Hacking Update: Breach of Montana CU's Web Site Provides Vital Lesson

UTICA, Mich. — The recent hacking of a Montana credit union provides a stark lesson for CUs across the nation about the security of their web sites — namely that they aren't as secure as executives think.


Last weekend, Southwest Montana Community FCU's web site was hacked by a group claiming to be the Islamic State (ISIS). In an interview with CU Journal, CEO Tom Dedman emphasized that only the CU's marketing site was impacted and not sensitive member information, which is siloed and kept on a separate server.

The hack was caused by a weakness in FancyBox, a plug-in on the WordPress platform used to build the site.

According to Jason Sherrill, CEO at Inet Solution, a web design and consulting firm near Detroit, far too many credit unions rely on WordPress for their web needs — a utility he says is free and easy to use, but doesn't provide the kind of security financial institutions require.

WordPress, explained Sherrill, was created as blogging software, not as a home for financial institutions.

"At its core, WordPress is a great platform," said Sherrill. "I like it for its intended purpose, which is when an aunt or uncle or grandma calls and says 'I want to create a web site,' WordPress is the solution. It's easy to learn and easy to set up, but because of that, security is not a consideration."

The other part of the problem, continued Sherrill, is that by its very nature, WordPress is an open-source system that allows anyone to create plug-ins that can be used on WordPress sites — and the vast majority of functionality on WordPress sites comes via those plug-ins.

"Bank or credit union web sites may have 20 or 30 plug-ins in use, all written by different authors and all adding different functionalities," he said. But those plug-ins aren't necessarily created by developers focused on security, and they aren't always updated to protect against security threats. Worse, they can easily be created and then abandoned, "but they're still out there full of security holes and vulnerabilities," he said.

So if WordPress sites are so risky for credit unions, why do so many use it? According to Sherrill, the answer is easy: it's free.

"Especially for smaller credit unions, budget is a concern when looking at technology, so [with WordPress] they've got something that's free, compared to enterprise-class systems out there that run several thousand dollars for licensing costs," he said. On top of that, since many CUs don't have in-house IT expertise, management often relies on local firms that may know how to get a web site up and running but aren't as familiar with the security needs of financial institutions.

"Because credit unions are placing a fair amount of trust in that web designer, the questions aren't always being asked about security," he said.

Most credit unions cannot afford to spend thousands of dollars on a top-of-the-line web site. But unfortunately, said Sherrill, there's not much middle ground between free, easy-to-use WordPress or Drupal sites and more secure, sophisticated and expensive sites from the likes of Ektron and Kentico.

"Security is expensive and finding developers that know how to write really secure code is very difficult, and they tend to earn a lot of money," he said. "That's why you don't see a lot of $299-type high-security web site platforms out there."

'A Very Common Fallacy'

Speaking with Credit Union Journal earlier this week, Southwest Montana Community FCU CEO Tom Dedman emphasized that while the marketing arm of the site was impacted by the hack, all member data was safe because it was siloed elsewhere on a separate server.

But Sherrill called that sense of security "a very common fallacy," since even though sites may not "suffer as direct a data theft that could occur if someone got access to the online banking system," there are still plenty of ways for hackers to gain access.

Because so many CUs have a login box for online banking on their home page, hackers who control that page can alter the code served with it and capture usernames and passwords. Rather than siphoning off data, attackers might also choose to embed JavaScript that targets the unprotected computers of visitors, Sherrill suggested.
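One defensive counterpart to the risk just described, as an added example that is not from the article or from anyone quoted in it: a small audit that checks the login box on a marketing page against policy, so a defacement that redirects the form or injects a script is caught before members see it. The hostnames, the allowlist and the sample pages are all constructed for the example.

```python
# Constructed example (not from the article): audit a marketing page that hosts an
# online-banking login box for the tampering the article warns about (a form that no
# longer posts to the banking host, off-allowlist or inline scripts). Hosts are assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_LOGIN_HOST = "banking.example-cu.test"
ALLOWED_SCRIPT_HOSTS = {"www.example-cu.test", "banking.example-cu.test"}

class LoginPageAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline_script = False  # inside a <script> with no src attribute

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action posts credentials to the (defaceable) marketing host.
            host = urlparse(a.get("action") or "").hostname
            if host != EXPECTED_LOGIN_HOST:
                self.findings.append(f"form posts to {host or 'marketing host'}")
        elif tag == "script":
            src = a.get("src")
            if src is None:
                self._inline_script = True
            elif urlparse(src).hostname not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(f"script from unexpected host {urlparse(src).hostname}")

    def handle_data(self, data):
        if self._inline_script and data.strip():
            self.findings.append("inline script present on login page")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False

def audit_login_page(html: str) -> list[str]:
    # Returns the findings for one page; an empty list means it matches policy.
    auditor = LoginPageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample pages: a known-good baseline and a tampered copy of it.
CLEAN_PAGE = """<html><body><script src="https://www.example-cu.test/js/site.js"></script>
<form action="https://banking.example-cu.test/login" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://banking.example-cu.test/login", "https://collector.invalid/login"
).replace("<form", "<script>var injected = 1;</script><form", 1)
```

Run against the live page on a schedule and alert on any non-empty result; a baseline fetched right after deployment gives the policy values to compare against.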

While in this case the site was merely defaced, he said, "that's not what's always going to happen."

Regarding the defacement, Sherrill shared some of the skepticism of others quoted in news reports that the attack may not have actually been orchestrated by the Islamic State.

"My gut reaction was that it's probably a hoax," he said. "It was probably somebody looking to capitalize on current media, but can I say that for certain? No."

How CUs Can Fight Back

Regardless of the source of the attack, Sherrill agreed with Dedman's assertion that credit union executives often don't understand the inner workings of their web sites.

"The solution to it is not, in my opinion, for a CEO or senior management to go out and try to become an expert on programming," said Sherrill, noting that CUs need a partner that understands not only web design, but hosting and coding.

"Ask those questions: 'Do you understand our risk as a financial institution? Do you understand the types of attacks launched against us? We want to make sure we're protected against these, what platforms are suited for us?'" He emphasized that CUs can still work with the creative teams they've always utilized, "but they need to understand that the web today is not just a creative medium — it's far more a software and systems medium and a creative one."

Credit unions should also remember that they have a trusted resource in their peers, he added, noting that smaller credit unions can always turn to larger institutions to ask about potential partners that have already been vetted by the community.

For CUs currently running WordPress sites, he said, the first step they should take is to ensure that every plug-in they use is up to date, since that's what led to the Southwest Montana hacking.

And that's not just a one-time task. Someone needs to stay on top of those updates and ensure that they're kept current, because hackers and bots don't stop after one pass, he reminded. They're going at it 24/7/365 — and so should credit unions.
