Fraud is inevitable for financial institutions, even when diligent precautions are taken. As Kelly Dowell, executive director of the Credit Union Information Security Professionals Association, puts it, “Even with all prevention mechanisms, accidents still happen.”

Recent accidents include an attack on security giant RSA, which involved a possible compromise of its two-factor authentication system used by millions of end users, including credit union members, and a security breach at marketing firm Epsilon, in which millions of client customer names and email addresses were stolen.

Some credit unions have even been the direct targets of fraudsters. In January, a security breach at the $15 billion Pentagon Federal Credit Union may have put its members at risk of identity theft, and in May 2010, the $889 million Los Angeles Fireman's Credit Union announced that private member information may have been compromised.

While security experts say fraudsters' techniques change as banking technology evolves, their end goal has always been the same: steal funds by getting a mass quantity of sensitive customer information such as account numbers. “As far as trends are concerned, whatever they are, the result is money leaving your account,” Dowell said.

The newest trends include the use of social media websites and mobile banking channels to commit fraud, said Andrew Jaquith, chief technology officer for Connecticut-based information security vendor Perimeter E-Security. Jaquith said credit union employees can put themselves at risk by exposing private information on social networking sites, and fraudsters can potentially access sensitive data that's stored on mobile devices used for banking.

Dowell agrees that the Web is the hottest avenue used for attacks, stating that most fraud happens online, whether through a computer or mobile device. But he said he's seen few changes in attack methods in recent years, noting that the Epsilon breach is “more of the same.”

“The trends are with corporate account hacking, manipulation of online banking and phishing,” Dowell said. “The attack vectors are not really changing.”

Online fraud trends aside, today's two most prominent breaching methods used against credit unions have been around for a long time, Jaquith said. These are tricking credit union employees into revealing sensitive information and directly obtaining the information by hacking into a credit union's website. “They're either going to infect the employee, or go to the front door and rattle the locks,” he said.

Jaquith said fraudsters commonly send employees emails in an attempt to trick them into giving out financial account information. Once the employee clicks on a seemingly safe link in the email, his or her PC can become infected. In fact, Jaquith said one in 10 of Perimeter E-Security's banking clients report a monthly in-house infection. Sometimes, employees put sensitive information at risk without coercion from criminals. Dowell said he recently learned a bank employee knowingly sent out a customer's loan application user name and password in the text of an email.

Dowell said fraudsters target bank customers and credit union members more often than banks and credit unions themselves, typically by way of malware. “The common channel is exploiting the end-user from their home PC,” he said.

Credit unions face many of the same security breach threats as banks do, but Jaquith noted that CUs may have more to worry about given their smaller average size.

“Credit unions have smaller staffs, so their capabilities aren't as advanced,” he said. “They're disproportionately vulnerable to attacks. It comes down to being a small organization with limited resources, staff and time.”

Jason Milletary, the technical director for malware analysis at information security provider Dell SecureWorks, said the two most threatening programs used to target credit unions are the ZeuS Trojan, which hackers employed in a theft of about $70 million from businesses' bank accounts in 2010, and SpyEye, an attack kit that aims to obtain personal information such as credit card numbers from victims' computers. Milletary said criminals use these programs to “target credit unions through their members.”

While some breaches may be unavoidable, security experts say there is plenty credit unions can do to combat fraud. Jaquith said to avoid hacks due to action taken by employees, credit unions should use Web content filters on their workplace PCs to reduce exposure to dangerous websites. He added that if a breach can't be prevented, credit unions should develop a plan to detect and eliminate infections as quickly as possible.

To prevent direct website hacks, Jaquith recommends credit unions utilize an SQL injection as a tool for exploiting security vulnerabilities and ensure that their websites are protected from the Open Web Application Security Project's Top 10 web application weaknesses.

Mobile banking security breaches can be avoided by never allowing sensitive data to be stored on the mobile devices, and social media will pose less of a threat if credit unions educate their employees about exercising privacy.

Dowell preaches education and diligence when it comes to fraud prevention. “Credit unions need to educate their employees about what types of fraud incidents are occurring and how to handle them if they occur,” he said.

Milletary stressed the importance of forming partnerships with other credit unions to share information about fraud incidents and help one another handle the threats of malicious activity. He also recommended being aware of breaches that occur at other companies. “It's important to understand that breaches outside your network can affect your security,” he said.

Dell SecureWorks offers a list of tips to clients that comprise the firm's recommended “layered approach to security”: build firewalls around your network and Web applications, implement an IPS/IDS (intrusion prevention system or intrusion detection system) as well as a host IPS (intrusion prevention system), utilize vulnerability scanning, implement 24/7 log monitoring and Web application and network scanning, use human intelligence to combat the latest threats and employ encrypted email.

The security services provider also suggests how to keep mobile banking devices from becoming an avenue for fraud. These tips include physically securing devices by way of disk encryption, using a VPN when connecting to the Internet via a mobile banking application, solving patching problems by having a single company maintain its software and requiring certificates to stave off fraudulent emails.

Jaquith concluded that the best way for credit unions to handle the security challenges posed by their small size is to place their security in the hands of a trusted third-party vendor. “My advice is that they work with a specialist firm that can take care of all that,” he said.


Natasha Chilingerian

Natasha Chilingerian has been immersed in the credit union industry for over a decade. She first joined CU Times in 2011 as a freelance writer, and following a two-year hiatus from 2013-2015, during which time she served as a communications specialist for Xceed Financial Credit Union (now Kinecta Federal Credit Union), she re-joined the CU Times team full-time as managing editor. She was promoted to executive editor in 2019. In the earlier days of her career, Chilingerian focused on news and lifestyle journalism, serving as a writer and editor for numerous regional publications in Oregon, Louisiana, South Carolina and the San Francisco Bay Area. In addition, she holds experience in marketing copywriting for companies in the finance and technology space. At CU Times, she covers People and Community news, cybersecurity, fintech partnerships, marketing, workplace culture, leadership, DEI, branch strategies, digital banking and more. She currently works remotely and splits her time between Southern California and Portland, Ore.