When you sign in to an online service, such as your email, online banking, Facebook, or Flickr, the website gives your computer a session cookie. Generally, the login page is secured behind an SSL certificate, meaning that the traffic is encrypted and can’t be deciphered. However, as is the case with Facebook and Flickr, once you’ve logged into the service, you browse the site over regular HTTP that is not encrypted. Firesheep is an extension for Firefox that sniffs internet  traffic on a network and finds cookies from websites like Facebook. Since these cookies aren’t encrypted and you are browsing Facebook without any security, these cookies can easily be copied and a person identity can be spoofed very easily. Firesheep makes this as easy as installing the plugin and click a button. It sits there and gathers all of the cookie traffic across a network and present you with the results, let you click on more button and logging into the Facebook account of someone.

Where Firesheep is incredibly scary is on unsecured wireless networks. Think Starbucks, McDonalds, and hotels. Now think about how many credit union employees use services like that when they travel. I’ve used an unencrypted wifi network every week this month where someone could have logged into my Facebook account, done whatever they wished, and I never would have been the wiser until a friend called me and asked if I really wanted $1000 wired to Western Union in the Netherlands.

Credit unions need to realize a few key things:

1. With this issue, unencrypted wifi isn’t the devil. It is the websites that your users visit that don’t have end to end security (SSL).
2. Your employees are going to use free wifi with the corporate assets, whether you like it or not.
3. You need to have the tools in place to minize the risk of this happening to your CEO.

So how can credit unoions, their employees, and regular users prevent issues like this?

• Your credit union probably already has VPN access. Force your remote users to VPN back to the CU to go out the to internet. While traffic could still get intercepted once it leaves the credit union, it makes it much more challenging.
• Make 100% sure that all of the assets in online banking, including images and remote scripts, are all behind an SSL.
• Put your entire member facing website behind an SSL. An extended validation SSL is all the better.
• Avoid using unencrypted wifi access points at all costs.
• Educated your staff on the security issues with unencrypted wifi and the appropraite use of strong passwords.

Banning the use of wifi, Facebook, or whatever else isn’t the solution here. The best way to solve these issues is to educate your employees or users so they understand the ramifications of using insecure technology.

Corporate credit unions are quite the unpopular kid at prom these days. With fresh allegations of fraud from senior executives at some corporates, dismal investment portfolios, and lackluster capital positions, corporates are riding a wave of negative publicity. With massive changes to their business model on the horizon and the threat of further regulation, corporates face the same dilemma that the 8-track cassette tape faced:  obsolescence.

Unlike 8-track, the popular audio cassette technology from the 1960s and 1970s, the corporate credit union system has not been short lived. However, forces are changing the marketplace, arguably making corporate credit unions much less relevant. In its January 2009 ANPR, the NCUA suggests making changes to nearly every key component of a corporate credit union’s business model including payment systems, liquidity management, field of membership, investment authority, and capital structure.

Progressive corporates have seen the writing on the wall and have launched new internal programs in preparation for the NCUA’s upcoming systemic alterations.  CU Business Group represents a great example of this concept. A CUSO owned by eight corporate credit unions, CUBG provides mainly business services related items such as loan origination, servicing, and SBA lending. The CUSO model has been quite appealing to corporates lately as a way to branch out and diversify some of their services and revenue.  Many corporates are beginning to get into the CUSO game such as Southeast and Georgia Central with Member Business Solutions and Missouri Corporate and the Missouri Credit Union Association with their CUSO, Heartland Business Services.

The CUSO structure provides a solution not only for corporates, but also for natural person credit unions looking to overcome some of the current issues with corporates. Nearly all services offered by a corporate credit union to its member credit unions are being offered through CUSOs. For example, Palmetto Cooperative Services of South Carolina offers item processing, statement processing, and printing and mailing services. Originally started as a League Service Corporation, Palmetto now boasts more than 400 clients across twenty states.

Investments have been a source of much anguish from the corporates, but many alternatives are provided through CUSOs as well. CUSOs such as MaPS Advisory Services offer complete replacements for portfolio management.  When asked why a credit union would choose a CUSO over a corporate for investment options, Kevin Cole, CFO of MaPS Credit Union and Manager of Client Relations for MaPS Advisory Services, had this to say: “MAS can provide credit unions with an alternative to investing funds in corporate certificates that does not require uninsured membership capital.  Rather than credit unions investing in corporate certificates and corporates investing in mortgage backed securities and other bonds, credit unions can directly own the securities with MAS managing the portfolio to a written investment policy statement developed specifically for the credit union.”

