This isn’t child’s play, it definitely isn’t funny and it very well can cost your institution money. Cyber crooks are busily scheming up ways to separate your credit union’s assets from the institution. Here we have rounded up the top five things to really worry about.
* Patience May Win Out - for the Crooks
After a breach is detected, experts pore over Internet traffic logs and, according to new research from Verizon, with financial institutions, the perpetrators often have proven themselves to be remarkably patient. “We see cases where they have probed for weeks and months before they find a way in,” said Jay Jacobs, a Verizon spokesperson.
“In one case, they probed for a year.”
That makes financial institutions very different. Other sectors studied by Verizon such as healthcare and retail do not exhibit anywhere near that level of patience on the part of the crooks.
The bad news: because they are willing to keep probing, if there is a vulnerability, no matter how arcane, they will find it.
Worse news: Jacobs said the crooks’ cyber-fingerprints can be traced backwards after an attack but he doubted that even vigilant study of logs beforehand would have alerted victim institutions that an attack was coming. “It’d be like looking for the needle in a haystack,” he said.
It’s already come to cellphones, said Ryan Disraeli, vice president of fraud services at Telesign.
Disraeli elaborated: “SMS mobile attacks are now being seen more often by users. A fraudster sends an SMS spam message to a user's mobile phone and it appears to be a message from their bank or credit union. These messages almost always include links, which the target will click and it will exploit the device to collect various types of information from a site that looks just like the credit union's own website. These attacks can be so sophisticated that it looks as though the bank is sending the message themselves as an alert or notification.”
* Credit Union Employees Are Under Attack
Considerable cyber crook focus now is on finding ways to take control of employees’ computers, tablets and smartphones. Get inside the firewall, the thinking goes, and a cyber crook can find numerous ways to loot institutional accounts.
Matters apparently are so grave the FBI has issued a warning about the rising incidence of attacks on financial institution employees.
According to many experts, training of financial institution employees to recognize and avoid cyber attacks has not always been rigorous. Even though they are high-value targets, credit union employees may fall victim to the same fairly simple phishing attacks that fool consumers. Stepped up training, said the experts, is the must here.
A reality is that most attacks aimed at employees are easily sidestepped – but employees need to be taught the dangers.
Steve Santorelli, a spokesperson for security firm Team Cymru, said in his opinion the biggest current worry is: “Zombies in your machine – drive by downloads that appear as adverts on major, legit websites, that are essentially cross platform. You can't avoid the global pandemic unless you quarantine yourself: use a dedicated machine for nothing other than online banking.”
The backdrop is that security experts report that malicious Spam is increasingly ineffective. Filters are catching it and putting it in isolation before it can do harm. Cyber-criminals consequently are on the hunt for new attack vectors and contaminated advertisements are increasingly popular.
Called “malvertising,” it’s not a small problem. Literally millions of machines are already contaminated, said experts.
A problem: a lot of this malware is so cleverly written it appears to dodge most anti-virus screening. Much of it also now is written to infect both Windows and Apple computers.
Santorelli’s advice to restrict one computer to nothing but online banking – meaning no email, no web surfing, no gaming – may seem extreme. But he insists it’s the one way to keep sensitive sessions safe.
* We Are The Enemy
“The real threats to remote banking, quite frankly, are the users themselves,” said Pierluigi Stella, chief technology officer of Network Box USA, a security company based in Houston.
He added: “Too many end users/home users don’t deploy proper protections on their computers and access their online banking information without any form of a safety net.”
Many steps are very simple: PIN protect smartphones, for instance. Password protect home WiFi networks. Be very cautious about using public WiFi – at coffee shops or hotels or airports for instance – and whatever you do, don’t use those networks for financial transactions.
A reality: credit unions could do much more in terms of advising members on simple security precautions to take. Setting up a PIN on a phone literally takes seconds. But such steps pay huge dividends.