Website Security 101 for Banks and Credit Unions
One of the most challenging aspects of maintaining your bank's digital presence is keeping current with website security. Banks and credit unions, and their customers and members, are targeted by a host of threats, from automated scanners probing every site on the internet to sophisticated criminal groups. Where should you start?
If you're an IT professional or marketing director at a bank, you need confidence in the people you've hired to design and implement your website, along with a basic understanding of what a secure website actually requires.
We've assembled a rundown of website security fundamentals so you can walk into your next website planning meeting feeling secure that you'll be able to hold your own.
Ready to do a full audit of your website? Click to download our free website audit kit for banks and credit unions here.
Sanitize Your Input
One major issue that developers face is handling user input. User input is required for your website, and it can come from any number of sources: forms, URL parameters, cookies, file uploads. Most of it is benign, but some of it will be crafted by an attacker probing your system, and the server has to treat every byte of it as untrusted. Three common attacks result from failing to validate input and to handle it safely at the point where it is used.
Cross-site scripting (XSS) — This occurs when an attacker gets a legitimate website to echo script into one of its pages, either by storing it (in a comment or a profile field) or by reflecting it back from a request. The script then runs in other visitors' browsers with the privileges of your site, so it can read their session cookies, capture what they type, or act on their behalf. Neither the visitor nor the site owner sees anything unusual, which is what makes it dangerous. The fix is to encode user-supplied data for the context it lands in (HTML body, attribute, JavaScript, URL) and to set a restrictive Content-Security-Policy header as a backstop.
Remote File Inclusion (RFI) — An RFI attack occurs when a page builds the path or URL of a file to include from a request parameter, and an attacker points it at a file they control, so the server fetches and executes their code. It's a rudimentary attack, mostly a problem of older PHP applications, but where it works it hands over the whole server. Never build include paths from user input; map the parameter onto a fixed allowlist of pages instead.
SQL Injection Attack — Structured Query Language, or SQL, is the language used by the relational databases behind most web applications and content management systems. In a SQL injection attack, the attacker finds a page that pastes user input into the text of a SQL statement and supplies input that changes the statement's meaning, so the database runs the attacker's query instead of yours: reading other customers' records, altering data, or in some configurations running commands on the server. The fix is parameterized queries (prepared statements), in which the value travels to the database separately from the statement and can never be parsed as SQL.
Beyond these three, almost every class of web vulnerability starts with input the server trusted too much. Validate on the server (client-side checks are a convenience, not a control), prefer allowlists of what is acceptable over blocklists of what is bad, and encode or parameterize the data at every point where it is used.
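As an added illustration (editor-supplied example code, not from the original article or from any particular CMS), the following Python puts the vulnerable form of each of the three problems beside its hardened form. The in-memory SQLite table, the member names and the page allowlist are all constructed for the example; the function names are hypothetical.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory members table standing in for a
    credit union's database. Nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, ssn_last4) VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678"), ("carol", "9012")],
    )
    return conn


# --- SQL injection -----------------------------------------------------------

def lookup_unsafe(conn, username):
    """VULNERABLE: the request parameter is pasted into the SQL text, so the
    input  ' OR '1'='1  turns a one-row lookup into a dump of the whole table."""
    sql = f"SELECT username, ssn_last4 FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """HARDENED: a parameterized query. The driver sends the value separately
    from the statement, so it can only ever be compared, never parsed as SQL."""
    sql = "SELECT username, ssn_last4 FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Cross-site scripting ----------------------------------------------------

def render_greeting_unsafe(display_name):
    """VULNERABLE: raw input lands in HTML, so a name containing <script> runs
    in every browser that renders this page."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name):
    """HARDENED: encode for the HTML context. The browser shows the characters
    literally instead of treating them as markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# --- Remote file inclusion ---------------------------------------------------

# Hypothetical page names for the example; a real site would list its own.
ALLOWED_PAGES = {
    "home": "pages/home.html",
    "rates": "pages/rates.html",
    "contact": "pages/contact.html",
}


def resolve_page(page_param):
    """HARDENED: never build an include path from the request. The parameter is
    a key into a fixed allowlist; anything else (a remote URL, '../../etc/passwd')
    resolves to None and the caller answers with a 404."""
    return ALLOWED_PAGES.get(page_param)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))  # every member's row
    print("safe:  ", lookup_safe(db, payload))    # no such username
    xss = "<script>alert(document.cookie)</script>"
    print(render_greeting_unsafe(xss))
    print(render_greeting_safe(xss))
    print(resolve_page("rates"), resolve_page("http://attacker.example/shell.txt"))
```

The point of `lookup_safe` is not that the quote is escaped; it is that the value never becomes part of the statement text at all, so no quoting trick can change what the query does.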
Install an SSL Certificate
Secure Sockets Layer, or SSL (today's versions of the protocol are called TLS, but the old name stuck), encrypts the traffic between the user's browser and your server so that it can't be read or altered by anyone in between. If your site is served over plain HTTP, every network hop between the user and your server, from the coffee-shop Wi-Fi to the ISP, can read whatever the user submits, including personally identifiable information, or PII. To protect that data you must obtain a certificate, install it, and serve the whole site over HTTPS.
Where do you acquire a certificate? From a certificate authority (CA), of course. There are a number of certificate authorities, so do your homework before you sign anything to be sure it's the right fit. One option is Let's Encrypt, a free CA we've used for websites before. It issues domain-validated certificates that browsers trust just like paid ones, and issuance is automated, so its short-lived certificates renew themselves. It's a great service, and did we mention that it's free?
Once you've chosen a CA, it will verify that you control the domain (and, for organization- or extended-validation certificates, that your institution is who it says it is) before issuing the digital certificate. CAs are routinely audited against industry baseline requirements and must prove they follow their own verification procedures, which is why browsers trust the certificates they issue.
When a valid certificate is installed and the site is served over HTTPS, the browser shows a padlock in the address bar (older browsers drew it green). Here's ours:
If you're using a site that does not show that padlock, think twice before offering up any kind of sensitive personal information. The reverse is not a guarantee, though: the padlock means only that the connection to that domain is encrypted, and phishing sites obtain certificates too, so check that the domain itself is the one you expect.
How can you be sure your TLS configuration is up to snuff? This website will do an in-depth analysis of your server's certificate chain, supported protocol versions and cipher suites, and flag known weaknesses. We checked our website, and we're pretty proud of our result:
HTTP Strict Transport Security
In addition to maintaining your certificate, you should enable HSTS, aka HTTP Strict Transport Security. HSTS is a response header (Strict-Transport-Security) that tells the browser to reach your site only over HTTPS for a stated period: it rewrites any http:// link to https:// before the request leaves the machine, and it refuses to let the user click through a certificate warning.
A plain HTTP connection is exposed to "man-in-the-middle" attacks such as SSL stripping, in which an attacker on the path intercepts the user's first http:// request and keeps the session on HTTP while quietly proxying to your HTTPS site, reading everything in between. A redirect from HTTP to HTTPS on its own doesn't stop this, because the redirect itself travels over HTTP and the attacker simply swallows it. HSTS closes the gap for every visit after the first, and submitting your domain to the browsers' preload list closes it for the first visit too.
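To make the mechanism concrete, here is an added example (editor-supplied Python, not code from the original article) with two parts: a checker that audits a Strict-Transport-Security header value against the usual deployment target, and a deliberately simplified model of the browser's HSTS store that shows why the first plain-HTTP visit is still exposed and later ones are not. The header values and the hostnames under `.test` are constructed for the example; explicit ports in URLs are not modelled.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 3600

# Constructed header values (not captured from any real site).
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=63072000; includeSubDomains; preload"


def parse_hsts(value):
    """Split 'max-age=...; includeSubDomains; preload' into a dict. Directive
    names are case-insensitive; valueless directives map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(value):
    """Audit a header against the usual target (>= 1 year, includeSubDomains,
    preload). Returns a list of findings; an empty list means it looks good."""
    d = parse_hsts(value)
    age = d.get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        return ["max-age missing or not a number: browsers ignore the header"]
    findings = []
    if int(age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(age) < ONE_YEAR:
        findings.append(f"max-age {age}s is below the one-year target")
    if "includesubdomains" not in d:
        findings.append("missing includeSubDomains: subdomains stay reachable over http")
    if "preload" not in d:
        findings.append("missing preload: the first visit is unprotected until preloaded")
    return findings


class HstsCache:
    """Simplified model of a browser's HSTS store (RFC 6797 semantics, minus
    ports). Nothing is upgraded until the header has been seen once over a
    valid HTTPS connection, which is exactly the window SSL stripping needs."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host, header):
        """Call only for responses received over valid HTTPS; browsers ignore
        the header on plain-HTTP responses."""
        d = parse_hsts(header)
        age = d.get("max-age")
        if not isinstance(age, str) or not age.isdigit():
            return  # invalid header: ignored, as a browser would
        if int(age) == 0:
            self.hosts.pop(host, None)  # max-age=0 revokes the policy
            return
        self.hosts[host] = (self.now() + int(age), "includesubdomains" in d)

    def upgrade(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    print(check_hsts(WEAK_HSTS))
    cache = HstsCache()
    print(cache.upgrade("http://www.example-cu.test/login"))  # first visit: not upgraded
    cache.remember("example-cu.test", STRONG_HSTS)
    print(cache.upgrade("http://www.example-cu.test/login"))  # now upgraded
```

Run `check_hsts` against what your server actually sends, not against what the configuration file says; a proxy or CDN in front of the origin can strip or rewrite the header.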
Take Care of Your Data
There's almost nothing more dangerous to your users' security than asking for a great deal of sensitive personally identifiable information (PII) and storing it in an unencrypted database. If you require a client's date of birth, Social Security number, and credit card number, and you just plop them into a database to use later, it's an invitation to have their information stolen: one SQL injection or one leaked backup exposes all of it at once.
PII goes beyond the obvious identifiers hackers crave; it's any information that can be used to identify you, alone or in combination. Your mother's maiden name, where you went to high school, your place of birth, and any employment or medical information that can be linked to you are all valuable to attackers, not least because they are exactly the "security questions" other institutions rely on, and they should be protected.
It's often said that there are no laws pertaining to PII, and for many industries the protection is indeed patchy, but that is not the case for banks and credit unions. The Gramm-Leach-Bliley Act requires financial institutions to safeguard customer information, card numbers are covered by the PCI DSS standard you agree to with your card brands, and every U.S. state now has a breach-notification law that applies to anyone holding its residents' personal data. The health care industry has the Health Insurance Portability and Accountability Act, or HIPAA, but that covers only health information and does not reach other industries. Outside those regimes, a company can still take your information over an unprotected connection and keep it in an unencrypted database with little legal consequence, so treat the law as a floor, not a design.
The truth is that every time you store PII, someone out there is trying to get at it. The only truly secure store is one that nothing can read, which is no use to you. So if you must hold your clients' PII, collect only what you need, encrypt what you keep (with keys held apart from the data), limit which people and which systems can read it, and destroy it as soon as the business reason for holding it ends.
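One concrete way to follow that advice for the commonest case, a Social Security number collected during an application, is shown below as an added example (editor-supplied Python, not the article's or any vendor's code). It stores a keyed one-way token and the last four digits instead of the number itself, looks applicants up by recomputing the token, and enforces a retention deadline. The in-memory table, the applicants, the 30-day policy and the function names are all constructed for the example; the key is generated on the spot here, whereas in production it would come from a KMS or HSM. This fits when you need to match an SSN you are shown again but never need to read it back; if the business genuinely needs the full number later, that calls for field-level encryption with a KMS-managed key rather than a hash.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed secret for the example. In production the key comes from a KMS or
# HSM and is never stored next to the database it protects.
PEPPER = secrets.token_bytes(32)

RETENTION_SECONDS = 30 * 24 * 3600  # hypothetical policy: 30 days after intake


def normalize_ssn(ssn):
    """Keep only the digits; refuse anything that is not a 9-digit SSN."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return digits


def pseudonymize_ssn(ssn, key=PEPPER):
    """One-way keyed token (HMAC-SHA256) that answers 'have we seen this SSN?'
    without storing it. A plain hash would not do: there are only a billion
    possible SSNs, so an unkeyed hash is brute-forced in minutes; the secret
    key is what stops that."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def open_store():
    """Constructed in-memory table. Note what is NOT in it: the SSN itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants ("
        " id INTEGER PRIMARY KEY, name TEXT, ssn_token TEXT, ssn_last4 TEXT,"
        " created_at INTEGER)"
    )
    return conn


def store_applicant(conn, name, ssn, now=None):
    """Store the minimum: a lookup token and the last four digits for display."""
    now = int(time.time()) if now is None else now
    digits = normalize_ssn(ssn)
    conn.execute(
        "INSERT INTO applicants (name, ssn_token, ssn_last4, created_at)"
        " VALUES (?, ?, ?, ?)",
        (name, pseudonymize_ssn(digits), digits[-4:], now),
    )
    conn.commit()


def find_by_ssn(conn, ssn):
    """Lookup works by recomputing the token from the caller's input."""
    return conn.execute(
        "SELECT name FROM applicants WHERE ssn_token = ?", (pseudonymize_ssn(ssn),)
    ).fetchall()


def purge_expired(conn, now=None):
    """Retention enforcement: delete rows older than the policy and report how
    many went. Run this on a schedule, not when someone remembers."""
    now = int(time.time()) if now is None else now
    cur = conn.execute(
        "DELETE FROM applicants WHERE created_at < ?", (now - RETENTION_SECONDS,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_store()
    store_applicant(db, "Alice Example", "123-45-6789")
    print(find_by_ssn(db, "123456789"))
    print(db.execute("SELECT ssn_token, ssn_last4 FROM applicants").fetchall())
    print("purged:", purge_expired(db, now=int(time.time()) + RETENTION_SECONDS + 1))
```

Two things to notice: the database never contains the nine digits, so a dumped table yields tokens that are useless without the key, and the purge is a query you can run from a scheduled job rather than a policy that depends on someone remembering.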
Protect Your Passwords
You've probably heard that you should never share your password with anyone, but there are times when sharing a password (or twelve) is unavoidable, particularly when the site in question is pertinent to multiple people in your agency. What can you do to keep a password as safe as possible, even though multiple people have access to it?
Many sites require a crazy combination of upper- and lowercase letters, numbers, and special symbols, which basically guarantees that no one will remember it. Some agencies use password managers such as LastPass or Dashlane so that people stop jotting passwords down on a slip of paper or, even worse, leaving them unprotected in the browser of a shared computer. A manager also solves the sharing problem properly: each person gets their own login, protected by two-factor authentication, to a shared vault, so one person's access can be revoked without resetting the password for everyone. (Check here for some ideas for maintaining password security as an agency.)
One way to make a password both strong and memorable is a passphrase: several words in a row instead of a string of nonsense. Against brute-force guessing, length counts for more than symbol variety, so a long passphrase like "neverforgetthislongphrase" resists guessing well while being far easier to type correctly than a short jumble like "oisnp9e8&*wbe!". Two caveats: choose the words at random rather than as a sentence, because cracking tools try common phrases and quotations long before they try random characters, and never type a real production password into a third-party website; use a checker such as howsecureismypassword.net only with made-up passwords of the same style. We checked one of our passwords, and we're sure we're safe:
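The difference between "long" and "strong" is worth seeing in numbers. The following added example (editor-supplied Python, not from the article or any password checker) generates passphrases and random passwords with the `secrets` module and works out how much guessing each style costs an attacker who knows how it was generated. The word list is a constructed stand-in; a real Diceware-style list has 7776 words, and the function names and the 5-word/14-character comparison are the editor's choices.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list. A Diceware-style list has 7776
# entries; this one is only long enough to show the mechanics.
SAMPLE_WORDS = [
    "anchor", "bramble", "cobalt", "drizzle", "ember", "fjord", "gravel",
    "harbor", "iris", "juniper", "kettle", "lantern", "marble", "nutmeg",
    "orchid", "pebble",
]
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices, length):
    """Bits of guessing work for `length` independent picks from `choices`
    options. This is what matters against brute force; it says nothing about a
    phrase the attacker can pull from a dictionary of sentences and quotations."""
    return length * math.log2(choices)


def words_to_match(char_len, alphabet_size=len(PRINTABLE), wordlist_size=DICEWARE_SIZE):
    """How many random words from a wordlist match a random character password
    of the given length? Rounded up, so the phrase is at least as strong."""
    target = entropy_bits(alphabet_size, char_len)
    return math.ceil(target / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words, sep="-"):
    """Random words joined with a separator. `secrets` is the CSPRNG; the
    `random` module is not suitable for credentials."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length, alphabet=PRINTABLE):
    """Random character password of the kind most sites insist on."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(phrase_words=5, password_chars=14):
    """Entropy of the article's two styles, assuming the phrase's words were
    drawn at random from a 7776-word list. Returns (phrase_bits, password_bits)."""
    return (
        entropy_bits(DICEWARE_SIZE, phrase_words),
        entropy_bits(len(PRINTABLE), password_chars),
    )


if __name__ == "__main__":
    phrase_bits, password_bits = compare()
    print(f"5 random words:        {phrase_bits:.1f} bits")
    print(f"14 random characters:  {password_bits:.1f} bits")
    print(f"words needed to match: {words_to_match(14)}")
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print(generate_password(14))
```

The numbers explain the checker's verdict: a character-only checker credits the 25 lowercase letters of "neverforgetthislongphrase" with `entropy_bits(26, 25)`, about 117 bits, whereas an attacker guessing random words sees five of them, about 65 bits, and far fewer if the words form an English sentence. Eight random Diceware words match a 14-character random password, and they are still easier to type.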
Keep Everything Updated
Keeping your software and licenses on the latest version may be a time-consuming task, but these updates are vital to maintaining your website's security. Does your IT team, website team, or marketing agency stay on top of it?
Often, updates to your website's CMS, its plugins and themes, and the server software underneath exist specifically to close a vulnerability that attackers are already exploiting. As soon as a patch is published, attackers compare it with the old version to work out the flaw, and automated scanners start hunting for sites that haven't applied it.
"But I update at least once a month," you protest. That's not frequent enough for security fixes. Exploitation of a freshly disclosed CMS or plugin vulnerability often begins within days, so subscribe to your vendors' security advisories, apply security patches as soon as they're released (on a staging copy first if the site is complex), and keep a current inventory of every plugin and theme so you know what needs patching. Routine feature updates can wait for a monthly window; security patches can't.
If you're feeling a little overwhelmed, that's understandable. Your website's security is a big job—that's why you hire an experienced website agency who understands the particular security challenges your bank or credit union faces. If you've got questions, or you need help planning and creating your website, we're here to help.