Card and ACH processing is another mainstay of corporate credit unions, but again, many options are available to credit unions of all sizes. PSCU, The Members group, and CO-OP are just a few of the CUSO card processors out there today.  PSCU has over 600 credit union owners and CO-OP has one of the largest ATM networks in the nation.

As practically every operating aspect of a corporate credit union is available from other providers, natural person credit unions will begin to look elsewhere for products and solutions. In today’s economy, credit unions are avoiding risk at all costs, and that includes any potential issues that may arise from utilizing a corporate credit union. Such risks might include changes related from mergers and acquisitions, key employee turn-over, or further capital calls.

While the more modern cassette tape replaced the 8-track in the 1980s, the outdated standard still had a leg up on the competition in sound quality. That advantage was very short lived and within a few years of being introduced, the cassette tape killed 8-track. Corporate credit unions are currently at the same turning point as the 8-track.  CUSO’s and other providers can deliver the exact same services and products to natural person credit unions that a corporate credit union can deliver. While corporates do maintain some slim advantages, they will be quick to deteriorate as the NCUA hands down new regulations in the future.

CUSOs represent a unique opportunity for the credit union industry. Corporate credit unions can capitalize on that opportunity by creating new CUSOs to deliver their existing products in a different format or by adding new business lines. These new business lines could contribute significantly to the bottom line of the corporate, helping to diversify revenue and decrease reliance on products with embedded risk.  Natural person credit unions can also leverage CUSOs to collaborate on new joint ventures to better serve themselves and other credit unions.

Time and time again, new technologies over take old. New businesses enter a market and crush existing competitors. The companies, and business models, that survive have a major skill at their disposal: their ability to confront change. The corporate credit union model is being challenged and if corporates are going to survive, they need to confront that fact and embrace all the tools available to them to ensure that they do not become the credit union equivalent of the 8-track.

Have a listen, it is hilarious!

Why do we have multi-factor authentication in online banking? To prevent unauthorized access, yes? What do you suppose would happen if somebody gained access to your domain registrar where your credit union’s domain was registered?

1. Bad guy downloads all of the html of your website
2. Bad guy posts the html of your website on a server he controls. It might not work fully, but it looks legit.
3. Bad guy logs into GoDaddy (again, just an example) and tells abcfcu.org to point to his server instead of your server.
4. Members visit the site controlled by bad guy who then steals all of their online banking credentials and whatever else he feels like collecting/asking for.
5. Oh, and while he’s at it, he’ll change where your CU’s email is pointed at and point it to his own email servers. That means he is now getting every single email sent to the credit union for every single employee.
6. And he might do it after hours. Members will have problems logging into online banking, but won’t be able to contact anyone. Email won’t be coming in, but probably won’t get noticed. He flips the switch right after the call center closes and changes everything back before you open.

Scary stuff to think about. Talk about a security catastrophe for your credit union. So what’s a CU employee to do?

First, follow normal security guidelines in regards to password management and computer security. Keep your anti-virus up-to-date. Use traffic monitoring and/or endpoint protection to disable any traffic outbound from your CU to a known bad guy website. Never, ever, ever write down a password. Etc, etc.

Secondly, pick the right registrar. Cheap is rarely the best. Picking on GoDaddy again, but you log into your account on their homepage which is not protected by an SSL. That means your username and password are sent as plain-text over the internet. Fail. So far only one domain registrar, name.com, has implemented mutli-factor authentication. And it is the cream of the crop as far as MFA goes. VeriSign’s Identity Protection, or VIP, works exactly like the RSA key fobs of yore do: an encrypted algorithm that cycles through a code every 30 seconds. In addition to your username and password being required to log into the site, name.com has the ability to require your VIP credential as well. These credentials can either be a physical key fob or can be downloaded to your iPhone or Blackberry if you’d rather not carry around yet another thing on your key chain.

Currently, name.com is the only domain registrar doing this type of multi-factor authentication. This doesn’t mean you should run out and change domain name providers, just that you need to be aware of the security risks. Some of the larger credit unions use DNS hosting companies rather than their registrar to handle DNS. Even these enterprise level services are vulnerable to comprise as Twitter can attest when their account a Dyn, a large DNS hosting company, was comprised and all of their traffic was redirected.

Credit unions are obsessed with security, but often, their obsessions are missed place. I’d be more concerned with a trojan virus getting on the network and implanting keyloggers on employee machines or this type of DNS redirection than I would with (gasp) CTR and SAR compliance. Sure, failing CTR/SAR compliance will cost you, but what will ultimately have a bigger impact on your members?

