POODLE Returns – Credit Unions Exposed
It has been months since the POODLE vulnerability in SSL 3.0 was disclosed (in October 2014), and many credit unions and even large banks are still working out how to mitigate the risk. Now, as of December 8th, 2014, a new twist on POODLE reveals even more exposure: the same padding-oracle attack works against some TLS implementations that fail to check the padding bytes of CBC-mode records, so disabling SSL 3.0 alone is not enough on those systems. A cursory review using an SSL/TLS scanning tool indicates that the websites of some of the world’s largest financial institutions are vulnerable to the new POODLE bug, including Bank of America, Chase.com, Citibank, HSBC and Suntrust, as well as many credit unions across the nation. This is a serious risk.
First, if you are reading this as a CUdefender customer using our security services, you are already protected. There is still some background you may want to know.
What is POODLE?
POODLE (Padding Oracle On Downgraded Legacy Encryption, tracked as CVE-2014-3566) is a serious security flaw in a specific version (version 3.0) of Secure Sockets Layer (SSL), the 1996 predecessor of TLS, the technology that most websites use to protect the privacy and integrity of communications with customers. The flaw is in the protocol design itself: SSL 3.0 does not protect the padding bytes of CBC-mode records with its integrity check, so an attacker who can intercept and rewrite encrypted records can learn, one byte at a time, the contents of an encrypted request.
What systems could be affected?
Any browser-accessible system that still supports SSL 3.0 with CBC cipher suites is exposed to the original POODLE, even if it prefers TLS, because an active attacker can make a browser fall back from TLS to SSL 3.0. The December variant (CVE-2014-8730) additionally affects systems whose TLS implementation fails to check the CBC padding bytes even on TLS 1.x connections; this has been found mainly in certain load balancers and similar appliances rather than in common web server software, so the devices in front of your web servers need checking too.
What are the security consequences?
POODLE can lead to exposure of personal data such as email addresses, passwords, session cookies and credit card numbers, the very things SSL was designed to protect. Basically, any data sent over a vulnerable encrypted connection could be at risk. The practical caveat: the attacker must sit between the customer and the site (for example on a public Wi-Fi network) and must get the customer’s browser to send the same secret many times, typically by injecting JavaScript into a plain HTTP page the customer also visits. Each byte of the secret costs on average 256 requests, so the usual target is a session cookie, which is short and is sent with every request; with it the attacker can take over the customer’s logged-in session.
How can our credit union protect against POODLE?
According to an advisory from the U.S. Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, there is no fix for SSL 3.0 itself, since the weakness is in the protocol design; disabling SSL 3.0 support in web applications is the most viable solution currently available. US-CERT also notes that some of the same researchers who discovered POODLE developed a fix for the downgrade part of the problem: the TLS_FALLBACK_SCSV signalling cipher suite, with which an up-to-date browser tells the server that it is retrying with a lower protocol version, so that a server supporting the mechanism can refuse the downgrade. That protection applies only when both the browser and the server implement it, and it does nothing for the December variant, which requires a patch from the affected vendor.
Non-CUdefender users:
1. Scan your web endpoints with a good SSL/TLS scanning tool to find vulnerable systems (many free scanning tools exist). Check for both conditions: SSL 3.0 still enabled, and TLS padding not validated on the device terminating TLS.
2. Disable SSL 3.0 on every internet-facing system, including websites, webmail, remote access gateways, online account opening tools, etc. Where the scan reports the TLS variant, apply the vendor’s software or firmware update for that device, since disabling SSL 3.0 does not address it. Re-scan afterwards to confirm the fix took effect.
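As an added example (not CUdefender tooling and not part of the original post), the following Python script performs the SSL 3.0 half of step 1 by speaking SSL 3.0 on the wire itself: it hand-builds an SSL 3.0 ClientHello that offers only CBC cipher suites and classifies the first record the server sends back. Building the record by hand matters because current OpenSSL builds have SSLv3 compiled out, so `openssl s_client -ssl3` often cannot even attempt the handshake. The host name on the command line and the two sample server replies at the bottom are constructed for illustration.

```python
"""Check whether a server still accepts SSL 3.0 (the original POODLE condition).

Added example, not CUdefender tooling. The ClientHello is built by hand so the
probe works even where the local OpenSSL has SSLv3 compiled out."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"                       # SSL 3.0 version bytes on the wire
HANDSHAKE, ALERT = 0x16, 0x15             # record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02   # handshake message types

# Offer only CBC suites: POODLE needs the server to pick a CBC-mode cipher.
CBC_SUITES = {0x000A: "DES-CBC3-SHA", 0x002F: "AES128-SHA", 0x0035: "AES256-SHA"}


def build_client_hello(suites=tuple(CBC_SUITES)):
    """Return a raw SSL 3.0 ClientHello record offering only `suites`."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (SSLV3 + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs          # cipher suite list
            + b"\x01\x00")                             # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(hs)) + hs


def classify_response(data):
    """Interpret the first record a server returns for our SSL 3.0 ClientHello."""
    if len(data) < 5:
        return {"sslv3": False, "suite": None, "reason": "no reply (connection closed)"}
    rtype, ver = data[0], data[1:3]
    if rtype == ALERT:
        return {"sslv3": False, "suite": None, "reason": "alert: SSL 3.0 refused"}
    if rtype == HANDSHAKE and ver == SSLV3 and len(data) > 43 and data[5] == SERVER_HELLO:
        # ServerHello body: version(2) random(32) session_id_len(1) session_id(n) suite(2)
        sid_len = data[43]
        end = 44 + sid_len + 2
        if len(data) >= end:
            suite = struct.unpack("!H", data[end - 2:end])[0]
            name = CBC_SUITES.get(suite, "0x%04x" % suite)
            return {"sslv3": True, "suite": suite, "reason": "SSL 3.0 accepted with " + name}
    return {"sslv3": False, "suite": None, "reason": "unexpected record 0x%02x" % rtype}


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to host:port and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""                                 # silent close or reset: not accepted
    return classify_response(data)


# Constructed sample replies so the classifier can be exercised offline.
def _sample_server_hello(suite, session_id=b""):
    body = (SSLV3 + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(hs)) + hs


SAMPLE_ACCEPT = _sample_server_hello(0x002F, session_id=b"\xaa" * 8)   # vulnerable server
SAMPLE_ALERT = bytes([ALERT]) + SSLV3 + b"\x00\x02\x02\x28"            # fatal handshake_failure

if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 poodle_probe.py www.example-cu.org
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_response(SAMPLE_ACCEPT))
```

A result with `sslv3: True` and a CBC suite means step 2 applies to that host. For Apache the directive is `SSLProtocol all -SSLv2 -SSLv3`; for nginx it is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`. This probe only detects SSL 3.0 support; the December TLS variant needs a scanner that actively tests padding validation on TLS 1.x connections (the Qualys SSL Labs server test checks for it), and a clean result from this script says nothing about that condition.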
CUdefender users:
1. CUdefender has already removed support for the POODLE-vulnerable CBC cipher suites on protected endpoints, so CUdefender customers are not susceptible to the POODLE vulnerability on those endpoints.
For more information on how CUdefender can protect your credit union, please visit http://www.cudefender.com or contact us now at 888-632-4339.