By Seth Jaffe.
The Credit Union Information Security Professionals Association held its yearly meeting last week in San Antonio. One of the topics that came up often was core migration, a security issue that just got a booster shot from Tuesday’s article by Brian Krebs on that very subject. One of Krebs’ colleagues received an email notification requiring password reset due to migration to a new e-banking platform. To successfully login to the new platform, a customer need only her username and the last four digits of the social security number, two items that are likely for sale on the darkweb for just about all Americans (though individuals are getting better at setting unique passwords, usernames often remain the same across accounts). Armed with just these two pieces of information, a cyber criminal could implement a new password, set new security questions, and register a new phone number, thereby bypassing any two-factor authentication that the customer originally relied upon.
Though most banking institutions utilize these core platforms (such as FISERV, FIS, Jack Henry, Corelation, CSI, D+H, and COCC), smaller entities like local banks and credit unions may feel they don’t have sufficient bargaining power when it comes to managing migration or even core upgrades. But in many cases, they have more leverage than they suspect. For example, the NCUA Part 748 Appendix A requires a credit union to “ensure the security and confidentiality of member information” and “protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.” Appendix A goes on to impose obligations to oversee service provider arrangements, including “requir[ing] its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines.”
The Code of Federal Regulations, therefore, arms a credit union with significant bargaining power in matters such as core migration and upgrades. A service provider would be hard pressed to maintain an inadequate migration process in view of such. Moreover, the core platform company likely has similar information security obligations itself, whether it be through Gramm-Leach-Bliley, a state law, or something else. Take a look at the FFIEC’s information security website, or talk to your attorney.