When he sifted the data on cyber-attacks on financial institutions, Charles Burckmyer, president at Sage Data Security in Portland, Maine, came up with a terrifying factoid. In 2012 there was a 52% chance that any given large financial institution reported a cyber breach, said Burckmyer, who indicated that, if anything, numbers for 2013 will be higher still.

Credit unions are in the crosshairs of an enemy that knows no geographic boundaries, in many instances is beyond the reach of US law enforcement, and which is equipped with smart minds and powerful computing technology, both aimed at emptying the coffers of financial institutions.

That means you.

So, what are the five biggest cyber threats security professionals finger as the prime worries for 2014? Experts readily identify the threats credit union executives need to be losing sleep over.

Clouding the Issue

Cloud computing is a top worry for Chad Burney, chief information officer at GTE Financial, a $1.6 billion credit union in Tampa, Fla. Burney conceded that the appeal of cloud – where data is housed offsite, in remote servers, typically owned and maintained by third-party storage companies – is real.

It delivers cost savings, and cloud usually also means all data is accessible by all authorized devices, no matter where they are, because in cloud computing information typically is device independent.

All wonderful, said Burney, who indicated that at the highest levels of his organization there is substantial enthusiasm for cloud.

Burney's worry: the safety of that data. “Data being stored in the cloud without any type of security beyond what is provided by the cloud storage vendor is certainly a threat,” he said.

Burney added that, inherent in many cloud offerings, there seems to be “a trade-off between security and functionality/efficiency.”

Realistically, Burney acknowledged, cloud probably is coming at many credit unions, probably soon, as the push for IT efficiency mounts. But, he said, he will be closely eyeing the security deliverables of any cloud offerings in which GTE Financial is involved, and he will be thoroughly vetting cloud providers on the security they offer.

Sage's Burckmyer added that in his conversations with financial institutions – and Sage provides security to several hundred, many credit unions included – cloud has emerged as a prime topic. Some cloud vendors are very good about security, others less so, said Burckmyer, and it becomes the credit union's job to sort through the differences. That is not an easy task.

But it will likely loom as a must-do in 2014.

Account Takeovers On the Move

Account takeover moving to the victim's device. This is a bold-faced warning from security firm Trusteer, and what the company is saying is that many of the present device authentication techniques used to validate a member's banking session may be on the verge of being outwitted by crooks.

George Tubin, spokesman for Trusteer, explained that in this gambit the criminal – be he in Kiev or Shanghai or Mumbai or New Jersey – briefly seizes control of the target's computer and uses it to log into the victim's own accounts, where big payouts are ordered up.

The detection software looks to verify that this member's computer is in Union City, N.J.: check. Using Comcast as the ISP: check. Using such and such a computer: check. Set to Eastern Standard Time: check. All checks pass, so why interfere with the transaction?

“The criminals know financial institutions are implementing device ID checks and now they are finding ways around that,” said Tubin.

And that means savvy institutions will need to find yet newer verification tools, because today's criminals are never far behind.

The Spear That Phishes

Spear-phishing continues to menace financial institutions, said Scott Goldman, CEO of TextPower, a developer of SMS innovations. He added that, daily, most employees see multiple targeted phishing emails, many masquerading as missives from their boss or their boss's boss (the so-called spear-phishing variety, because they are more pinpointed than the mass-mailed generic phishing mails). And it is not easy to ignore an email that shouts “Urgent: Immediate Action Required” and which purports to be from a higher-up.

Click on the link in that email and many bad things can happen, from a malware download to the victim's device to conning the victim into giving up his/her log-in credentials.

Added Goldman: “Some of the latest 'spear-phishing' efforts have been stunningly sophisticated. While there is little that you can do to prevent users from behaving in a dangerous manner, you should educate them as much as possible.”

An important warning for 2014: It is harder to eye links in emails and check them for credibility on a mobile phone, and criminals see the same studies everybody else does that say, increasingly, many of us look at half or more of our emails on smartphones. Expect them to up their phishing attempts because they just may be seeing more results.

That is why ongoing employee education is key.

The Catch With Interceptions

SMS Interceptions Growing. Another Trusteer warning, this one throws into question exactly how long credit unions can look to two-factor authentication built around SMS as a good fraud-prevention tool.

According to Tubin, Trusteer has seen a growing number of cases – so far mainly in Europe, he admits – where cyber criminals infect a smartphone (typically an Android) with malware that forwards incoming SMS to the thieves.

Send the member an SMS – “Your verification code is 123456” – and, brilliant as that seemed at one point, if that SMS immediately lands on the criminal's phone, it is game over, because now he not only has the victim's username and password, he has the second authentication piece too.

Warns Trusteer: “Mobile SMS verification is rendered all but useless as an out-of-band authentication method” as these intercepts grow in number.

Trusteer also pointed out an obvious byproduct of these intercepts: “Enterprises must be wary of the real potential for SMS communication compromise with the increasing popularity of BYOD.”

Those employee-owned phones may not be subject to regular inspection for security and cleanliness, and therein lies an emerging threat.

Which brings us to threat #5:

Bring Your Own Threat

BYOD. Resistance is futile. BYOD (bring your own device) has swept into credit unions and, said GTE Financial's Burney, it brings innumerable security risks that are not easy to solve.

The big issue: If sensitive credit union data is on the phone or tablet, how can it be secured in the event the device is lost or stolen? Ditto, how can it be protected in the event malware gains access to the device?

“BYOD is a cost savings for us. It's also what employees want,” said Burney. “I totally support it. But device management is a challenge.”

Wiping devices actually is simple. Apple, for instance, has provided administrator remote wipe privileges for some years on iPhone and iPad. The problem is how to wipe all and only credit union data (no employee baby pictures, no personal emails). Third parties provide more finely calibrated wipes but, said Burney, picking exactly the right tool for this particular credit union and its precise needs is not that easy.

At GTE Financial, Burney said BYOD likely will be rolled out institution-wide in Q2 2014, but getting there has taken a lot of research and a deliberate build-out of precautions and infrastructure. His point: only fools would rush into this, because the dangers are very real.

Bonus Threat: DDoS

DDoS – Distributed Denial of Service – won recurrent headlines throughout 2013 and, said Burckmyer at Sage Data Security, “DDoS has become a perennial.” That is, do not assume this threat has passed because there has been quiet for a few months.

Burckmyer also stressed that there are more and more instances where DDoS is used to distract security staff while criminals busy themselves looting the institution via wire transfers and other staple cyber thefts.

Said Stephen Gates, chief security evangelist at Corero Network Security, a maker of anti-DDoS weapons, “There are a lot of players in the field, and the tools (to perform DDoS) are so easy to use and so widely available. They are very effective. And the attacks work. That is why DDoS is not going away.”

Gates recounted the 2013 DDoS history where, initially, the big attacks were so-called volumetric attacks, meaning the perpetrators sought to drown a target with a tidal wave of meaningless data.

Various defense companies quickly developed techniques to ward off these attacks and, poof, the DDoS attackers shifted format and unleashed application layer attacks that in effect let the victim computers wear themselves out dealing with nonsensical requests (password reset requests for non-members, for instance). Those attacks necessitated yet other kinds of defenses.

In all probability, DDoS attackers are already working up yet newer attack vectors, to unleash as defenses for present attacks tighten.

Bottom line: In 2014 every institution needs a DDoS response plan, said Gates, and it should be in writing and spell out what steps are to be taken in the event the institution falls under assault.

Because exactly that may happen, be the attacker an employee with a grudge, an unhappy member, a hacktivist group, or a criminal cartel. They all are using DDoS now, and that's why every credit union needs to know what it will do when attacked.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.