As credit unions and other financial institutions continue to brace for breaches similar to what happened with Target, experts warn that even more cyberthreats are popping up.
One of the scariest outcomes is that through a few mouse clicks, thieves can copy millions of financial records.
So, what potential perils are now keeping financial services security experts up at night? Here are their top five cyberthreats.
Employee Phishing Attacks. Criminals have long tempted consumers with so-called phishing emails. Click on a link and malware such as the keylogger Zeus is downloaded to the victim’s machine. The result can be account takeover. Lately, though, the threat has escalated, with credit union employees specifically targeted with phishing emails, said Paul Wisniewski, information security officer with the $1.6 billion GTE Financial in Tampa, Fla.
If the employee clicks, a compromise of member records could result, Wisniewski said, adding this threat has become so widespread that every credit union needs protections in place.
At GTE Financial, member data is safeguarded against phishing via a sophisticated desktop virtualization setup, according to Wisniewski. The details get complicated but, in effect, the employee cannot click on an Internet link, including to popular sites such as ESPN or CNN, while looking at member records. Going to the web necessitates exiting the desktop where member data resides and entering a new, virtual desktop, all of which happens in seconds in the credit union’s setup. This arrangement results in solid protection for member data, Wisniewski said.
While it’s not the only way to protect against employee-facing phishing, every financial institution now needs protection, experts advise.
“This phishing threat just seems to get greater,” Wisniewski said.
DDoS. Distributed Denial of Service may not have been in the headlines lately but it is still considered a threat to credit unions.
“There is a tremendous amount of DDoS occurring,” said Carl Herberger, vice president of security solutions at Radware, a DDoS mitigation company with its North American headquarters in Mahwah, N.J.
Underlining the enormity of the DDoS threat, the FFIEC issued a warning on April 2 explicitly urging financial institutions to develop response systems. That’s easier said than done, said Chris Risley, CEO of Defense.net, a Belmont, Calif.-based DDoS mitigation firm. The shape of DDoS continues to morph, so yesterday’s attack is different from today’s infiltration as attackers find new vulnerabilities about as fast as security teams patch old ones.
The cost of unleashing a DDoS attack is also tumbling. Risley described a simple method, costing no more than $20, that would deliver a devastating DDoS payload of several hundred gigabytes of nonsense traffic aimed at any website of choice. Few credit unions are adequately defended against these new attacks and most would instantly be knocked offline, he said. Even when they are protected, newer attacks can still emerge, Risley noted.
Experts also stressed that there are many known instances where DDoS is used as camouflage for other criminal cyberattacks aimed at stealing money from financial institutions. The bottom line is credit unions are strongly encouraged to pursue DDoS response strategies, which is the essence of the FFIEC’s guidance issued last month.
The Myth of the Perimeter. For some years, many credit unions have focused on perimeter cyberdefenses, such as firewalls, as the way to stay safe from cybercriminals. However, a growing recognition today is that the perimeter is porous, said Jonathan Cogley, CEO of Thycotic Software, a Washington-based developer of IT management tools.
“There is no perimeter anymore,” he warned.
The core idea is that highly skilled hackers, including those working for state-sponsored organizations or criminal cartels, have the talent to penetrate just about any perimeter defense.
“The elephant in the room is the lack of continuous monitoring,” said Vincent Berk, CEO of FlowTraq, a network security company in Lebanon, N.H.
Once hackers penetrate a network or perhaps an insider goes rogue, the damage is done by exfiltration of data, which means transmitting it outside the network. Experts say this is where monitoring tools come in, and sophisticated ones will detect an attempt to access large amounts of credit card data or other sensitive account details and terminate the operation.
“You can’t rely on a firewall. Network defense is active,” Berk said.
Do most credit unions have reliable network monitoring? Some security experts believe deployment is sketchy, with only the biggest financial institutions usually having the protective tools in place.
BYOD. Bring Your Own Device, or BYOD, continues to plague many credit unions. Wisniewski said it’s a big concern. Employees put their personal smartphones and tablets on the credit union network. The problem is that those devices are insecure, and the credit union does not know whether they have the latest patches or are infected with malware.
GTE Financial is in the early stages of addressing BYOD. Wisniewski said plans are in the works to allow employees to access the institution’s WiFi network. Further down the road might be allowing them to access credit union email and files on the credit union network, he added.
Meanwhile, solutions are hard to come by right now because employees want convenience through their personal devices but the credit union’s data still has to be protected.
“We are taking this a step at a time,” Wisniewski said.
ATMs Under Attack. Another April FFIEC warning pertained to an uptick in attacks on web-connected ATMs. According to the FFIEC’s guidance, “Cyberattacks on financial institutions to gain access to, and alter the settings on web-based ATM control panels used by small- to medium-sized institutions are on the rise. The members (regulators that comprise the FFIEC) expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over information technology networks, card issuer authorization systems, ATM usage parameters and fraud detection processes. In addition, the members expect financial institutions to have effective response programs to manage this type of incident.”
“ATM cash-out schemes are a continuing threat,” said John Buzzard, manager of product management and fraud operations with FICO, the San Jose, Calif.-based credit scoring company.
In the ATM cash-out schemes the FFIEC warned about, criminals take control of vulnerable web-facing ATMs and reset withdrawal limits and card balances, which allows them to empty out a machine.
The remedy for this, according to the FFIEC, is to test and continually monitor ATMs for vulnerabilities. Buzzard stressed the checking has to be ongoing.
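One way to run the ongoing check of ATM usage parameters described above, as an added example that is not from the article or the FFIEC guidance. The audit event format, field names, user names and amounts are constructed for illustration; the point is that alerts are judged against an approved baseline, not against whatever limit the control panel currently holds.

```python
from collections import defaultdict

# Approved ATM usage parameters (constructed value, hypothetical field name).
BASELINE = {"daily_withdrawal_limit": 500}

# Constructed audit events in a hypothetical format: setting changes made in
# the ATM control panel, and withdrawals authorized against a card.
EVENTS = [
    {"ts": "2000-01-01T01:02:00", "type": "setting_change", "user": "ops1",
     "param": "daily_withdrawal_limit", "new": 500, "ticket": "CHG-EXAMPLE"},
    {"ts": "2000-01-01T02:10:00", "type": "setting_change", "user": "ops7",
     "param": "daily_withdrawal_limit", "new": 100000, "ticket": None},
    {"ts": "2000-01-01T02:15:00", "type": "withdrawal", "card": "card-A", "amount": 400},
    {"ts": "2000-01-01T02:16:00", "type": "withdrawal", "card": "card-B", "amount": 9000},
    {"ts": "2000-01-01T02:17:00", "type": "withdrawal", "card": "card-B", "amount": 9000},
]


def find_cashout_indicators(events, baseline):
    """Return (timestamp, reason) alerts, judged against the approved baseline
    rather than whatever limit the control panel currently holds."""
    alerts = []
    withdrawn = defaultdict(int)   # (card, date) -> total withdrawn that day
    flagged = set()                # card-days already alerted on
    limit = baseline["daily_withdrawal_limit"]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "setting_change" and ev["param"] in baseline:
            approved = baseline[ev["param"]]
            # A changed value or a change with no ticket both need review.
            if ev["new"] != approved or not ev.get("ticket"):
                alerts.append((ev["ts"], f"{ev['param']} set to {ev['new']} by "
                               f"{ev['user']} (approved {approved}, ticket {ev.get('ticket')})"))
        elif ev["type"] == "withdrawal":
            key = (ev["card"], ev["ts"][:10])
            withdrawn[key] += ev["amount"]
            if withdrawn[key] > limit and key not in flagged:
                flagged.add(key)
                alerts.append((ev["ts"], f"{ev['card']} withdrew {withdrawn[key]} "
                               f"in one day (approved limit {limit})"))
    return alerts


if __name__ == "__main__":
    for ts, reason in find_cashout_indicators(EVENTS, BASELINE):
        print(ts, reason)
```

Because the withdrawal check uses the approved limit, it still fires when the limit in the control panel has already been raised.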
As big as those five threats may be, there may be a bigger one facing credit unions, said Siva Narendra, CEO of mobile platform company Tyfone in Portland, Ore.
“The herd mentality that assumes someone else will solve the problem. In this vein, it is absolutely essential for the credit union to ask the right questions,” Narendra said. “It requires credit unions to spend quality time on cybersecurity and know that if it is too easy to be solved, it is too easy to be hacked. You need to ask the right questions. That is how you get the right security answers.”