The Point

Planning to Upgrade to TLS 1.3? Read This First

Apr  03 
Kristin Ford  Communications Manager, Fiserv 

Swift adoption is key to maintaining security

Don Jackson's 20-year career in cybersecurity has brought him up close and personal with hackers perpetrating increasingly complex attacks. He's watched those attacks evolve and understands their disastrous potential.

"It's not difficult to imagine how a criminal could develop something that snowballs into a crisis for the global economy," said Jackson, who is now a principal information security advisor with Fiserv. "That's not to mention the impact of smaller-scale attacks on individuals and businesses every day."

Jackson's mission, he said, is to defend against those attacks. He wants to ensure financial institutions are taking the right steps to protect themselves and their customers, and he said keeping up to date on Transport Layer Security  (TLS) is vital to that effort.

"TLS is essential for effective cybersecurity," Jackson said. "Even financial institutions with robust, layered security strategies could leave the door open to criminals if they continue to rely on older versions of TLS to protect the data being exchanged between systems ."

For example, even when the latest version of TLS is set as the default, a hacker could override those settings to connect through a more vulnerable version of TLS that has not yet been disabled. In fact, that risk led to an FDIC-mandated upgrade to TLS 1.2 in 2018, 10 years after it was first released.

What Is TLS?

Transport Layer Security is what puts the "s" for secure in "https." It powers the familiar green padlock before the URL in web browsers when we visit secure websites – including financial institution sites. By preventing anyone from seeing or tampering with the data being exchanged, it provides the foundation for secure digital banking and e-commerce. If TLS were to be broken, the risk to the world's economy would be enormous.

That version still is considered secure. However, TLS 1.2 was released in 2008, which means criminals have been chipping away at its defenses for more than a decade.

But there is a new version of TLS that has been tested, approved and made available for adoption. TLS 1.3 greatly simplifies configuration options to remove any alternatives that have been weakened by attacks – keeping only the strongest, most secure options. And perhaps best of all, there are currently no effective attacks against TLS 1.3 encryption.

Past Experience Slows Adoption

As a primary target for fraud schemes, financial institutions would be strong candidates to be first adopters of a new TLS version. But there have been delays, Jackson said, partially because many financial institutions still recall the difficulties they had adopting TLS 1.2.

"Because the mandate involved removing all previous versions of TLS," he said, "some financial institutions experienced compatibility issues with older software and browsers."

The upgrade to TLS 1.3, though, does not involve disabling previous versions, Jackson said, so there should be no compatibility problems.

"It's actually a pretty fast and easy change," he said. "All that's involved is simply switching out the code library, testing and then release."

All the best practices and lessons learned from the previous update apply to the TLS 1.3 switch, Jackson said. Adopting the new version now, when the process is still fresh in the minds of IT and operations teams, can help ensure a smooth update that minimizes risk and cost.

Winning the War on Latency

Not only does TLS 1.3 strengthen security, but the simplified connection options also help applications and servers communicate faster – minimizing latency. That added speed helps financial institutions achieve faster payments.

"A lot of data needs to move between systems before payments can be finalized," Jackson said. "When applications are communicating through TLS 1.3, the data exchange is inherently faster and more secure. There aren't as many security decisions being made in the background, eating up time."

Even financial institutions with robust, layered security strategies could leave the door open to criminals if they continue to rely on older versions of TLS to protect the data being exchanged between systems.

The simplified protocols are also ideal for API-based communication, which requires multiple fast connections. That puts financial institutions in a better position to pursue API-based banking initiatives, as well as future applications of artificial intelligence-based defenses.

There's One Consideration

Early adoption of TLS 1.3 by internet technology giants such as Google, Cloudflare and Apple has helped resolve bugs and pitfalls along the road to standardization. However, Jackson said, there's one optional feature that can unintentionally open security holes.

The feature, called "zero round trip time" (0-RTT) session resumption, is designed to store data from a session so it can resume nearly instantaneously using the same parameters. The option adds network speed. However, if an application is unaware 0-RTT is being used, attackers could carry out unauthorized actions.

For example, let's say a criminal captures the network traffic of someone paying $100 using an online banking application. If the application is unaware 0-RTT is being used, the attacker could play back the encrypted TLS data so the payment is made multiple times. Fortunately, 0-RTT is disabled by default.

If using the more secure default settings, in which 0-RTT is not enabled, there is every reason to adopt TLS 1.3 now, Jackson said. Financial institutions can better protect themselves and their customers while paving the road to faster payments and unique offerings through API-based banking.

"My hope," he said, "is to see all financial institutions make the upgrade without delay so everyone can start reaping the benefits and breathing a lot easier."

For additional perspectives on the hottest topics in financial services, learn more about Forum 2019 where we shared best practices, gained valuable insights and connected with the best and brightest in Fintech.