5 Ways to Rob a Credit Union: 2014 Edition
What a difference a year makes.
The top five ways to rob a credit union outlined here a year ago remain worrisome. But, ask the experts, and only one method of theft identified last year remains top of mind in 2014.
Zeus, ATM skimming and identity theft, which made last year’s list, certainly are concerns inside credit union security groups. However, more current attacks are winning notice today.
Old-fashioned bank robberies did not make the cut again this year. In 2011, the most recent year for which FBI statistics are available, there were 398 robberies of credit unions and 5,014 robberies of financial institutions of all kinds. The total amount taken from all financial institutions was $38,343,501.96. Monies recovered amounted to $8,070,886.97.
That puts the net loss at around $30 million.
So-called clearance rates, the share of robberies that end in an arrest, remain high for bank and credit union holdups, mainly because there is almost always extensive video of the event.
Takeovers and holdups, unquestionably, are terrifying. But they are no threat to the financial stability of most credit unions. It’s the new kinds of theft that can pose big threats.
Read on for the 2014 roundup of the five best ways to rob a credit union.
Targeting the corner office
“The candy store – that’s what cybercriminals call CEOs,” said Neal O’Farrell, CEO of San Francisco-based Privide, a company specifically focused on what O’Farrell said is sharply rising interest in CEOs on the part of savvy criminals.
The reason? A typical credit union CEO may have far more access to network data than other employees. He or she may also have been too busy to attend mandatory all-staff cybersecurity awareness trainings.
By nature, a CEO also is curious, extroverted and a networker.
O’Farrell said cybercriminals send the CEO a personalized, targeted phish. It may appear to come from a trade group executive, a regulator or possibly a journalist. It will be well written, without misspellings, and may include personal touches (for example: “I haven’t seen you since GAC, hope all is well.”).
It will set off no alarm bells, and, unlike other credit union employees, the CEO almost certainly faces no restrictions on clicking links.
“Nine out of 10 times, this will succeed,” O’Farrell said.
In the bargain, the crook will also get the CEO’s network login credentials.
“It is very hard to protect the CEO against these phishes,” said O’Farrell, who stressed that it is rare traditional antivirus protection will successfully block such an attack.
He insisted CEOs are penetrated by cybercriminals more than people realize and certainly more than CEOs acknowledge.
“Why would they tell you,” O’Farrell asked. “And how would they know they had been penetrated?”
That’s the scariest part.
Slick attacks aimed at CEOs do not loudly announce their presence. The strategy is to stay quiet and keep the CEO unaware that anything happened at all. That gives the criminal more time to harvest the rewards.
Undercover intruder
“We are successful gaining entry 95% of the time,” said Tom DeSot, chief information officer at San Antonio security company Digital Defense.
DeSot referred to unauthorized entry into credit unions and banks on assignments where Digital Defense was contracted to attempt to get in.
The hiring organization usually thinks its defenses are unassailable, but DeSot said they almost always are wrong.
Here is how DeSot’s team did it. First, they found out who manufactured the credit union’s multifunction machines, which usually only takes a quick call or two.
Then, the security firm purchased a logo shirt from the manufacturer on eBay.
Team members wore khaki chinos, carried a tool kit and presented themselves at a credit union entry point.
“We never attempt to go through the front door,” DeSot said. “We’ll go through an employee entrance or a backdoor.”
Front door employees usually have better training. At the back door, a smile and a dose of bonhomie was good enough to get in.
Once inside, the testers headed toward the multifunction machine, then veered off to look for vulnerable computers. After they planted malware on those machines, the mission was accomplished. A real crook could have controlled computers inside the credit union for months before the intrusion was detected.
“We have done this in organizations with 25 employees and we have done it in organizations with 2,500,” DeSot said.
In most organizations, outside repairmen were simply invisible; they weren’t watched.
Can’t a badge be checked for authenticity?
“I wish I had to make a bogus badge. Nobody looks at them,” said Tim Gallagher, senior network security engineer at Nuspire Networks. “The logo shirt is enough, even though you can get them at thrift stores.”
What if an intruder gets caught?
That rarely happens in his simulations, DeSot said.
Exploiting the tiny screen
Many members have wised up about email phishing. Most consumers have developed skills to sniff out this spam. They hover their cursors over a link to see whether it goes to their credit union or to a webpage hosted in Vladivostok. They note misspelled words and tangled grammar, and then hit delete.
Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, suggested credit unions refrain from popping corks in celebration.
That is because, he said, he is seeing early signs of what could develop into an avalanche of phishing email that specifically targets users on mobile devices, especially phones.
The logic is that mobile users read email on a phone in a hurry. Often they are multitasking: eating lunch at a fast food restaurant, riding a subway home or walking the dog. Tactics like the mouse hover that reveals a link’s full address are not easy to use on a phone, and the tiny screen means users see less of the message to begin with.
“There is an uptick in the amount of phishing attacks. A lot of credit unions have been targets,” McAfee research scientist Irfan Asrar said. “It’s hard to spot a fake on a small screen. If you are not paying attention you can get caught.”
Most smartphones continue to ship without apps designed to detect and shut down phishes. Members must practice do-it-yourself security, and for many, that is a tall order.
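The hover check described above (does the link really go where its text says it does?) is something a mail gateway can do for members who read on a phone and cannot hover. The following is an added example, not code from the article or from any vendor quoted in it: it parses the anchors in an HTML email body and flags links whose visible text names the credit union’s domain while the href goes elsewhere, and hrefs whose host merely resembles the credit union’s domain. The domain examplecu.org, the sample messages and the 0.8 similarity threshold are assumptions constructed for the example.

```python
"""Added example: the 'hover check' done programmatically on an HTML e-mail.

Flags anchors whose visible text names a trusted domain while the href points
elsewhere, and hrefs whose host looks like a trusted domain without being one.
All domains and messages below are constructed for this example.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the credit union's real registrable domain(s).
TRUSTED_DOMAINS = {"examplecu.org"}

# Matches something that looks like a hostname inside the anchor's visible text.
_DOMAIN_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hostnames are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels ('online.examplecu.org' -> 'examplecu.org').
    Good enough for the sample; production code should use the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(host, reg_domain, trusted):
    """True when the host borrows a trusted domain's name as a substring
    (examplecu.org.evil.net, examplecu-login.net) or is one typo away (exarnplecu.org)."""
    for t in trusted:
        if t.split(".")[0] in host:
            return True
        if SequenceMatcher(None, reg_domain, t).ratio() >= 0.8:
            return True
    return False


def analyze(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, [reasons])] for every suspicious link."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        reg = registrable_domain(host)
        if reg in trusted:
            continue  # genuinely ours, nothing to flag
        reasons = []
        m = _DOMAIN_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1).lower()) in trusted:
            reasons.append("text says %s but link goes to %s" % (m.group(1), host))
        if is_lookalike(host, reg, trusted):
            reasons.append("lookalike host %s" % host)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message in the style the article describes.
SAMPLE_PHISH = """
<p>Hi Pat, haven't seen you since GAC, hope all is well.</p>
<p>The comment letter is here:
<a href="http://examplecu.org.account-review.net/doc">https://examplecu.org/letters/2014</a>
and you can <a href="http://exarnplecu.org/login">log in</a> to sign it.</p>
<p>Unrelated but fine: <a href="https://www.examplecu.org/rates">our rates</a>
and the <a href="https://www.ncua.gov/">NCUA</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in analyze(SAMPLE_PHISH):
        print(href, "|", text, "|", "; ".join(reasons))
```

Run on the constructed message, the two doctored links are reported and the two legitimate ones are not. The substring and edit-distance checks are deliberately coarse: the point is to do on the server the comparison a member on a subway will not do by hand.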
International espionage
Could it already be happening inside credit unions? Could elite hackers – perhaps working on behalf of foreign governments – be quietly observing transactions?
Transactions tell a lot about people, such as their marital status, length of their work day and ability to stay within their budget or wildly overspend.
In past times, spies gathered that data with feet on the street. Now it can be remotely harvested by skilled hackers and, suggested multiple experts, it is far from certain that most credit unions are well defended against data eavesdroppers who have no intention of stealing even a dime.
The New York Times recently reported that hundreds of the biggest U.S. oil and gas companies have been infiltrated for some time by hackers funded by what appear to be Russian interests. The goal was industrial espionage.
Experts said similar espionage may be occurring at financial institutions.
“This has been long in coming but it is coming. There are elite hackers whose intent is not to steal money from financial institutions, just information,” said Tom Kellermann, chief cyber security officer at Japanese firm Trend Micro.
“These hackers are good at hiding,” said Bob Foley of Indiana security company Matrix Global Partners.
Guarding against information exfiltration may not have been a top priority at many financial institutions, but that may soon change, the experts said.
The path to insolvency
This was the one carryover from the 2013 list because employee theft remains a big, embarrassing problem.
In Tucson, Ariz., Jessica Vidal, a member services representative at the $423 million-asset Pima Federal Credit Union, was accused of looting $23,000 from five member accounts. She got the money by telling credit union co-workers that the members, supposedly victims of fraud, had asked her to withdraw funds from their accounts.
She is also accused of obtaining $54,000 in fraudulent loans using member Social Security numbers.
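Both patterns alleged above, an employee pulling cash from several absent members’ accounts and loans opened on members’ Social Security numbers but paid out elsewhere, leave a trace in the core system that a simple review job can catch. The following is an added example, not code from the article or from any credit union or vendor: three detection rules run over a constructed transaction log. Field names, thresholds (three distinct accounts in 30 days, $1,000 dual-control limit) and all records are assumptions made for the example.

```python
"""Added example: detection rules for the insider pattern described above.

All data is constructed for this example; the field layout and thresholds are
assumptions, not any core-processing vendor's schema.
"""
from collections import defaultdict
from datetime import date, timedelta

# Member master: account -> SSN on file (last four digits suffice for the demo).
MEMBERS = {
    "M5001": "1234", "M5002": "2345", "M5003": "3456",
    "M5004": "4567", "M5005": "5678", "M5006": "6789", "M9001": "9999",
}

# Cash withdrawals: (date, posting employee, member account, amount,
#                    member present at the counter?, second approver or None)
WITHDRAWALS = [
    (date(2014, 3, 3),  "E101", "M5001", 4200.00, False, None),
    (date(2014, 3, 5),  "E101", "M5002", 3900.00, False, None),
    (date(2014, 3, 11), "E101", "M5003", 5100.00, False, None),
    (date(2014, 3, 18), "E101", "M5004", 4800.00, False, None),
    (date(2014, 3, 24), "E101", "M5005", 5000.00, False, None),
    (date(2014, 3, 4),  "E202", "M5006",  300.00, True,  None),
    (date(2014, 3, 9),  "E202", "M5001",  250.00, True,  None),
    (date(2014, 3, 10), "E303", "M5002", 2000.00, False, "E404"),
]

# Loans: (date, originating employee, applicant SSN last four, disbursement account)
LOANS = [
    (date(2014, 4, 2),  "E101", "3456", "M9001"),   # SSN belongs to M5003, paid to M9001
    (date(2014, 4, 9),  "E101", "4567", "M9001"),   # SSN belongs to M5004, paid to M9001
    (date(2014, 4, 15), "E202", "6789", "M5006"),   # normal: paid to the SSN holder
]


def remote_withdrawals_by_employee(withdrawals, window_days=30, min_accounts=3):
    """Rule 1: one employee posting withdrawals for absent members across
    `min_accounts` or more distinct accounts inside a `window_days` window.
    Returns {employee: sorted list of accounts in the first such window}."""
    by_emp = defaultdict(list)
    for when, emp, acct, _amount, present, _approver in withdrawals:
        if not present:
            by_emp[emp].append((when, acct))
    flagged = {}
    for emp, events in by_emp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {a for w, a in events[i:] if w - start <= timedelta(days=window_days)}
            if len(window) >= min_accounts:
                flagged[emp] = sorted(window)
                break
    return flagged


def missing_dual_control(withdrawals, limit=1000.00):
    """Rule 2: an absent-member withdrawal above `limit` must carry a second
    approver; the teller's word that 'the member asked me to' is not enough."""
    return [(when, emp, acct, amount)
            for when, emp, acct, amount, present, approver in withdrawals
            if not present and amount > limit and approver is None]


def loans_paid_away_from_ssn_holder(loans, members):
    """Rule 3: loan opened with an existing member's SSN but disbursed to an
    account that is not that member's. Returns [(date, employee, owner, paid_to)]."""
    ssn_to_account = {ssn: acct for acct, ssn in members.items()}
    hits = []
    for when, emp, ssn, paid_to in loans:
        owner = ssn_to_account.get(ssn)
        if owner is not None and owner != paid_to:
            hits.append((when, emp, owner, paid_to))
    return hits


if __name__ == "__main__":
    print("rule 1:", remote_withdrawals_by_employee(WITHDRAWALS))
    print("rule 2:", missing_dual_control(WITHDRAWALS))
    print("rule 3:", loans_paid_away_from_ssn_holder(LOANS, MEMBERS))
```

On the constructed log only E101 trips the rules: five absent-member withdrawals in March with no second approver, and two April loans written against other members’ SSNs and paid into the same unrelated account. The window and dollar thresholds are the knobs a fraud team would tune; the structural idea is that the employee, not the member, is the key to group on.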
In Lynchburg, Va., the federal government recently indicted Linda Sue Newcomb, onetime general manager of the failed Lynrocten Credit Union. She is accused of stealing millions by misappropriating member personal information and taking out loans in their names.
In Lawrence, Kan., onetime Jayhawk Federal Credit Union manager Karolyn Stattelman recently pled guilty to stealing $175,000.
Jayhawk was merged out of existence earlier this year.
Seemingly weekly a credit union employee is arrested, or confesses to embezzlement or other misuse of member funds and personal information. In many cases, the embezzler is a trusted, longtime employee with significant seniority.
Many are caught. How many aren’t?
Nobody really knows, and that is why this threat is real.