BMI Federal Credit Union
Russian Hacker Update
The report describes the attacks as SQL injection (SQLi). SQL injection is a code injection technique, most often used to attack web applications. The attack inserts malicious SQL statements into a form field (e.g. username, password) for execution against the underlying database, exploiting a security vulnerability in the application. SQLi attacks are not new; they have existed since the late 1990s. Unfortunately, we continue to see reports like this one, reminding us that many web applications are still vulnerable to such attacks.
There are controls that can effectively diminish the risk of SQL injection, specifically validating user input. BMI FCU's new Online Banking system is built to validate all user input using Secure Access Codes. When we launched the new Online Banking system in May, we enhanced its security by adding Secure Access Codes, a new type of multi-factor authentication. Secure Access Codes strengthen the safeguards in place at login by adding steps to verify your identity. These enhancements benefit your security, and your day-to-day experience changes very little. Part of this identification process includes recognizing the computer you typically use to access Online Banking. This information, along with your normal login details, is incorporated into your online identity profile. Input that does not match the expected type, length or format is rejected, preventing unauthorized access to your accounts.
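The following is an added example, not BMI FCU's code: a login lookup built by string concatenation, beside a version that checks type, length and format and then binds the values as query parameters. The table, column names, username rule and sample input are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical allow-list rule: 3-20 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
# Constructed form input of the kind described above: SQL typed into a login field.
INJECTED = "alice' --"

def make_db():
    """Constructed sample data: one member row in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO members VALUES ('alice', 'hash-of-alice-password')")
    return db

def valid_username(value):
    """Reject input that does not match the expected type, length and format."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None

def lookup_vulnerable(db, username, pw_hash):
    """BEFORE: form input becomes part of the SQL text and can rewrite the query."""
    sql = ("SELECT username FROM members WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    return db.execute(sql).fetchall()

def lookup_hardened(db, username, pw_hash):
    """AFTER: validate first, then bind values so the database treats them as data."""
    if not valid_username(username) or not isinstance(pw_hash, str):
        return []
    sql = "SELECT username FROM members WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", lookup_vulnerable(db, "alice", "wrong"))
    print("vulnerable, injected input:", lookup_vulnerable(db, INJECTED, "wrong"))
    print("hardened, injected input:  ", lookup_hardened(db, INJECTED, "wrong"))
    print("hardened, correct login:   ",
          lookup_hardened(db, "alice", "hash-of-alice-password"))
```

In the concatenated version the injected input comments out the password check, so a row comes back without the right password; the hardened version rejects the same input at validation, and the bound parameters would keep it from being executed even if validation were bypassed.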
This particular incident again highlights the importance of enforcing strong authentication for banking applications, and shows why a username and password alone are simply not enough. BMI FCU is committed to protecting you from identity theft and fraud, and with our new Online Banking system we have incorporated the latest security enhancements to ensure we are always creating a secure Online Banking session for our members.
As a reminder, one of the easiest ways to provide some level of protection to yourself while online is to periodically change passwords.