COLUMBIA, S.C. – A hacker's reported swift entry into three Swedish banks through the vaunted protections of SSL technology has some experts in the credit union space scratching their heads more than crossing their fingers.

According to the Reuters news service, the hacker – who was not named but described as well known in computer security circles – demonstrated for a reporter in Stockholm how he could easily bypass the secure socket layer (SSL) encryption protections embedded in Microsoft Web server software and enter the systems of three of four large Swedish banks.

SSL encryption, of course, is the standard for online transactions, regardless of the vendor, and an intrusion like that described by Reuters can raise eyebrows.

"It really concerns me," said Cynthia Hawk, president of GTX Credit Union in Houston. Her $13 million, 2,700-member CU has been considering online banking products for the past year, she said, but Hawk and her board members are leery of possible security breaches.

"Regulations now require credit unions to implement online security programs and measures designed to ensure secure operations, but reports like these and hacker attacks on agencies like the California comptroller's office make one wonder about the ability to really protect member information and prevent financial fraud and identity theft," she said.

While he remains confident of the financial services industry's ability to protect consumers, "it makes me wonder what really happened," said Paul Hemond, a San Diego-based Fiserv senior vice president of technology in daily touch with Microsoft and other major vendors. Hemond – who described what he said were several technical inaccuracies in the hack as reported – and others agreed it shouldn't have been able to occur the way it was recounted.

"I've got to think that instead of what we're hearing was an SSL breach, that it really was a so-called 'man-in-the-middle' attack, someone spoofing the site with a bogus certificate," he said.

Such an attack, involving creating a sophisticated-enough duplicate Web site to attract legitimate traffic – including access codes and other confidential information – would actually be quite a feat in and of itself, but that's what appears to have happened, Hemond and others theorize.

Indeed, a recent bulletin from Microsoft – the favorite target of hackers – addresses the possibility of what's called a certificate validation flaw, a possible way to exploit a vulnerability in personal key identification (PKI) technology used to secure passwords and other identifiers exchanged across the Internet.

Niels Taylor, a network security analyst for CU Defense, a division of South Carolina-based PM Systems Corp. that provides security to more than 100 credit unions, also thinks that might be what happened.

"This vulnerability is complex, but off the top of my head, I can envision a scenario where a hacker could exploit this flaw to set up a spoofed site, complete with what appears to be a positive certificate validation that would create an SSL connection," Taylor said. "He could then receive member authentication credentials that he could then use to enter a user's real online banking account and, if the proper controls are not in place, steal from this account," he said.

Such an attack would be quite sophisticated and would require the actual penetration of DNS servers, the heavily armored technology at the very heart of information transfer across the Internet. "This would not be the work of your typical script kiddie," Hemond said.

The unnamed consultant in the Reuters report, for his part, noted that part of the problem lies in not keeping up with the patches and other updates Microsoft and other vendors constantly issue as vulnerabilities are discovered and reported.

That's not unimportant. "SSL is the standard of our industry," said Hugh McArthur, information systems security officer for Online Resources Corp., a Virginia-based major supplier of Internet banking and related services to credit unions. "While vulnerabilities have been exposed in the past, Microsoft has provided effective patches, and SSL is still a very reliable form of security," McArthur said. "We wouldn't be in business without it."

Of course, viruses and worms, hacks and attacks are nothing new, whether the target be Microsoft or a competitor. What was new about this report was the alleged unprecedented ease with which a hacker broke through SSL encryption, which the non-technical have always considered perhaps inviolable.

"I would say that in the circles of those who are familiar with security at this level and comfortable in this environment, I would say the attitude is that such an attack, as it was reported, is not impossible but definitely unlikely," said Oscar Mireles, senior vice president for Fiserv's Credit Union Group.

"As a whole, our systems continue to be basically secure, but because of the complexities of this environment, you have to keep your eyes and ears open, keep your systems updated, stay diligent.

"That's why we have to have security operations."

© 2024 ALM Global, LLC, All Rights Reserved.