Expansion into new areas like business services and new channels like P2P and mobile present new opportunities for credit unions and fraudsters alike.
Compounding the possible problems for technologists committed to fighting fraud are people problems inside the brick and firewalls of credit unions, who might knowingly or unknowingly help criminals do their deeds.
Inside jobs are nothing new, but the unwitting part is a growing concern, according to one industry participant, who said shrinking fee income and margins are tempting loan officers and others to engage in "risk-seeking behavior."
"There’s a shrunken pool of profitable, viable customers out there, so churn and avoiding turnover have become real keys," said Keir Breitenfeld, a product manager with Experian’s Decision Analytics team. "What we’ve been seeing since about the middle of last year is more risk-seeking behavior from both a fraud and credit perspective."
The credit crunch of the past couple years had made it "hard for even the fraudsters to get credit," Breitenfeld said, but he sees that now "we’re seeing more risk tolerance as the financial institutions understand they have to go into high-risk customer segments to win business."
That means Experian, which is in the business of providing fraud and risk analytics, recommends using strong risk-assessment tools to prevent a spike in fraud rates, "which really have held quite steady" the past few years, he said.
He said existing accounts are an area of particular concern because that’s where the money already is, and other industry players note that new communication channels–both transactional and social–could be opening the door.
"I know you hear this all the time, but education of your staff still remains vitally important," said Mary Landesman, a senior security researcher at networking giant Cisco. "One of the worst things that can happen to your credit union would be for a machine to get infected in-house. There are some very surreptitious malware that can scan your network and very quickly morph into a persistent threat and in some cases, a very finely tuned missile aimed at your enterprise."
Landesman, co-author of Cisco’s 2010 annual security report, noted that "getting scammed has been happening since communications were developed," and that social networks are raising the stakes electronically.
For instance, the LinkedIn professional networking site attracts a large amount of spam and scam, according to Cisco’s analysis, and then there’s Facebook.
"Promiscuous friending is a problem," Landesman said. "As person after person gets linked, a legitimate friend can give access to infiltrators who make their way deeper and deeper into their social networks, gathering personal information about a target for spear-phishing attacks against high-level people, for instance, at your credit union." People with access to Treasury accounts, for example, have become known targets for such attacks.
That’s the unwitting factor. Willing participants also are a problem, especially those who have access to the multiple, disparate channels of money movement in their organizations. "Organized crime rings, sometimes in collusion with insiders, are launching more complex attacks, resulting high-dollar fraud events and moving the money quickly offshore, where it’s much harder to recover the loss," said Karen Van Ness, a senior manager for product management at Oracle who focuses on compliance, money laundering and fraud in the financial services sector.
Van Ness said the need continues to grow for sophisticated solutions that scan the enterprise for anomalous transactions in any channel and correlate those with other events. "You then need to couple that with really robust case management that can handle such things as AML alerts and lead and information sharing," she said. "At a lot of our clients, we’ve seen situations that didn’t look like money laundering at first, but then the data was shared."
Sharing data is something that Don Jackson, director of threat intelligence at Dell SecureWorks, does daily in the global networks of companies like his and their clients that scan the globe for malware and the deeds of those who create them.
He agreed that the growing number of delivery channels is now increasing the threat of fraud. Bill pay applications, for instance, are typically sourced to third parties, and the growing mobile channel is creating a whole new field of opportunity, he said.
"People creating these sophisticated malware programs also have made their tools available on the black market and the fraudsters using them only have to concentrate on a few hosted applications like bill pay or checking account management," Jackson said. "And then there are the app stores where people are downloading mobile banking software. Credit unions and banks are pushing mobile banking and trusting it as a controlled environment but it could become uncontrolled very easily."
While companies like his continue to work to keep up or stay ahead of the fraudsters, Jackson said, he noted that Dell SecureWorks includes a large number of smaller financial institutions on its client list, and said that their growing use of the same channels and applications to serve a growing list of products and services as the big banks is further increasing their vulnerability to cyber fraud.
Van Ness at Oracle also noted the downstream flow of fraud. "We’re seeing some anecdotal evidence now that credit unions are no longer any safer than banks. Many of our client credit unions have very sophisticated business models with the same kinds of conveniences and channels that would let me go into there and get the same services I would from a bank. Those increased services increase vulnerability."