RSA, Epsilon Breaches Show Fraud Trends Pointing to Online and Mobile Channels
Fraud is inevitable for financial institutions, even when diligent precautions are taken. As Kelly Dowell, executive director of the Credit Union Information Security Professionals Association, puts it, "Even with all prevention mechanisms, accidents still happen."
Recent accidents include an attack on security giant RSA, which involved a possible compromise of its two-factor authentication system used by millions of end users, including credit union members, and a security breach at marketing firm Epsilon, in which millions of client customer names and email addresses were stolen.
The newest trends include the use of social media websites and mobile banking channels to commit fraud, said Andrew Jaquith, chief technology officer for Connecticut-based information security vendor Perimeter E-Security. Jaquith said credit union employees can put themselves at risk by exposing private information on social networking sites, and fraudsters can potentially access sensitive data that’s stored on mobile devices used for banking.
Dowell agrees that the Web is the hottest avenue used for attacks, stating that most fraud happens online, whether through a computer or mobile device. But he said he’s seen few changes in attack methods in recent years, noting that the Epsilon breach is "more of the same."
Jason Milletary, the technical director for malware analysis at information security provider Dell SecureWorks, said the two most threatening programs used to target credit unions are the ZeuS Trojan, which hackers employed in a theft of about $70 million from businesses’ bank accounts in 2010, and SpyEye, an attack kit that aims to obtain personal information such as credit card numbers from victims’ computers. Milletary said criminals use these programs to "target credit unions through their members."
While some breaches may be unavoidable, security experts say there is plenty credit unions can do to combat fraud. Jaquith said that to avoid hacks caused by employees’ actions, credit unions should use Web content filters on their workplace PCs to reduce exposure to dangerous websites. He added that if a breach can’t be prevented, credit unions should develop a plan to detect and eliminate infections as quickly as possible.
Dowell preaches education and diligence when it comes to fraud prevention. "Credit unions need to educate their employees about what types of fraud incidents are occurring and how to handle them if they occur," he said.
Milletary stressed the importance of forming partnerships with other credit unions to share information about fraud incidents and help one another handle the threats of malicious activity. He also recommended being aware of breaches that occur at other companies. "It’s important to understand that breaches outside your network can affect your security," he said.