Case Study: Credit Union Encrypts Data onto Secure USB Keys

How one financial company distributes secure information to its board of directors, many of whom work in an insecure environment

How can an organization secure information it distributes to its board of directors, many of whom work in insecure environments? For Austin Federal Credit Union in Austin, Texas, the answer was keychain USB drives, and in particular the CryptoStick, from Research Triangle Software Inc.

Like other portable USB flash drives, CryptoStick acts just like a small hard drive: users can plug it into an available USB port, it auto-mounts in most Windows operating systems, and users then access it like any other hard drive. This “USB stick” differs from most other USB drives, however, by including built-in encryption software to help secure the information in case the stick is lost or stolen.

“What got us into using them was, we have several board directors of the credit union who work for other employers, or who work in an insecure Internet environment, and to exchange the [board’s] business documents, from minutes to financial documents to other critical things, we needed a way to ensure security,” says Byron Warren, treasurer of Austin Federal Credit Union. Warren is also a board member. Today 15 executives and members of the board of directors use the USB keys.

Above all, “we did it for the security of our financial information,” he notes, since it includes clients’ Social Security and bank account numbers, plus internal marketing information. “By legal [requirements] and by ethics, we had to keep that very secure and between ourselves, or within the building,” he notes. With those factors in mind, “the CryptoStick and the encryption software included on it became a very easy way for us to [secure information], from a technical point of view, and also for the varied environments that our directors may be in.”

What makes it especially useful, he says, is what makes any USB keychain drive useful: it works on almost any PC. Most PCs these days sport at least a couple of USB ports, and every Windows operating system since Windows 98 auto-mounts a USB key as a hard drive, meaning users don’t have to download drivers (unless they’re on Windows 98 itself).

After plugging the CryptoStick USB drive into a USB port, a user then opens CryptoBuddy software, which is an executable file permanently stored on the drive. The software requires the user’s password, then gives access to the information stored on the drive. Users can also use the software to store and compress additional information, or even to maintain browser privacy, by using the drive to store the history, cache, and other records of Internet Explorer sessions.

Beyond simply storing and encrypting the board’s notes, however, the credit union has a more innovative application: using the secure USB keys to facilitate loans. “This fall, we are going to get some more sticks, to send [them] out to potential loan clients that are very remote from us, and save them travel time back and forth … for real estate transactions,” notes Warren. Given Austin traffic, he thinks less-remote users might also opt to use the USB key for sending forms and other required information back and forth to the bank.

So starting this fall, a deposit for the CryptoStick—equivalent to its purchase price—will be included in the loan-closing costs. By using it, customers will be able to deal with all aspects of the loan application remotely, and only appear at the credit union on the final day, to finalize the loan and sign relevant documents. After the close, if the client returns the USB key, their deposit is refunded. “We’ve tested it with processing of a large, complicated real estate loan,” and found it successful, says Warren. The client in question returned the stick and received the credit.

Though this approach is relatively simple, Warren says it’s exactly what the bank was looking for. “Instead of buying software and training, and getting permission—or not—this became a very fast entry into what we needed to do at the bank,” he says, with the added benefit of being relatively inexpensive, easy to install, and compatible with a range of operating systems.

In the past, the credit union needed to use an expensive, bonded courier to transport documents back and forth during the 30 days it typically took to finalize a loan. Now, it can just drop the USB drive, containing the relevant, encrypted loan documents, into the mail. The only prerequisite is a password, which the loan officer and client agree upon beforehand. Then if the client needs to submit additional documents, he or she can just mail the USB drive back to the bank.

“For what it’s designed to do, and for what it’s capable of doing, for ease of use, it works just fine. It’s not a really high-tech thing, but it’s not a really low-tech thing either,” says Warren.

On the more high-technology front, however, what would be nice for the future, he says, is if the stick could carry an entire operating system—such as Red Hat or Microsoft—able to get Internet access, which would make it ideal for business travelers. “So instead of lugging your laptop around, you carry a stick in your pocket,” he says. While the technology is available, he notes there would, of course, be licensing issues to work out. With that feature set—a highly portable USB flash drive with encryption carrying an Internet-enabled operating system—“then you’ve won the day.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.