How to Protect Your Credit Union from Security Breaches and Fraud
Security and Risk Management continue to be the two hottest topics in the financial services industry today--for good reason. Fraud is at an all-time high. Security breaches occur, regardless of the measures and safeguards put in place. The nature of the fraudulent activity is moving from interruption of service to organized crime. While credit union members want assurances that their money and personal information are safe, credit union employees seek security measures that are easy to implement and monitor daily. Is there a way to strike a balance between security and convenience? What are the best tools, processes and systems to put in place at your credit union to combat this ever-present threat?
The fact is there are no "silver bullets." Like a second lock on your front door or a steering wheel lock on your car, security is a deterrent--designed to slow the fraudsters down or entice them to look elsewhere. But with today's more sophisticated, more aggressive threats, it's important to review your credit union's overall security with your provider every six months or less to re-assess your risk. Your security plan must be as agile as your potential attacker to keep your credit union and your members as safe as possible.
Once is Not Enough
Many applications today rely on one password or PIN to verify the identity of the member using the service. However, the Federal Financial Institutions Council, in its guidance "Authentication in an Internet Banking Environment," advises that single-factor authentication alone is inadequate for high-risk transactions, including access to customer information and funds transfers.
The best multi-factor authentication solutions build upon the security you already have at your credit union, like PINs, and add additional layers of security. These layers could range from something as simple as additional security questions or a second pass phrase to more complex biometrics, including fingerprints, retina scans and face scans. The key is working with your core solution provider and internal risk management personnel to match an authentication strategy against the risks associated with the access being granted as a result of that authentication process.
Keep Things Personal
Hackers spend months replicating keystrokes and creating new ways to access your members' nonpublic information (NPI)--like name and Social Security number--as it travels through your system and Internet banking site. To protect your members, your credit union should replace home-page logins with a button that links your members to a Web site protected by Secure Sockets Layer, or SSL, technology. This technology encrypts data as it's transported from the Web server to the Web browser to protect both the account information and the authentication process. Basically, encryption turns meaningful data into unusable gibberish or cipher text, requiring keys to turn the encrypted data back to its original form. Your provider should use encryption to protect not only data in flight, but also the NPI in your database files and backups. It's also important to look inside your credit union, taking the time to identify which employees truly need and should have access to your members' personal information--and set up passwords and authorization rules to protect your members from the inside out.
Make Your Members Aware
Moving your login and taking advantage of SSL can also help to protect against a type of fraud called social engineering, a collection of techniques used to con your members into divulging their personal information. Some of the more common types of social engineering are phishing and pharming, where the predator convinces your members to link to a counterfeit site and then captures their credentials for later use. For example, your member could receive an email that looks like your email template, directing them to click on a link to update account information or some other ploy that may sound like a valid request. When the member gets to the site, he fills out a form as directed, and has just become a victim. Other hackers use domain name spoofing, which occurs when a member receives an email containing a virus that alters the host file on his computer, or when the Internet service provider alters the record for a domain. When your member opens his browser and types in the name of your credit union or other financial site, he's redirected to a fake site that mimics the original. This site collects the member's user ID and password to gain access to their accounts.
Although SSL technology authenticates the server to provide your members with a layer of protection, and incident reports decrease your exposure, the best way to guard your members from social engineering threats is through education. Create awareness programs that are tailored to your specific membership base--explaining the threats, your security measures and authentication processes, and precautions they should take to protect themselves and their personal information. Make security a feature in your newsletter, and put more information on your Web site. Place a special focus on reaching out to your older members, as they are often the victims of fraud.
Finally, work with your provider for solutions that detect and prevent fraud as close to the time of presentation as possible--including signature and check stock validation. A new technology is now available that attaches security features on checks from the time they are printed through their lifecycles. This process involves placing an imaging-survivable bar code on the check during printing that provides an encrypted, unbreakable version of the member's signature and other aspects of the check. When that check is processed--either electronically or physically--the item can be validated, significantly reducing fraud and operating risk.
Although no one can change human behavior or completely eradicate the possibility of fraud and security breaches, you can fight back. Work with your provider to take advantage of the technology at hand, keep a vigilant eye on internal controls and provide your members with the information they need to be part of the prevention effort. Although no solution is ironclad, you can make your credit union--and your members--safer.