Hackers Can Exploit Trust in CU-Linked Channels
Credit unions and social media seem to be made for each other, which is both a good thing and maybe not so much.
The affinity that members feel for their credit union makes Facebook and Twitter natural channels for communicating with them, but it also creates a level of trust that hackers can exploit in ways that could have financial and regulatory consequences alike, an industry stakeholder says.
"Just a tweet to a member saying thanks for coming in today can be a compliance problem," said Sarah Carter, vice president at Actiance Inc. in Belmont, Calif. Perhaps worse, there have been documented instances, she says, of a credit union losing control of a Twitter password in a social engineering attack to hackers who then used it to send out spam porn with malicious links.
"Although no harm was done, besides a few surprised members being offered more than a great APR, the incident potentially damaged the reputation of the credit union," said Carter, whose company, until recently named FaceTime Communications, provides platforms that help credit unions and much larger organizations monitor communications across multiple network and social media channels.
Carter’s company recently put out a white paper, "Compliance Implications of Social Media: A Guide for NCUA Credit Unions." She said that while the NCUA has not to this point issued additional rules or guidelines on the use of social media, regulations already in existence make it pretty clear to her that they’re covered as electronic communications.
"Basically, we’re saying that regulations and guidelines that the NCUA has issued can be interpreted to include social networks because they don’t preclude social networks."
While Facebook and Twitter command the most attention, Carter also said that her company has "heard that a number of LinkedIn profiles are being audited at present. I’m not at liberty to say by who, but it’s a government agency."
She cited specific areas of concern that include retention of records, leaking personally identifiable information or account numbers, complying with disclosure terms and retaining records of communications.
That can be difficult, Carter said. For instance, Facebook doesn’t offer a way to archive members’ posts and also changes its user interface routinely. And Actiance found in a survey that 14% of the organizations it questioned experienced data leakage through social networks.
The channel is only going to continue to grow in popularity, and credit unions can expect to have to both use and protect it, with technology and staff education as their primary tools, Carter said. For instance, it's easy to find reports of staffers complaining about individual members or their job on Facebook, which may not be a fraud issue per se but can cause both compliance and reputational problems.
"They need to know not to do that and you need to be able to find out when they do," she said.
Carter also noted that a Callahan & Associates survey of 11,000 online credit union members found that 82% were using Facebook, and that was almost two years ago. About half of them said they would read their credit union’s Facebook page periodically and many of them expect their credit union to provide them with fraud alerts, special offers, financial tips and the like through Twitter.
That makes it tempting to tweet some offers, but regulations such as NCUA’s 707 rule require detailed descriptions of yields and terms and the like, "which would be pretty hard to do in 140 characters," Carter points out.
So while Twitter, Facebook and LinkedIn use may be appealing, if not mandatory, for individual and corporate reasons, Carter added this caveat: "The danger for credit unions is that without the right security, management and compliance controls in place, any benefit of its use can evaporate quicker than you can say 'federally insured.'"