How Gesa hardened its web applications to prevent client-side attacks

Gesa Credit Union partners with Tala Security to protect its web applications

Securing member data and online transactions should be a top priority for any financial institution. Andrew Chung, VP of Development and Analytics at Gesa, tells us how Gesa secured their websites and web applications against the growing threat of Magecart and other client-side attacks.

Background

Gesa Credit Union is Washington’s second largest credit union with over $4.6 billion in assets and is nearly 262,000 members strong. Gesa is a full-service financial institution that offers a complete array of consumer, mortgage, and business products and services. Headquartered in Richland, Washington, Gesa operates 27 branches across Washington and supports 12 student-operated high school branches. Gesa’s commitment to local communities includes support for Junior Achievement, the American Red Cross, annual youth scholarships, and free financial and educational resources available to members and the general public. For more information visit gesa.com.

Choosing the right solution

Security has always been ‘top of mind’ for us. We use many products that offer various layers of security, but to get visibility on each of the scripts that are injected in the browser on the client side, we needed a better solution. That is when we looked into Tala. Our criteria were threefold:

  • Keeping customer data safe from Magecart and other client-side attacks: Securing and maintaining full visibility into mission critical web applications is a primary focus for us. With the rising incidence of Magecart and Magecart-style attacks, every online transaction on the platform was at risk. In addition, our CIO wanted to enhance customer security and protect sensitive data from man-in-the-middle attacks, malware deployments, and website cloning.
  • Seamless online experience with no dip in performance: Our customers valued face-to-face interactions and moving them to a similar online experience was a challenge. We wanted new innovations like online video chat to provide a world class customer experience; it was vital that the chosen solution did not disrupt the customer experience or impact website performance.
  • Meeting regulations and guidelines from NCUA and DFI: Gesa is audited annually by its governing bodies (NCUA, DFI). Data security is always a major requirement for these audits and we wanted to make sure that we were compliant in all respects.

Why we chose to partner with Tala

Having evaluated a number of solutions that addressed Magecart, XSS and other threats, we quickly realized that each used different methods and some lacked coverage for a wide range of attacks such as first-party compromise, DOM-based cross-site scripting and advanced Magecart attacks. Some of the solutions were unable to operate effectively without significant degradation of website performance and user experience.

Following a vigorous evaluation process, Tala’s solution matched our requirements for both security and zero performance impact. We have experts in-house who know about developer best practices, like making sure we eliminate SQL injection risks, etc., but when it came to addressing the breadth of client-side security, we wanted to strategically partner and work with experts. Better still, as the only vendor that adopts a standards-based approach to solving client-side security, Tala was able to solve a long-standing issue for our security team, which had identified the importance of security standards and was seeking industry expertise to learn more and implement this approach.

Benefits and Business Impact

Currently, we have deployed Tala across four crucial web properties and realized benefits in a number of areas:

  1. Preventing Magecart and other client-side threats: Tala’s Active Protection mode provided protection against major threats such as XSS, SQL injection, code injection and Magecart. We were able to secure all the scripts running on the client side and obtain valuable insights that helped security teams with threat monitoring and incident response.
  2. Visibility into indicators of compromise: Tala has helped us increase awareness and insight into the code and applications running on our websites, and conduct periodic reviews with our internal application owners. It has been eye-opening to observe that so many previously unmonitored scripts could be used to conduct malicious activities.
  3. Partners in compliance: Reports generated by Tala have proved useful in demonstrating compliance to our governing bodies. Periodic reviews are conducted prior to every audit to make sure we take a proactive approach and stay compliant.
  4. Code Reviews: Our developers routinely use Tala prior to key releases to review code and ensure that there are no inherent risks that the web application might be susceptible to.
  5. Improved user experience: Our customer experience has improved significantly since Tala was deployed. The customer journey is free of disruptions and the web applications have registered almost zero impact to performance.

Conclusion

At Gesa, much like most credit unions, we take a holistic approach to serving our customers’ core business needs while keeping them and their data safe when they are online. We are constantly assessing the threat landscape and partnering with solution providers that help us meet our security standards as well as business objectives. Our client-side security implementation has hardened our web applications, improved our online user experience and most importantly, reinforced trust in our customer base.