Do you know why most credit union CEO’s don’t blog and aren’t on Twitter? Because nothing important happens in the credit union blogosphere. Yeah, we all get to network, see what each other are doing, and maybe catch a pearl of wisdom here and there. But the bottom line is the important stuff, the game changing stuff, is never really talked about online. Changes to the member business lending cap. That’s a game changer. A partnership developed between FSCC, CUSC, PSCU, Fidelity, etc that enables all credit unions to become shared branches automatically. That’s a game changer.

I’ll bet we could fill an airplane with all the people in the credit union social media space. Literally. What would happen if that plane went down? Nothing. That’s right, nothing.  Now imagine filling that plane with the CEO’s of the credit union leagues, trade associations, CUSO’s, and credit unions. We would have a catastrophe. Innovation would be ground to a halt. The real partnerships and collaborations that were happening, albeit on a small scale, would cease.

Tim McAlpine recent wrote on the CUES blog about using social media to advanced your career. And he is 100% right. Social media can help to get your name out there. But we in the social media blogosphere need a greater goal than getting 500 twitter followers or blog subscribers. Trey Reeme and I recently had a conversation about this issue of social media being disconnected from the important things in the industry. Daily life at a credit union isn’t glamorous and fun. It is trying to find a way to help a teller do a process 1 minute faster. It is about finding a better checking product to match up with the maturity of your credit card portfolio. It is about patterning with neighborhood credit unions to form a multi-owned business CUSO to get around an individual credit union’s business lending cap because a.) business loans are profitable and b.) members need them.

If a flood was coming to the credit union industry, would you be invited onto Noah’s Ark to weather the storm? Right now, I wouldn’t be. And I’m not going to stop fighting for the credit union industry until I am.

In light of the poor economic and budgetary shape the city of New York is in, they are facing tax cuts to schools and the removal of programs. To help combat this shortfall of funds, and most likely for some good publicity, some strippers from Long Island are asking for a “pole” tax. Boiling down to a cover charge or door fee, stripping establishments would collect the fee with the specific purpose of sending that “tax” back to a local school. While entirely voluntary, the group of stripping advocates are lobbying to make this tax required by the state.

Sin taxes have existed for years on cigarettes, beer, liquor, tobacco, and the like while very few states have a stripping tax currently on the books. Some may call CRA a sin tax as well, forcing banks to reinvest, or pay a special tax depending on one’s point of view, into their local community. Seeing as credit union taxation is such a hot topic, what would happen if a CU stepped up and asked to be voluntarily taxed? A credit union could come out and say, “Because we care about our community so much, we’re going to pay a voluntary tax of 1% of our net income into the general school fund.” Would some CU’ers freak about calling it a tax rather than “community involvement”?

• All CUSC shared branches are now included in the database (~4000)
• All COOP ATM’s. Over 28,000 of them.
• In partnership with REAL Solutions, we’ve added a list of all credit unions with branches in schools.

What does this mean to you? Well, the shared branching data and the ATM data both have latitude and longitude included. You can make nearly any variety of map mash-up that you can think of. iPhone branch locator app? Check. Andriod app? Check. A branded ATM locator app for your CU? A walk in the park.

We’re working on even more data and hope to have every credit union branch location in the US sometime this quarter. In the mean time, we’re also creating some new “views” in the database because nobody knows that fs220.acct_010 is the field that contains the asset size of the credit union. Once we get a few of the views built, it will be much easier for people not intimately familiar with the data to do useful things with it.

As always, keep playing around with Numbers and let us know if you have any ideas or concerns!

As is usual with NACUSO, the caliber of people that this conference attracts is amazing. These are hands down, the most innovative and entrepreneurial people in the entire credit union industry. The things that people at the conference have been able to accomplish is amazing. Ongoing Operations of Hagerstown, Maryland, for example, won the 2010 CUSO of the Year award for their outstanding disaster recovery services. They have over 125 credit union clients and 20(ish) credit union owners in the actual CUSO demonstrating what real collaboration can accomplish.

The theme NACUSO has been driving home is collaboration and innovation throughout the whole week. The speakers have really brought home many of the concepts and done a great job talking about the good, and the bad, of collaboration and innovation.

Check out CU Times for for some more coverage from Michelle Samaad and don’t forget to check out the Twitter feed. Make sure to try and make it a point to attend next year. Who knows, maybe we’ll get a crash together for it…