MADISON, Wis. – Credit unions better be wary of account takeover and hacker break-ins if they want to maintain members' trust. According to Roger Nettie, risk specialist for CUNA Mutual, these are the two biggest information security issues CUNA Mutual is seeing. In the account takeover scenario, someone presents themselves as a particular member; gets access to that member's accounts; and then uses either home banking or audio response to transfer money to another account at the credit union. "Most of the claims have been falling for home banking or just plain-old audio response," said Nettie. The way to limit risk, he said, is to make more robust passwords. Often CUs allow members access to their accounts electronically by simply using the last four digits of their social security number as the PIN/password. Nettie said that just won't cut it in today's world. He recommends following industry standards which call for alpha-numeric PIN/passwords of six to eight characters. "Unfortunately a lot of financials see the social security number as a very easy way for members to sign up because they already know it. We recommend a random PIN generation sent in a sealed envelope," said Nettie, which is similar to what credit card companies do for their PINs. The other biggest threat right now is hacker break-ins. Nettie said CUNA Mutual has seen two major ones this year and they both involved Web servers that were housed at the credit unions. He's sure in one case the CU was using a Microsoft operating system, and thinks that was the case in the other attack as well. Microsoft is obviously a prime target for hackers said Nettie. In one of the attacks the perpetrator was able to obtain ID and password information. "To the credit union's knowledge none of that information was used for any fraud yet. We believe because of where the source of the exploit was coming from, the former Soviet Union, that they were after credit cards," said Nettie. In the other attack the perpetrator again hacked into a CU where the Web server was housed at the CU, but this time they were able to pull off lots of other information, including completed loan and membership applications, which would provide plenty of information to commit identity theft. When information like this is stolen, Nettie, said it's not uncommon for the thief to use it in extorting the victim. It can force the financial to pay a sum of money, or else it will distribute the information for not-so-nice purposes, such as identity theft. Nettie said in both these break-ins, the victimized CUs weren't exactly small, demolishing the myth that small CUs are the most at risk. Member data are gold these days for crooks. Nettie also highlighted a case in Pennsylvania where a CU employee was selling member data for $300 a piece for someone to use to pull of identity theft. Nettie said he's concerned that not enough CUs are getting third-party assistance in securing their systems, specifically their online systems. It is strongly recommended in reg 748, but it's not required. "I'm hearing that some credit unions that haven't been getting third-party help are finally doing so at the urging of their regulator. The regulators know this is an issue," said Nettie. Just looking at CUMIS' new types of coverage shows how much the world has changed for CUs. For example, one CU put in a claim for extra PR expenses related to a security breach. The CU had to inform members that someone broke into their system and their member info was stolen and could potentially be used in fraud. That type of claim falls under CUMIS' computer crisis management coverage. The protection CUs need today has changed as well. No longer can they feel safe just because they have a firewall. "Now you need a firewall, intrusion detection, virus software and vulnerability assessments performed on a regular basis," said Nettie, and don't forget about an annual security audit. Virus claims are also on the rise. Nettie said today's viruses are more damaging than ever. A virus that hit some CUs late last year caused a number of them to lose data. CUMIS has coverage to help CUs restore lost data. Virus claims can also be costly. Nettie said there has been some claims already this year in excess of $100,000. "I've seen reports that viruses are down, but the ones that have come out more recently have caused more damage," said Nettie. [email protected]