Every financial institution today should have a website for consumers to view products and services and learn about their brand. Of the many things a website should be - informative, easy to navigate, carefully designed - the No. 1 priority should be security.
If a credit union has an insecure website, member information could be put at risk. Members likely access their accounts through a web portal on the website. If this is compromised, the member's financial information could be collected by criminals. Not only can this result in devastating consequences for the member, but the relationship between consumer and credit union will almost certainly be damaged or destroyed.
To avoid these negative events from happening, it's critical that credit unions pay careful attention to the security of their websites. Many times, a compromised website isn't immediately clear unless a user is specifically looking for vulnerabilities.
Web shells are hard-to-see breaches
Security blogger Brian Krebs explained that a Web shell is a common tool hackers use to discreetly collect sensitive information. The shell is a backdoor program that gives a criminal the ability to control the website and server from anywhere in the world. For someone who specializes in these programs, a web shell is relatively simple and requires only a web browser to utilize.
Krebs reported on his blog, "Krebs on Security," that he encountered one of these web shells on a California-based credit union. The shell remained on the site for a period of time before the credit union was alerted to the breach and removed it. Luckily, no personal information was collected in this instance, Credit Union Times reported.
While this credit union was alerted to the breach early on and took the right steps to remove the shell, the situation could have quickly gotten out of hand. Alex Holden, founder of Hold Security, told Krebs that he has found more than 13,000 websites retrofitted with web shells similar to the one installed on the credit union's.
Why certain websites are hacked
Websites typically aren't uniquely targeted by hackers, Krebs explained. Instead, a bot crawls the web looking for vulnerabilities. Once detected, the bot uses the weak point to retrofit the web shell. Most often, the bots target outdated WordPress or Joomla sites.
However, this doesn't necessarily mean that WordPress and Joomla are inherently less secure than other content management systems. In fact, WordPress is the most popular CMS, with more than one-quarter of all websites using the platform. Joomla is another well-respected and popular CMS.
There are good things and bad things about using these types of systems for web creation. On one hand, they're user-friendly and offer a plethora of features to customize a website. On the other hand, since they're so widely used, hackers like to create programs that specifically target vulnerabilities in the platforms.
To stay ahead of the game and block smart criminals from hacking into websites built on their platforms, CMSs are constantly building updates. Once the update comes out, users should upgrade their websites accordingly; this is the best way to ensure maximum security.
Tips on how to keep your website secure
Pay attention to your plugins
Of course, total website security goes far beyond CMS upgrades. Any third-party plugins also present a risk, Krebs explained. Like WordPress and Joomla, these plugins need to be regularly updated as well. Never put off a new update. If you decide that a certain extension or plugin is no longer serving your needs, don't let an outdated app stay connected to your website. Either update or delete it.
Whether you're using an updated version or not, a third-party plugin should be carefully chosen. Only use those created by trusted companies, and always do your research on a plugin before adding it to your site.
Choose a good host
When setting up a website, the CMS is only one piece of the puzzle. You'll also need to choose a server to host your website on. Only use a secure server to host your website, Credit Union Times recommended.
Another security feature is as simple as the password you choose. You know the importance of creating a robust username and password to access your personal bank account information; take this advice and apply it to your websites.
Pick your password carefully
Credit Union Times noted that 8 percent of website breaches are successful because the hacker simply guesses the username and password, otherwise called brute force attacks. If you have a common username (like "username" or "admin"), change it immediately.
As far as passwords go, it doesn't need to be anything lengthy or hard to remember; just make it unique enough that a simple guessing game won't crack it. People often turn to surprisingly common and mundane passwords to keep their most valuable information safe. According to Keeper Security, the most common passwords of 2016 included "123456," "qwerty" and "111111." Don't jeopardize your members' financial security for the sake of a simple password.
Guessing a username and password typically isn't done in one round; even when both elements are fairly easy to predict, it'll usually still take a few attempts to gain access to an account. Therefore, many brute force attacks can be shut down if there is a login attempt limit.
Backup your website
Even when you take every precaution, there could be a fluke instance when your website becomes breached or isn't accessible. In these instances, a website backup is crucial for getting things back up and running as soon as possible. Be sure to securely backup your website on a daily basis.