Goodbye, 25-Year-Old Security Technology
September 11, 2017
Your CU needs to disable or get rid of TLS 1.0.
By Jim Trautwein
In the security-conscious world we live in, many people would not believe our computers still rely on security protocols designed roughly 20 years ago, when the commercial web was new. That aging technology puts a lot of our information and financial processing at risk.
Case in point: Transport Layer Security, or TLS. Its ancestor, SSL, dates from the mid-1990s, and TLS 1.0 itself was standardized in January 1999 (RFC 2246) and has never been revised. It is exposed to well-documented attacks, most notably BEAST against its cipher-block-chaining mode, and it is usually paired with obsolete cipher suites such as RC4. Even worse, TLS 1.0 is still accepted by many browsers and a lot of financial system interfaces today.
Newer versions, TLS 1.1 and 1.2, fix these weaknesses, but TLS version negotiation settles on the highest version both sides allow. A server that still enables TLS 1.0 will use it with any client that offers nothing better, and for years browsers would also retry a failed handshake at a lower version, which an attacker on the path could provoke to force a downgrade (the TLS_FALLBACK_SCSV signal of RFC 7507 was introduced to stop that). The issue can be found anywhere connections are made and data is exchanged: file transfers, online sessions, interfaces to the core or payment systems, and more. The fact is, your members’ browsers can still end up talking to your online banking system over TLS 1.0 if either side permits it. In a perfect world, the connection would simply fail and members would be told their system can’t find a secure way to connect. Unfortunately, we don’t live in that perfect world.
Our industry is realizing the risk. The PCI Security Standards Council determined that SSL and early TLS (TLS 1.0) no longer qualify as strong cryptography, and PCI DSS 3.2 requires merchants and service providers to migrate away from them. The original deadline of June 30, 2016 was extended to June 30, 2018, but the council doesn’t recommend waiting.
Vendors are following the trend and disabling TLS 1.0 support in their systems. And even though some systems are starting to say “No!” to dumbing down security, credit unions need to take corrective action, because version negotiation depends on both sides of a transaction or a session: not just your shop but your members, too.
So how do credit unions go about this?
Ideally, CUs should move to TLS 1.2. TLS 1.1 satisfies the PCI requirement, but if you are going to upgrade you should upgrade to the most secure option that’s a current standard.
Note that it may not be enough to simply enable TLS 1.1 or 1.2. Remember, TLS settles on the highest version both ends allow, so as long as 1.0 remains enabled, any client that offers only 1.0, or an attacker who can force a fallback, still gets it. Check the configuration of every system that exchanges data or serves users. That’s likely to be every banking system and browser the credit union has. If any system still accepts TLS 1.0, it should be disabled or, better yet, removed altogether.
A lot of systems won’t let you disable protocol versions through their own settings, so it will be necessary to work with the vendors to get upgrades. And you’re going to need to notify your members, because they probably have no idea whether TLS 1.0 is the best their browsers and smartphones can do, and older devices will stop connecting once it is turned off.
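The check above can be automated. The script below is an added example, not the author’s or any vendor’s code: it connects to a server once per protocol version with a client pinned to exactly that version, so a completed handshake proves the server accepts it, turns the results into findings, and shows the server-side setting (a minimum version of TLS 1.2) that makes negotiation unable to settle on 1.0 or 1.1. The host name in the usage block is an assumption for illustration.

```python
"""Probe which TLS versions a server accepts, and build a server-side
context that refuses anything below TLS 1.2.

Added example; not the author's or any vendor's code.  The host name in
the usage block is an assumption for illustration only.
"""
import socket
import ssl

# Versions to probe, oldest first.  SSLv3 is left out: current OpenSSL
# builds cannot speak it, so it cannot be probed from Python at all.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_context(version):
    """Client context pinned to exactly one protocol version, so a completed
    handshake proves the server accepts that version.  Certificate checks
    are off because we are testing protocol support, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_server(host, port=443, timeout=5.0):
    """Return {version_name: True | False | None}.  None means the local
    OpenSSL build refused to speak that version itself (common for TLS 1.0
    on OpenSSL 3 at its default security level), so the result is
    inconclusive and should be confirmed with another tool."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = probe_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except ValueError:
            # minimum_version/maximum_version rejected: version compiled out
            results[name] = None
        except ssl.SSLError as exc:
            reason = str(exc)
            if "UNSUPPORTED_PROTOCOL" in reason or "NO_PROTOCOLS_AVAILABLE" in reason:
                results[name] = None  # our side could not offer it
            else:
                results[name] = False  # server refused the handshake
        except OSError:
            results[name] = False  # connection failed outright
    return results


def assess(results):
    """Turn probe results into the findings a credit union would act on."""
    findings = []
    if results.get("TLSv1.0"):
        findings.append("TLSv1.0 accepted: disable it (PCI DSS early-TLS deadline 30 June 2018)")
    if results.get("TLSv1.1"):
        findings.append("TLSv1.1 accepted: acceptable, but plan to allow TLSv1.2 only")
    if not results.get("TLSv1.2"):
        findings.append("TLSv1.2 not accepted: enable it before turning anything off")
    for name, accepted in results.items():
        if accepted is None:
            findings.append(f"{name}: inconclusive, local library cannot speak it; confirm with openssl s_client")
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that refuses TLS 1.0 and 1.1 no matter what the
    client offers: negotiation then cannot settle below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allows_early_tls(ctx):
    """True if the context would still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    # Hypothetical host; replace with your own online banking or core endpoint.
    target = "onlinebanking.example.com"
    outcome = probe_server(target)
    for name, accepted in outcome.items():
        print(f"{target}: {name} -> {accepted}")
    for line in assess(outcome):
        print("  ", line)
```

Run it against each endpoint members and partners connect to, not just the public web site, and treat an inconclusive TLS 1.0 result as a prompt to re-test with `openssl s_client -tls1` from a machine whose library still speaks it. The server-side setting is the one that matters: once the minimum version is 1.2, a client that offers only 1.0 gets a protocol-version alert instead of a weaker session.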
For those of us who remember, this is going to feel like Y2K all over again. But the sky didn’t fall then, and it won’t fall now, so long as we all take steps to protect our systems and educate our members about the dangers of outdated security.
Jim Trautwein is a senior director for CUES Supplier member and strategic provider Cornerstone Advisors, Scottsdale, Ariz.