NCUA Chastises Computer Security Test 
8/28/2009 

The NCUA has discovered that the situation prompting the Fraud Alert it issued on Tuesday was a credit union’s effort to test its security systems.

 

An unnamed credit union created a fax of an NCUA Fraud Alert designed to test its security system. “This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel,” the agency said. The bogus alert was forwarded to NCUA, which prompted NCUA’s action.

 

“Credit unions are not authorized to create facsimile documents bearing NCUA logos or signatures, or to improperly represent communications from NCUA, even during the legitimate conduct of business such as a computer security assessment,” the agency stated.

Readers Comments


    • 8/31/2009 10:33:32 AM
    • Dale
    • NCUA Fraud Alert
    • Very interesting. We've had examiners physically dig through desk to find member files to demonstrate our vulnerabilities. Sounds like the same kind of childish behavior. Turn about seems fair.
    • 9/1/2009 5:33:52 PM
    • JRC
    • not sure on that one
    • While I agree that the use of the logo and such in the assessment may have been against policy (the signed waivers to the pen testers would need to be examined), the interesting thing is that most attackers will quickly ignore such policies.
    • 9/1/2009 5:34:48 PM
    • Jeff
    • NCUA Fraud Alert
    • The NCUA doesn't get it, do they? Attackers aren't going to refrain from making an "unauthorized and improper use" of logos and signatures. Far from it -- they will do all they can to make their deceptive communications look as good as they possibly can. Why not make a rule requiring all attackers to include "Warning: This is A Fraud" on all their communications? It's about as likely to be honored as a request not to use an official logo or signature.
    • 9/3/2009 1:35:57 AM
    • Bob Bridges
    • Yeah, seems the NCUA blew this one
    • I gotta agree. The test went beautifully; the attackers did their best to reveal flaws in their client's security, and the CU personnel reacted properly to a human-engineering attack that they spotted. It doesn't even matter whether the CU personnel recognized that the attack was part of the test; whether they did or didn't, reporting it was the right response. In other words, everyone did what they should...except the NCUA, if I understand the story correctly.
    • 9/16/2009 7:18:21 PM
    • Rico
    • Fraud Alert
    • I received a fraud alert from your organization, the electronic operator requested my credit info, after stating that I might be a victim of a Nigerian fraud scheme. Do you have such a warning going out?
    • 9/17/2009 8:28:25 AM
    • Sarah Cooke
    • Rico's comment
    • Credit Union Times is a magazine and never requests credit information.