Fraud Fight Just Gets Fiercer: Onsite Coverage
LAS VEGAS — The fight against cybercriminals just gets harder. Call that the theme of the pre-conference sessions at the 14th annual CU InfoSecurity conference, held this year at the Red Rock Resort in Las Vegas.
A conference organizer estimated that some 50 credit unions were in attendance. Included were the $656 million Amoco Federal Credit Union from Texas City, Texas; the $821 million Clearview Federal Credit Union in Moon Township, Pa.; the $1 billion Tennessee Valley Federal Credit Union in Chattanooga, Tenn.; and the $401 million Hoosier Hills in Bedford, Ind.
The pre-conference illustrated how much interest there is in the security focus, as dozens of credit union executives showed up Wednesday afternoon for pre-conference sessions before the official conference got underway.
All came because a fact has become inescapable: the fraudsters keep getting better at their work but, said opening speaker Bryan Jardine, a product manager at Sunrise, Fla.-based anti-fraud company Easy Solutions, they also are lazy. “They look for the weak links,” Jardine said.
“Make it hard for them to exploit you and they will go elsewhere,” he said.
“We need to get people schooled up in fighting fraud,” pronounced Jardine, who added that in many credit unions – especially smaller ones – fraud fighting is just one of many hats worn by busy employees.
That makes their challenge tougher because criminals are on the hunt for credit unions with less than professional fraud fighting campaigns, he suggested.
He added, “Some financial institutions will say, we don’t have fraud issues. I guarantee they do.”
And maybe their biggest problem is that they just don’t know it.
The next speaker, Rene Thibault, a vice president at anti-phishing company Savant Protection in Hudson, N.H., threw out a zinger at his talk’s start: “There is no firewall against stupidity.”
His point: employees, increasingly, are personally targeted in what Thibault called “phishing 2.0” – campaigns that are much more targeted than first-generation phishing was. Often the emails will seem to come from fellow credit union employees.
The bad news: some of those emails contain so-called executables – small programs that can provide full-time monitoring of an employee’s computer. In short order the criminal has login credentials, passwords and more, all unwittingly provided by employees who clicked on things they shouldn’t.
At Savant the solution is technology that “white lists” what an employee can open. The downside is inconvenience – the employee may be denied the ability to update a particular application that may be harmless but is not on the white list.
The upside: it becomes highly unlikely that fraudsters will sneak by a toxic executable, Thibault said.
His opinion: as more credit unions find themselves under attack by highly skilled phishing 2.0 criminals, more will embrace whitelisting in order to keep their systems free of malware.
A third speaker, Rama Iyer, CEO of Aliso Viejo, Calif.-based DirectRM, gave an impassioned pitch for broader adoption of two-factor authentication where logins require “something you know” and “something you have.”
He argued that, in the present talks about EMV as a security solution, what is overlooked is that EMV is a possible cure for card-present fraud but does nothing for card-not-present fraud (typically purchases made over the Internet).
Assuming the MasterCard and Visa mandates for adopting EMV by late 2015 have teeth, it is inevitable, Iyer said, that card-not-present fraud will skyrocket.
That ups the ante on financial institutions to take steps to roll out two-factor authentication because it, he suggested, is a fast way to combat card-not-present fraud.