When he sifted the data on cyber-attacks on financial institutions, Charles Burckmyer, president at Sage Data Security in Portland, Maine, came up with a terrifying factoid. In 2012 there was a 52% chance that any given large financial institution reported a cyber breach, said Burckmyer who indicated that, if anything, numbers for 2013 will be higher still.
Credit unions are in the crosshairs of an enemy that knows no geographic boundaries, in many instances is beyond the reach of US law enforcement, and which is equipped with smart minds and powerful computing technology, both aimed at emptying the coffers of financial institutions.
That means you.
So, what are the five biggest cyber threats security professionals finger as the prime worries for 2014? Experts readily identify the threats credit union executives need to be losing sleep over.
Clouding the Issue
Cloud computing is a top worry for Chad Burney, chief information officer at GTE Financial, a $1.6 billion credit union in Tampa, Fla. Burney conceded that the appeal of cloud – where data is housed offsite, in remote servers, typically owned and maintained by third-party storage companies – is real.
It delivers cost savings and cloud usually also means all data is accessible by all authorized devices, no matter where they are, because in cloud computing information typically is device independent.
All wonderful, said Burney, who indicated that at the highest levels of his organization there is substantial enthusiasm for cloud.
Burney’s worry: the safety of that data. “Data being stored in the cloud without any type of security beyond what is provided by the cloud storage vendor is certainly a threat,” he said.
Burney added that, inherent in many cloud offerings, there seems to be “a trade-off between security and functionality/efficiency.”
Realistically, Burney acknowledged, cloud probably is coming at many credit unions, probably soon, as the push for IT efficiency mounts. But, he said, he will be closely eyeing the security deliverables of any cloud offerings in which GTE Financial is involved and he will be thoroughly vetting cloud providers on the security they offer.
Sage’s Burckmyer added that in his conversations with financial institutions – and Sage provides security to several hundred, many credit unions included – cloud has emerged as a prime topic. Some cloud vendors are very good about security, others less so, said Burckmyer, and it becomes the credit union’s job to sort through the differences. That is not an easy task.
But it will likely loom as a must-do in 2014.
Account Takeovers On the Move
George Tubin, spokesman for Trusteer, explained that in this gambit the criminal – be he in Kiev or Shanghai or Mumbai or New Jersey – briefly seizes control of the target’s computer and uses it to log into the victim’s own accounts, where big payouts are ordered up.
The detection software verifies that this member’s computer is in Union City, N.J. (check), is on the Comcast ISP (check), is such and such a machine (check), and is set to Eastern Standard Time (check). All checks pass, so why interfere with the transaction?
“The criminals know financial institutions are implementing device ID checks and now they are finding ways around that,” said Tubin.
And that means savvy institutions will need to find yet newer verification tools because today’s criminals are never far behind.
The Spear That Phishes
Spear-phishing continues to menace financial institutions, said Scott Goldman, CEO of TextPower, a developer of SMS innovations. He added that, daily, most employees see multiple targeted phishing emails, many masquerading as missives from their boss or their boss’s boss (the so-called spear-phishing variety because they are more pinpointed than the mass-mailed generic phishing mails). And it is not easy to ignore an email that shouts “Urgent: Immediate Action Required” and which purports to be from a higher-up.
Click on the link in that email and many bad things can happen, from a malware download onto the victim’s device to conning the victim into giving up his or her log-in credentials.
Added Goldman: “Some of the latest ‘spear-phishing’ efforts have been stunningly sophisticated. While there is little that you can do to prevent users from behaving in a dangerous manner you should educate them as much as possible.”
An important warning for 2014: It is harder to eye links in emails and check them for credibility on a mobile phone, and criminals see the same studies everybody else does that say, increasingly, many of us look at half or more of our emails on smartphones. Expect them to up their phishing attempts because they just may be seeing more results.
That is why ongoing employee education is key.
The Catch With Interceptions
SMS interceptions are growing. Another Trusteer warning, this one throws into question exactly how long credit unions can look to two-factor authentication built around SMS as a good fraud-prevention tool.
According to Tubin, Trusteer has seen a growing number of cases – so far mainly in Europe, he admits – where cyber criminals infect a smartphone (typically an Android) with malware that forwards incoming SMS to the thieves.
Send the member an SMS – “Your verification code is 123456” – and brilliant as that seemed at one point, if that SMS immediately lands on the criminal’s phone, it is game over because now he not only has the victim’s username and password, he has the second authentication piece too.
Warns Trusteer: “Mobile SMS verification is rendered all but useless as an out-of-band authentication method” as these intercepts grow in number.
Trusteer also pointed out an obvious byproduct of these intercepts: “Enterprises must be wary of the real potential for SMS communication compromise with the increasing popularity of BYOD.”
Those employee-owned phones may not be subject to regular inspection for security and cleanliness and therein lies an emerging threat.
Which brings us to threat #5:
Bring Your Own Threat
The big issue: If sensitive credit union data is on the phone or tablet, how can it be secured in the event the device is lost or stolen? Ditto, how can it be protected in the event malware gains access to the device?
“BYOD is a cost savings for us. It’s also what employees want,” said Burney. “I totally support it. But device management is a challenge.”
Wiping devices actually is simple. Apple for instance has provided administrator remote wipe privileges for some years on iPhone and iPad. The problem is how to wipe all and only credit union data (no employee baby pictures, no personal emails). Third parties provide more finely calibrated wipes but, said Burney, picking exactly the right tool for this particular credit union and its precise needs is not that easy.
At GTE Financial, Burney said BYOD likely will be rolled out institution-wide in Q2 2014 but getting there has taken a lot of research and a deliberate build-out of precautions and infrastructure. His point: only fools would rush into this, because the dangers are very real.
DDoS Pops Up
DDoS – Distributed Denial of Service – won recurrent headlines throughout 2013 and, said Burckmyer at Sage Data Security, “DDoS has become a perennial.” That is, do not assume this threat has passed because there has been quiet for a few months.
Burckmyer also stressed that there are more and more instances where DDoS is used to distract security staff while criminals busy themselves looting the institution via wire transfers and other staple cyber thefts.
Said Stephen Gates, chief security evangelist at Corero Network Security, a maker of anti-DDoS weapons, “There are a lot of players in the field, and the tools (to perform DDoS) are so easy to use and so widely available. They are very effective. And the attacks work. That is why DDoS is not going away.”
Gates recounted the 2013 DDoS history where, initially, the big attacks were so-called volumetric attacks, meaning the perpetrators sought to drown a target with a tidal wave of meaningless data.
Various defense companies quickly developed techniques to ward off these attacks and, poof, the DDoS attackers shifted format and unleashed application layer attacks that in effect let the victim computers wear themselves out dealing with nonsensical requests (password reset requests for non-members, for instance). Those attacks necessitated yet other kinds of defenses.
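As an added illustration of the application-layer pattern Gates describes (example code, not from the article or from Corero), the following Python flags a source that floods the password-reset endpoint with requests for usernames that are not members. The log format, the IP addresses and the member list are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): timestamp, source IP, method, path, username.
SAMPLE_LOG = """\
2013-11-02T09:00:00 203.0.113.5 GET /login alice
2013-11-02T09:00:01 203.0.113.5 POST /password-reset alice
2013-11-02T09:00:01 198.51.100.7 POST /password-reset qx71a
2013-11-02T09:00:02 198.51.100.7 POST /password-reset qx71b
2013-11-02T09:00:02 198.51.100.7 POST /password-reset bob
2013-11-02T09:00:03 198.51.100.7 POST /password-reset qx71c
2013-11-02T09:00:04 198.51.100.7 POST /password-reset qx71d
2013-11-02T09:00:05 198.51.100.7 POST /password-reset carol
2013-11-02T09:00:06 198.51.100.7 POST /password-reset qx71e
2013-11-02T09:00:08 198.51.100.7 POST /password-reset qx71f
"""

# Constructed stand-in for the institution's member directory.
KNOWN_MEMBERS = {"alice", "bob", "carol"}


def parse_line(line):
    ts, ip, method, path, user = line.split()
    return datetime.fromisoformat(ts), ip, method, path, user


def flag_reset_floods(log_text, members, window=timedelta(seconds=60),
                      max_resets=5, min_unknown_ratio=0.5):
    """Return {ip: {"resets": n, "unknown": m}} for every source IP that issued more
    than max_resets password-reset requests inside one sliding window, where at
    least min_unknown_ratio of those requests named usernames that are not members."""
    per_ip = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, user = parse_line(line)
        if method == "POST" and path == "/password-reset":
            per_ip.setdefault(ip, []).append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Usernames hit by this IP within `window` of the i-th request.
            in_window = [u for t, u in events[i:] if t - start <= window]
            unknown = sum(1 for u in in_window if u not in members)
            if len(in_window) > max_resets and unknown / len(in_window) >= min_unknown_ratio:
                flagged[ip] = {"resets": len(in_window), "unknown": unknown}
                break
    return flagged


if __name__ == "__main__":
    print(flag_reset_floods(SAMPLE_LOG, KNOWN_MEMBERS))
```

A single legitimate reset from 203.0.113.5 stays unflagged, while the burst from 198.51.100.7 trips both the volume and the non-member thresholds.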
In all probability, DDoS attackers are already working up yet newer attack vectors, to unleash as defenses for present attacks tighten.
Bottom line: In 2014 every institution needs a DDoS response plan, said Gates, and it should be in writing and spell out what steps are to be taken in the event the institution falls under assault.
Because exactly that may happen, be the attacker an employee with a grudge, an unhappy member, a hacktivist group, or a criminal cartel. They all are using DDoS now and that’s why every credit union needs to know what it will do when attacked.