Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn


Passwords. An Update.

Originally published on CUInsight.com

It’s a topic you’ve seen here before. Time and again. Of course, it’s still pertinent since we keep using them. Passwords are a bane of the tech world. Unless you can invent a simple way to authenticate yourself with any service, they’re going to stick around for a while. That doesn’t mean we need to despise them, though. In the past, we have discussed the problems on both ends, from policies that lead to creating awful passwords, to people insisting on using “love”, “*dogname*”, and “!23456”.

Grab your favorite password and…throw it in the trash (sadly, even “CorrectHorseBatteryStaple”). Because we’re back.

Like the question of eggs being healthy or your worst nightmare, passwords see a wide variety of advice as the years go on. Some of it is due to a long period of terrible advice (which we discussed before, and, I’ll admit, my own suggestions evolved, too). Thankfully, this is changing…slowly. The other part is based upon processing speed increases; it’s easier than ever to parse billions of possibilities (using databases of common passwords from leaks combined with dictionary analysis). So what’s the current solution?

It’s lurking in plain sight, on all your devices. The best password is one you never create. Every modern platform supports strong password suggestions. Then, they save these passwords in a secured database, so you don’t have to put a note in your drawer (it’s ok, you’re not alone). Depending on the system, there might be a master password, or it can combine with biometrics. Make this your big, strong password, then never use it. Rely on the fingerprint scanner, FaceID, or other verification system.

On iOS (that’s iPhone and iPad), the next version will have automatic strong (Apple calls them complex) password creation and storing. That means, when a site asks to create a password, your phone already filled in a really good one. Then it saves it so you never even bother thinking of something. To log back in, your phone just asks for verification through TouchID or FaceID (depending on device). This is new; auto-fill now has security, too. Yes, you still have to create a unique username. Sorry, MarioKartKing is taken.

There’s another side of this revisit: Updating your password. I know, I know, I spoke strongly against this practice in the past. My position is unchanged. If you change your password, make it for a good reason. A brilliant website called haveIbeenpwned.com checks your e-mail address or usernames to see if they were included in any breaches. If so, it shows which and to what degree. Then, you know it’s time to update those passwords (and anywhere else you shared those credentials). That password auto-suggest is looking mighty nice right now.

Here’s the bottom line: With password managers so prevalent and easy to use, there’s no excuse to still create your own passwords. It’s putting you (and the data within) at unnecessary risk. It also saves time. When I read of a breach on a service I use, I just go in, update that password, and get back to my life. Since it won’t be shared with any other system, I don’t care what someone does with the information. Granted, if passwords were stored in a way someone could access them, I’d be questioning the utility of said service, given their poor security practices.

Bottom line of the bottom line: Complex, random strings of characters, stored in a quality password manager, are the best way to ensure your personal (or corporate) information remains only in the hands you want.

Resources (A non-exhaustive list of password managers)

OS Based:

  • SmartLock for Passwords (Android/Chrome)
  • iCloud Keychain (Apple devices)

3rd Party:

  • Firefox Sync
  • LastPass
  • 1Password

A Merchant Breach Rant For You To Empathize

This CUbit is an extension of a comment I shared on a CUInsight article today. You can view the full story (and my comment) here. Background: Wendy’s appears to have experienced a POS (Point of Sale) breach sometime in the past, oh, few years. The malware (bad software) has crept around their systems and locations under the radar, only mentioned briefly in a corporate report and supported by credit unions seeing increased debit card fraud from members who frequented the chain.

I don’t eat at Wendy’s, so my cards are not compromised (by this breach, at least). But why should that make a difference? Just because you enjoy an occasional Frosty doesn’t mean you should have to watch your account for fraud. And, in all honesty, when faced with limited options, I’ll have their baked potato. Will I pay with plastic? Of course. Will millions of others? Sure.

If you read my posts regularly, you’ll know this isn’t the first one on merchant breaches. Nor will it be the last. At least with how they’re treated today. The onus on security is akin to me paying someone to watch my car, having it stolen, then the watcher just looking at me while shrugging their shoulders. When was the last time you heard about a card breach affecting the issuer? That’s right, almost never. Because they care about security. In fact, they have regulations mandating their adherence to stringent policies. Whether you’re Bank of America, our regional community bank, or one of thousands of credit unions, you protect card information. And given how rare an issue arises, I’d say you are all doing a great job.

(From this point, my original story comment is expanded upon, so if it looks familiar, that’s on purpose, and thank you for reading!)

My frustration isn’t with the credit unions. Not at all. It’s with the retailers. Wendy’s just happens to be the case in point today. Let me repeat what I’ve said before many times: We. Have. The. Technology. To. End. Breaches.

Between adopting EMV and contactless payment (Apple Pay, Android Pay, CU Wallet, etc.), we can have tokenized transactions at all purchases. This means your card number, unless physically lost/stolen, cannot be compromised. Even if the merchant’s system is crawling with malware. All the criminals get is a one-time use number (which is immediately identified as fraud when attempted again). The number you see on the piece of plastic never appears on their end.

Would new systems solve the problem? Mostly. But there are also an enormous number of dangerous practices still being performed. Know anything about PCI compliance? No way these actions would pass. Now you want examples, so here are two I’ve experienced in just the past few weeks. The first came while I was with a friend getting his car serviced. This wasn’t at a mom-and-pop shop; rather, he went to one of the largest dealerships in the southeast United States. What did they do upon payment? They photocopied his credit card, front and back, to store with his service paperwork.

Let me repeat: They took a picture of his credit card. Then they put it in a glass office with hundreds of others, in full view of staff and customers. “We lock that office”, they said. Color me comforted.

Another crazy action occurred just two days ago at a hotel in Los Angeles. Upon check-in, hotels like to keep your card on file for incidentals (or if you decide to rock-star-style destroy the room). That’s fine, and there’s a proper way to do it. This Comfort Inn (again, big company which knows better) took an imprint and put it with the regular paperwork, under no lock and key.

And we wonder why breaches are so common (imagine their digital security if that’s how they handle cards in person).

Since merchants (especially multi-nationals) have little responsibility in the breaches (it’s not like we’ve heard credit unions talk about this before…), they are slow to make any changes. If they had to burden 100% of the breach costs, do you think we’d still have major merchants doing such dumb things with your information?

As a technologist, it’s incredibly frustrating to see event after event of preventable breaches occur, while those not at all in the wrong have to bear the costs (the Big 3, community banks, and credit unions all included).

Plus, who likes having to reset all of your automatic payments and online shopping accounts?

Image credit: https://www.flickr.com/photos/[email protected]/11406986014/

Is Your Computer Reminiscing You Into Insecurity?

The Internet is a unique place. Where else can you come in with antiques that are only a few years old? And even more, those “antiques” can put you in danger! Imagine if your car, at the end of the lease, was considered “obsolete”. So much for that ’65 muscle car! May as well get rid of it now before it explodes at a stoplight. Really, it’s only a matter of time!

Yes, the pace of digital improvement is staggering. As is the pace of obsolescence. Part of it is “planned”, where a manufacturer or developer wants you to buy their latest version, so they stop supporting the previous. Another aspect is opportunity cost. Keeping security and compatibility updates flowing for an older product requires staff time and resources. At what point does that investment become a losing proposition?

The core of our network-connected society has become the web browser. What used to be “just another program” on your computer has evolved into an operating system of its own. Suffice it to say, your trusty IE, Firefox, Safari, or Chrome (or Opera, if you’re one of the brave outliers) does an incredible amount of work behind the scenes. They are what allows us to receive notifications from websites, load full 3D games in a webpage, play back videos without additional software, and display engaging websites powered directly by the computer’s video card. If you want to see how far we’ve come, simply install an old version of Mozilla Firefox, say, 1.5 (from 2005), on your computer. Watch how slow browsing becomes, and how many sites refuse to load, or do, but with horrid interfaces.

Unfortunately, with the good comes the bad. There are individuals and groups out there which want to do harm to your computer. Some for “fun”, others for profit, and still more for political motivations. As a result, your lock is always being picked. Good thing there are security teams devoted to closing these holes at every company! Security updates are the main reason why you receive regular updates on your computer…do them! Patch Tuesday, the monthly Windows Update, may include dozens of security fixes for the operating system and Internet Explorer. Each time you skip one of these, you are leaving your door unlocked for the person who knows where to look.

Which brings us to the point. I had a peek at my logs for credituniongeek.com. Between November 17, 2014 and December 17, 2014, my site was visited by potentially unsupported web browsers. 10.28% were using Internet Explorer 8, which, if you’re on XP, is no longer receiving security updates. An additional 4.67% were browsing on IE 7, an incarnation of the program which struggles to load much of the modern internet and, as well, has unpatched security vulnerabilities. Read Microsoft’s official support policy.
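As an added example (not code from the post), here is one way to pull the kind of browser-share numbers quoted above out of a web server access log. It assumes Apache/nginx “combined” log format and uses a handful of constructed sample lines; IE 8 on XP is flagged by the “Windows NT 5.1” token in the user agent.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2014:10:01:12 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.9 - - [18/Nov/2014:11:22:01 -0500] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [20/Nov/2014:09:15:33 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.51.100.8 - - [21/Nov/2014:14:05:10 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
203.0.113.5 - - [01/Dec/2014:08:44:57 -0500] "GET /posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
"""

# Combined log format: the user agent is the last double-quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
MSIE_RE = re.compile(r"MSIE (\d+)\.")  # IE 11 dropped the MSIE token; it lands in "other"


def classify(ua):
    """Label a user agent as 'IE7', 'IE8 on XP', 'IE8 (other Windows)', or 'other'."""
    m = MSIE_RE.search(ua)
    if not m:
        return "other"
    major = int(m.group(1))
    if major == 7:
        return "IE7"
    if major == 8:
        # "Windows NT 5.1" is the XP token; IE 8 on XP stopped getting updates with XP.
        return "IE8 on XP" if "Windows NT 5.1" in ua else "IE8 (other Windows)"
    return "other"


def browser_share(log_text):
    """Return ({label: percent}, total_requests) over the parseable lines of a log."""
    counts = Counter()
    total = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        total += 1
        counts[classify(m.group("ua"))] += 1
    if total == 0:
        return {}, 0
    return {label: round(100.0 * n / total, 2) for label, n in counts.items()}, total


def unsupported_share(shares):
    """Percent of requests from browsers no longer receiving security updates."""
    return round(shares.get("IE7", 0.0) + shares.get("IE8 on XP", 0.0), 2)


if __name__ == "__main__":
    shares, total = browser_share(SAMPLE_LOG)
    print(total, shares, unsupported_share(shares))
```

Point it at a real access log with `open(path).read()` in place of `SAMPLE_LOG`; per-visitor rather than per-request shares would need deduplication on the `ip` field first.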

I understand if your credit union has custom software running on old platforms. It’s expensive to change, and if it still serves your staff and members, why upgrade? That’s fine. But these systems cannot be connected to the public internet. Especially at a financial institution, this is asking for security breaches. Even with good procedures, it happens, all, the, time.

For the safety of your credit union, members, and staff, please update your public-facing systems.

© 2018 Credit Union Geek
