Protecting Credit Unions from Brute Force Attacks
Cyber security is at the forefront of every business, so credit unions need to be aware of cyber criminals as well as stronger, more frequent methods called brute force attacks. A brute force attack is a direct hacking method where cyber criminals attempt to gain unauthorized access to an account by using a computer program to cycle through various logins and passwords multiple times until they get in. This repetitive action is like an army attacking a fort, hence the name. The code to execute this attack doesn’t take much effort to create, as there are existing tools that submit thousands of passwords per second. If an account is breached, it can be used to shut down a credit union’s computer system or steal funds.
Identifying and Preventing Brute Force Attacks
Fortunately, credit unions can identify a brute force attack by looking through their Apache access log or Linux log files. A series of unsuccessful login attempts will be displayed. Credit unions can also take the following preventive measures to help strengthen their cyber security:
- Develop a strong password policy: The stronger the password, the tougher it is for brute force programs to break in. Employees’ passwords should contain at least eight characters consisting of numbers, uppercase and lowercase letters and special characters. Frequent password changes should be required.
- Check server logs: Administrators should monitor log files daily to ensure nothing suspicious shows up.
- Implement account lockouts: After several unsuccessful login attempts, an account lockout with progressive delays should be implemented. Having an account locked for a set amount of time helps disrupt the codes for automated brute force attacks.
- Use 2-Factor Authentication (2FA): Implementing 2FA helps reduce potential breaches of data by requiring more than just a password. Even if a brute force attack cracks the password, it would still need access to a smartphone or email a client.
- Require CAPTCHA: A short test to distinguish a human from a robot, CAPTCHA is a great way to render automated bots ineffective.
- Use a specified IP address: Limiting logins to a single, designated IP address or range adds an extra layer of security that is difficult for brute force attackers to get past.
Skilled brute force attackers can be persistent, so credit unions should continue to help protect their business by identifying and preventing cyber breaches in advance. ProSight also helps to protect credit unions with unique products and solutions customized for the credit union industry that go beyond traditional insurance coverage.
–Tammy Behnke, Program Executive for Credit Unions