The art of banking has come a long way over the last couple of decades – undoubtedly due to mobile banking, bill pay and website technology advancements. Yet, with consumer convenience, comes financial institution risks and responsibilities.
One of the most challenging aspects of maintaining a financial institution’s digital presence is keeping data secured and out of the hands of cybercriminals. The security of online banking, bill pay and website applications depends entirely on the strength of the secured connection during online sessions.
Normally, these sessions are secured using a Hypertext Transfer Protocol Secure (HTTPS) connection, with one of two security protocols – Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Basically, each protocol encrypts data so that it can be read only by the site’s owner and the end user.
With cybercrime on the rise across the nation, many institutions are wondering if their digital platforms’ connections are secure enough to withstand an attack. And, that question is a valid one.
Just like any technology, the SSL and TLS protocols have evolved over time – sometimes leaving past versions vulnerable. Unfortunately, today the majority of these protocol versions have been found to be susceptible to attacks and unable to protect the data they encrypt. These versions include:
As a result, the PCI Security Standards Council (PCI SSC) released a special bulletin back in February 2015 announcing that SSL is no longer acceptable for protection of data based on the definition of “strong cryptography.” Although most websites have stopped using the older versions of SSL, many still support SSL 3.0. In addition, many websites are using TLS 1.0, with its last major update in 1990, which has been found to be easily breached, leaving data and files unsecured. Because these weaknesses cannot be repaired by any patches or fixes, the PCI SSC has announced it will withdraw support for TLS 1.0 effective June 30, 2018.
To safeguard your institution’s and consumers’ information, make sure you’re running on secured connections that are up to date. All financial institutions should be upgraded to use the latest cryptography to secure connections no later than the first quarter of 2018. But, be prepared, it won’t be long before TLS 1.1 and TLS 1.2 are replaced by new protocols.
Also, work with your institution’s external vendors to ensure they have discontinued the use of these older protocols. You wouldn’t want another source’s site to leave your institution’s information vulnerable.
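One way to verify which protocol version a server, your own or a vendor’s, actually negotiated is to inspect the ServerHello from a captured handshake. The following is an added example, not code from the article or from Doeren Mayhew; the sample records are constructed inline, and the “deprecated” set reflects the SSL 3.0 and TLS 1.0 versions the article says the PCI SSC no longer accepts.

```python
"""Classify the protocol version carried in a captured SSL/TLS ServerHello record."""
import struct

# Wire encodings (major, minor) for the versions the article discusses.
# Only versions up to TLS 1.2 are classified here; TLS 1.3 signals itself differently.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Versions the PCI SSC no longer treats as strong cryptography (per the article).
DEPRECATED = {"SSL 3.0", "TLS 1.0"}

HANDSHAKE_RECORD = 0x16  # record-layer content type: handshake
SERVER_HELLO = 0x02      # handshake message type: ServerHello


def negotiated_version(record: bytes) -> str:
    """Return the version name chosen by the server in a ServerHello record.

    Layout: type(1) version(2) length(2) | hs_type(1) hs_length(3) version(2) ...
    The record-layer version is only a hint; the ServerHello body holds the real choice.
    """
    if len(record) < 11:
        raise ValueError("record too short for a ServerHello")
    rec_type, _, _, rec_len = struct.unpack("!BBBH", record[:5])
    if rec_type != HANDSHAKE_RECORD:
        raise ValueError(f"not a handshake record (type 0x{rec_type:02x})")
    if rec_len != len(record) - 5:
        raise ValueError("record length field does not match payload")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type 0x{hs_type:02x})")
    if hs_len != rec_len - 4:
        raise ValueError("handshake length field does not match record")
    major, minor = record[9], record[10]
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def is_pci_acceptable(record: bytes) -> bool:
    """True when the negotiated version is not one the article lists as withdrawn."""
    return negotiated_version(record) not in DEPRECATED


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample: minimal ServerHello (zero random, no session id, no extensions)."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, major, minor]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for ver in [(3, 0), (3, 1), (3, 2), (3, 3)]:
        rec = build_server_hello(*ver)
        print(f"{negotiated_version(rec):8} -> {'acceptable' if is_pci_acceptable(rec) else 'DEPRECATED'}")
```

The same function can be run over ServerHello records exported from a packet capture of sessions to a vendor’s site to confirm the older protocols are really gone.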
If you need help assessing if your institution’s digital platforms are susceptible to breaches, contact Doeren Mayhew’s IT specialists. Focused on the security and integrity of financial institutions’ technology systems, they stand ready to help keep your connections secured and data protected.
By David Day, CISSP, CEH, CHFI, CCNA, MCSA, CISA – Senior IT Auditor, Doeren Mayhew