Compliance Center: “Shellshock” Vulnerability Threatens Credit Union Systems

The Federal Financial Institutions Examination Council (FFIEC) has issued an alert to financial institutions regarding the material security vulnerability in the Bourne-Again Shell (Bash) system software that is widely used in servers and other computing devices. The vulnerability, nicknamed “Shellshock,” could expose organizations and individuals to potential fraud, financial loss or unauthorized access to confidential information.

The vulnerability potentially allows a remote attacker to run malware, or malicious code, on affected systems. Given the broad use of the Bash software tool, the vulnerability may be present in the computer systems of financial institutions, their members and customers, and those of their third-party providers. Attackers could use the vulnerability to access and take control of systems, leading to a range of operational risks. These risks may include the loss of confidentiality, integrity, and availability of sensitive customer information and confidential business data. Additionally, such access could facilitate data destruction, disruption of operations and fraud.

While vendors are working to patch and upset their systems, FFIEC member agencies expect financial institutions to conduct a risk assessment and address the Shellshock vulnerability as part of ongoing information security and incident response plans. FFIEC advices financial institutions to take the following steps, as appropriate:

  • Identify all servers, systems, and appliances that use vulnerable versions of Bash and follow appropriate patch management practices, including conducting a vulnerability scan to detect if the patch is installed and testing to ensure a secure and compatible configuration;
  • Apply mechanisms to filter malicious traffic to vulnerable services such as appropriate web application firewall signatures;
  • Monitor systems for malicious or anomalous activity and update signatures for intrusion detection and prevention systems;
  • Ensure that all third-party service providers are taking appropriate action to identify and mitigate risk and monitor the status of vendors’ efforts to address the vulnerability; and
  • Review systems to determine if this vulnerability has been exploited and, if necessary, conduct a forensic examination to determine the potential effects of any breach.

Financial institutions are encouraged to establish mechanisms for obtaining threat and vulnerability information, such as those available through the United States Computer Emergency Readiness Team (US-CERT) portal at or through the Financial Services Information Sharing and Analysis Center (FS-ISAC) at

Compliance Question of the Week

Does a power of attorney document have to be filed with the court or recorded with the county to be effective?

In most cases, no. The only circumstances where a power of attorney document needs to be filed is when it will be used to perform real estate transactions, in which case it needs to be recorded with the county. Filing the document with the court also allows for the member to get certified copies should they need those to satisfy the requirements of financial institutions or creditors.

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA released a statement regarding the DOD’s proposed update to the Military Lending Act, stating that the rule could impact credit to service members.

The NCUA released a statement regarding the risk-based capital rule, stating that the agency will request a new comment period and a revised proposed rule.

The NCUA issued their fall webinar schedule, which will include webinars on loan size and profitability, keys to lending, and internal controls.

Consumer Financial Protection Bureau (CFPB)

The CFPB announced that a Project Catalyst pilot has been launched to determine how effective early intervention credit counseling is for consumers who may default on their credit card debt.

The CFPB has released an updated Reverse Mortgage Guide.

CFPB Director Cordray delivered prepared remarks at the Announcement on Public Service and Student Debt.

Federal Reserve Board (FRB)

The September Record of Meeting for the Federal Advisory Council and Board of Governors is now available.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC issued an alert regarding the recent Shellshock vulnerability, urging financial institutions to address this problem.

U.S. Department of Defense (DOD)

The DOD announced that it is issuing a proposed regulation to update the Military Lending Act. The proposed rule aims to increase protections for active duty service members in consumer credit transactions. 

Financial Crimes Enforcement Network (FinCEN)

FinCEN issued an administrative ruling regarding the application of FinCEN Regulations to Currency Transporters, Including Armored Car Services and Exceptive Relief.

The Office of the Comptroller of the Currency (OCC)

The OCC issued a bulletin detailing the final rules and guidelines establishing minimum standards for a risk governance framework for large insured national banks, federal savings associations and insured branches of foreign banks.

The OCC released a Mortgage Metrics Report containing data for the Second Quarter of 2014 regarding mortgage lending.

Federal Trade Commission (FTC)

The FTC released a “bitcoin breakdown” which helps explain bitcoins to consumers.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of September 24, 2014. The last update prior to this was September 18, 2014. 

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News, Federal.