Fraud is inevitable for financial institutions, even when diligent precautions are taken. As Kelly Dowell, executive director of the Credit Union Information Security Professionals Association, puts it, "Even with all prevention mechanisms, accidents still happen."
Recent accidents include an attack on security giant RSA, which involved a possible compromise of its two-factor authentication system used by millions of end users, including credit union members, and a security breach at marketing firm Epsilon, in which millions of client customer names and email addresses were stolen.
Some credit unions have even been the direct targets of fraudsters. In January, a security breach at the $15 billion Pentagon Federal Credit Union may have put its members at risk of identity theft, and in May 2010, the $889 million Los Angeles Fireman’s Credit Union announced that private member information may have been compromised.
While security experts say fraudsters’ techniques change as banking technology evolves, their end goal has always been the same: steal funds by getting a mass quantity of sensitive customer information such as account numbers. "As far as trends are concerned, whatever they are, the result is money leaving your account," Dowell said.
The newest trends include the use of social media websites and mobile banking channels to commit fraud, said Andrew Jaquith, chief technology officer for Connecticut-based information security vendor Perimeter E-Security. Jaquith said credit union employees can put themselves at risk by exposing private information on social networking sites, and fraudsters can potentially access sensitive data that’s stored on mobile devices used for banking.
Dowell agrees that the Web is the hottest avenue used for attacks, stating that most fraud happens online, whether through a computer or mobile device. But he said he’s seen few changes in attack methods in recent years, noting that the Epsilon breach is "more of the same."
"The trends are with corporate account hacking, manipulation of online banking and phishing," Dowell said. "The attack vectors are not really changing."
Online fraud trends aside, today’s two most prominent breaching methods used against credit unions have been around for a long time, Jaquith said. These are tricking credit union employees to reveal sensitive information and directly obtaining the information by hacking into a credit union’s website. "They’re either going to infect the employee, or go to the front door and rattle the locks," he said.
Jaquith said fraudsters commonly send employees emails in an attempt to trick them into giving out financial account information. Once the employee clicks on a seemingly safe link in the email, his or her PC can become infected. In fact, Jaquith said one in 10 of Perimeter E-Security’s banking clients report a monthly in-house infection. Sometimes, employees put sensitive information at risk without coercion from criminals. Dowell said he recently learned a bank employee knowingly sent out a customer’s loan application user name and password in the text of an email.
Dowell said fraudsters target bank customers and credit union members more often than banks and credit unions themselves, typically by way of malware. "The common channel is exploiting the end-user from their home PC," he said.
Credit unions face many of the same security breach threats as banks do, but Jaquith noted that CUs may have more to worry about given their smaller average size.
"Credit unions have smaller staffs, so their capabilities aren’t as advanced," he said. "They’re disproportionately vulnerable to attacks. It comes down to being a small organization with limited resources, staff and time."
Jason Milletary, the technical director for malware analysis at information security provider Dell SecureWorks, said the two most threatening programs used to target credit unions are ZeuS Trojan, which hackers employed in a theft of about $70 million from business’ bank accounts in 2010, and SpyEye, an attack kit that aims to obtain personal information such as credit card numbers from victims’ computers. Milletary said criminals use these programs to "target credit unions through their members."
While some breaches may be unavoidable, security experts say there is plenty credit unions can do to combat fraud. Jaquith said to avoid hacks due to action taken by employees, credit unions should use Web content filters on their workplace PCs to reduce exposure to dangerous websites. He added that if a breach can’t be prevented, credit unions should develop a plan to detect and eliminate infections as quickly as possible.
To prevent direct website hacks, Jaquith recommends credit unions utilize an SQL injection as a tool for exploiting security vulnerabilities and ensure that their websites are protected from the Open Web Application Security Project’s Top 10 web application weaknesses.
Mobile banking security breaches can be avoided by never allowing sensitive data to be stored on the mobile devices, and social media will pose less of a threat if credit unions educate their employees about exercising privacy.
Dowell preaches education and diligence when it comes to fraud prevention. "Credit unions need to educate their employees about what types of fraud incidents are occurring and how to handle them if they occur," he said.
Milletary stressed the importance of forming partnerships with other credit unions to share information about fraud incidents and help one another handle the threats of malicious activity. He also recommended being aware of breaches that occur at other companies. "It’s important to understand that breaches outside your network can affect your security," he said.
Dell SecureWorks offers a list of tips to clients that comprise the firm’s recommended "layered approach to security." Build firewalls around your network and Web applications, implement an IPS/IDS intrusion prevention system or intrusion detection system as well as a host IPS intrusion prevention system, utilize vulnerability scanning, implement 24/7 log monitoring and Web application and network scanning, use human intelligence to combat the latest threats and employ encrypted email.
The security services provider also suggests how to keep mobile banking devices from becoming an avenue for fraud. These tips include physically securing devices by way of disk encryption, using a VPN when connecting to the Internet via a mobile banking application, solving patching problems by having a single company maintain its software and requiring certificates to stave off fraudulent emails.
Jaquith concluded that the best way for credit unions to handle the security challenges posed by their small size is to place their security in the hands of a trusted third-party vendor. "My advice is that they work with a specialist firm that can take care of all that," he said.