Security Protocol Deadline Nearing, & It’s a Big Deal, Experts Warn

August 24, 2017 Marketing GrafWebCUSO

A looming deadline regarding a relatively obscure piece of security technology could soon give credit unions major headaches and call attention to weak spots in their data protections, industry experts warn. 

At issue is an authentication protocol called Transport Layer Security, or TLS. It helps establish secure communications between systems, including between credit unions and members, or between credit unions and core processors or other vendors.

There are different versions of TLS, but the oldest is TLS 1.0. Its last major revision was in 1990, according to the PCI Security Standards Council. That version is notoriously vulnerable to hackers, which means that data, files, and processing activities using TLS 1.0 can be especially susceptible to breaches, according to Lou Grilli, who is director of payments strategy at CSCU in Tampa, Florida. 

“We’re talking about things like accessing online banking from your home computer, from a browser, that type of thing, but also on a machine-to-machine level, from a credit union uploading or downloading files securely through a file transfer to their core vendor or through their processor,” he noted. 

So-called man-in-the-middle attacks — which allow hackers to decrypt sensitive information and even steal cryptographic keys — are of particular concern with TLS 1.0, the PCI Security Standards Council said. 

No fixes or patches can adequately repair TLS 1.0, the council reported, which is why it is withdrawing support for TLS 1.0 on June 30, 2018. By then, online and e-commerce partners should be using TLS 1.1 or TLS 1.2, it said.

It’s an in-the-weeds piece of technology, but Lou Grilli, Brian Maurer, who is VP of software development at CU*Answers, and CU*Answers EVP of Network Technologies Dave Wordhouse said credit unions that blow off upgrading it could find themselves with broken systems and angry members next summer. They said credit unions need to do a few things now to get ready for the change.