBuster software by offering free testing for a limited time to credit unions who have determined that they already have no password or denial-of-service vulnerability.

BankBuster acts like an orchestrated script-based hacking attack, and can be set to either try to quickly find passwords for individual accounts or to lock out large numbers of users in a simulated denial-of-service attack, its creators say.

"We believe this tool helps detect weaknesses that may be largely ignored," says Rick Woehler, a security analyst at CUDefense, a unit of online banking vendor PM Systems Corp. (www.pmsyscorp.com) in Chapin, S.C., which serves about 180 credit unions.

Two-way authentication systems that rely totally on passwords and PINs are considered particularly vulnerable to such attacks, Woehler says. "Many credit unions currently use these types of logins to allow access to Internet banking, bill pay, electronic statements and more. In some cases, these systems may be extremely vulnerable or even worse, already compromised," the Internet security specialist says.

Exacerbating that vulnerability is the fact that many credit unions use a member number as the first part of a login component, making it relatively easy to figure out the first part of the two-way system, the company says. A typical system locks an account after a pre-determined number of entry attempts. Because many systems require the credit union or the member to re-set the password, a denial-of-service attack that "locks out 10,000 members would be in real trouble under this scenario," Woehler says.
CUDefense's offer of free testing includes credit unions whose Internet banking providers "may not allow credit unions to independently test their authentication systems," Woehler says. "Credit unions using these vendors have to rely only on 'authorized' third-party certifications or SAS70 audit reports issued by these companies. Unfortunately, these types of audits may fail to adequately test these types of authentication systems," Woehler says. He maintains that such audits often rely on "off-the-shelf testing software that does not adequately test all of the various login systems provided to credit union members."

The BankBuster software runs in two modes. The denial-of-service mode will quickly lock out accounts if the system is vulnerable, Woehler says, while the password resolution mode runs more slowly and tries to find passwords for each account without locking them out. Each mode simulates real-life attacks, which, especially if they're slow-moving attacks, can fall under the radar of many detection systems because they look like normal member activity while rotating through a range of IP addresses to disguise the attack, CUDefense says.

Many two-way systems now have added security measures, such as script killers and hardware authentication, and adding a third or fourth authentication mechanism can sharply improve security, the company says. "No one has the perfect security system and the threats change on a daily basis," says Robert Broadwell, PM Systems vice president. "Staying in a proactive mode is always the best defense."
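The two patterns the article describes, a lockout storm and a low-and-slow guessing run spread across rotating IP addresses, are exactly what a credit union's own monitoring should flag. The following is an added defender's example, not BankBuster or any CUDefense code; the log format, field names, thresholds and sample lines are all constructed assumptions.

```python
# Added example (not CUDefense's code): detect the two attack patterns the
# article describes, run over constructed authentication-log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> account=<member#> ip=<addr> result=<OK|FAIL|LOCKED>"
LOG_RE = re.compile(r"^(\S+) (\S+) account=(\d+) ip=(\S+) result=(\w+)$")

# Constructed sample: 5 accounts locked within seconds (DoS mode), one account
# probed from three IPs hours apart (low-and-slow), and one benign user typo.
SAMPLE_LOG = """\
2024-05-01 09:00:01 account=1000001 ip=203.0.113.10 result=LOCKED
2024-05-01 09:00:03 account=1000002 ip=203.0.113.11 result=LOCKED
2024-05-01 09:00:05 account=1000003 ip=203.0.113.12 result=LOCKED
2024-05-01 09:00:07 account=1000004 ip=203.0.113.13 result=LOCKED
2024-05-01 09:00:09 account=1000005 ip=203.0.113.14 result=LOCKED
2024-05-01 10:15:00 account=1000123 ip=198.51.100.7 result=FAIL
2024-05-01 13:40:00 account=1000123 ip=198.51.100.8 result=FAIL
2024-05-01 17:05:00 account=1000123 ip=198.51.100.9 result=FAIL
2024-05-01 12:00:00 account=2000456 ip=192.0.2.55 result=FAIL
2024-05-01 12:00:20 account=2000456 ip=192.0.2.55 result=FAIL
2024-05-01 12:00:40 account=2000456 ip=192.0.2.55 result=OK
""".splitlines()

def parse(lines):
    """Return (timestamp, account, ip, result) tuples for well-formed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(f"{m[1]}T{m[2]}"), m[3], m[4], m[5]))
    return events

def lockout_storm(events, window=timedelta(minutes=10), min_accounts=5):
    """DoS mode: many distinct accounts locked inside one sliding window."""
    locks = sorted((ts, acct) for ts, acct, _ip, res in events if res == "LOCKED")
    for i, (start, _) in enumerate(locks):
        accts = {a for ts, a in locks[i:] if ts - start <= window}
        if len(accts) >= min_accounts:
            return True
    return False

def low_and_slow(events, min_ips=3, per_ip_max=2):
    """Password-resolution mode: failures on one account spread over many source
    IPs, each source staying under the per-IP count that would trip an alert."""
    by_acct = defaultdict(lambda: defaultdict(int))
    for _ts, acct, ip, res in events:
        if res == "FAIL":
            by_acct[acct][ip] += 1
    return sorted(a for a, ips in by_acct.items()
                  if len(ips) >= min_ips and max(ips.values()) <= per_ip_max)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("lockout storm:", lockout_storm(ev))          # True
    print("low-and-slow accounts:", low_and_slow(ev))   # ['1000123']
```

Per-IP rate limits alone miss the second case because each address stays under threshold; keying the count on the account (the member number) is what exposes it.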

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.