Expansion into new areas like business services and new channelslike P2P and mobile present new opportunities for credit unions andfraudsters alike.

Compounding the possible problems for technologists committed tofighting fraud are people problems inside the brick and firewallsof credit unions, who might knowingly or unknowingly help criminalsdo their deeds.

Inside jobs are nothing new, but the unwitting part is a growingconcern, according to one industry participant, who said shrinkingfee income and margins are tempting loan officers and others toengage in “risk-seeking behavior.”

“There's a shrunken pool of profitable, viable customers outthere, so churn and avoiding turnover have become real keys,” saidKeir Breitenfeld, a product manager with Experian's DecisionAnalytics team. “What we've been seeing since about the middle oflast year is more risk-seeking behavior from both a fraud andcredit perspective.”

The credit crunch of the past couple years had made it “hard foreven the fraudsters to get credit,” Breitenfeld said, but he seesthat now “we're seeing more risk tolerance as the financialinstitutions understand they have to go into high-risk customersegments to win business.”

That means Experian, which is in the business of providing fraudand risk analytics, recommends using strong risk-assessment toolsto prevent a spike in fraud rates, “which really have held quitesteady” the past few years, he said.

He said existing accounts are an area of particular concernbecause that's where the money already is, and other industryplayers note that new communication channels–both transactional andsocial–could be opening the door.

“I know you hear this all the time, but education of your staffstill remains vitally important,” said Mary Landesman, a seniorsecurity researcher at networking giant Cisco. “One of the worstthings that can happen to your credit union would be for a machineto get infected in-house. There are some very surreptitious malwarethat can scan your network and very quickly morph into a persistentthreat and in some cases, a very finely tuned missile aimed at yourenterprise.”

Landesman, co-author of Cisco's 2010 annual security report,noted that “getting scammed has been happening since communicationswere developed,” and that social networks are raising the stakeselectronically.

For instance, the LinkedIn professional networking site attractsa large amount of spam and scam, according to Cisco's analysis, andthen there's Facebook.

“Promiscuous friending is a problem,” Landesman said. “As personafter person gets linked, a legitimate friend can give access toinfiltrators who make their way deeper and deeper into their socialnetworks, gathering personal information about a target forspear-phishing attacks against high-level people, for instance, atyour credit union.” People with access to Treasury accounts, forexample, have become known targets for such attacks.

That's the unwitting factor. Willing participants also are aproblem, especially those who have access to the multiple,disparate channels of money movement in their organizations.“Organized crime rings, sometimes in collusion with insiders, arelaunching more complex attacks, resulting high-dollar fraud eventsand moving the money quickly offshore, where it's much harder torecover the loss,” said Karen Van Ness, a senior manager forproduct management at Oracle who focuses on compliance, moneylaundering and fraud in the financial services sector.

Van Ness said the need continues to grow for sophisticatedsolutions that scan the enterprise for anomalous transactions inany channel and correlate those with other events. “You then needto couple that with really robust case management that can handlesuch things as AML alerts and lead and information sharing,” shesaid. “At a lot of our clients, we've seen situations that didn'tlook like money laundering at first, but then the data wasshared.”

Sharing data is something that Don Jackson, director of threatintelligence at Dell SecureWorks, does daily in the global networksof companies like his and their clients that scan the globe formalware and the deeds of those who create them.

He agreed that the growing number of delivery channels is nowincreasing the threat of fraud. Bill pay applications, forinstance, are typically sourced to third parties, and the growingmobile channel is creating a whole new field of opportunity, hesaid.

“People creating these sophisticated malware programs also havemade their tools available on the black market and the fraudstersusing them only have to concentrate on a few hosted applicationslike bill pay or checking account management,” Jackson said. “Andthen there are the app stores where people are downloading mobilebanking software. Credit unions and banks are pushing mobilebanking and trusting it as a controlled environment but it couldbecome uncontrolled very easily.”

While companies like his continue to work to keep up or stayahead of the fraudsters, Jackson said, he noted that DellSecureWorks includes a large number of smaller financialinstitutions on its client list, and said that their growing use ofthe same channels and applications to serve a growing list ofproducts and services as the big banks is further increasing theirvulnerability to cyber fraud.

Van Ness at Oracle also noted the downstream flow of fraud.“We're seeing some anecdotal evidence now that credit unions are nolonger any safer than banks. Many of our client credit unions havevery sophisticated business models with the same kinds ofconveniences and channels that would let me go into there and getthe same services I would from a bank. Those increased servicesincrease vulnerability.”