There is now so much personally identifiable information available on the dark web that fraudsters are shopping the bargain bin for card data but are willing to pay more for complete profiles.

“Legitimate businesses are not the only ones undergoing a digital transformation,” John Buzzard, industry fraud specialist for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. He observed the largest amassing of worldwide PII data took place from 2013 to 2015, according to Forbes. “Not only is the data ripe for picking, it is sitting there sometimes unprotected.”

Buzzard suggested credit unions and card issuers continually provide a cautionary tale to staff and consumers in terms of protecting member data. “We want to emphasize to credit unions they can be stronger and more secure.”

Gartner forecasted there will be 20.4 billion connected devices globally by 2020; Forbes estimated some 1.7 megabytes of new information will be created every second for every human on the planet by 2020.

“Criminals are out there adopting how they can use those pieces of information,” Buzzard warned. “It is far worse than people realize.” He added criminals have exploited, for profit, virtually every technological milestone involving some form of financial value, from phone cards in the 1980s to home equity loans and online credentials in the late 2000s.

The biggest shift more recently is toward stolen data aggregation. “We tend to fixate on payment card breaches like Chipotle due to the millions of consumer payment cards that are in play at retailers, but the truly valuable information to be stolen is richer,” Buzzard said. “Criminals tend to pay more for complete sets of PII and less for single payment card info.”

He pointed out there is just so much stolen card data in the wild, the fraud market is oversaturated. “The more you have, the cheaper it is.”

Buzzard explained, “There is a vast reselling market via the dark web where criminals offer up stolen payment cards, crimeware and crimeware-as-a-service in virtual stores.” They even provide customer service and custom-designed malware. Faster payments could also lead to more fraud without proper authentication of the payment initiators. To combat this, Buzzard suggested organizations consider multi-layer authentication like RSA and one-time passwords.

CO-OP disclosed it made a $25 million investment in people, infrastructure and processes to improve and innovate within the fraud-prevention space. That investment included machine-learning technology, which CO-OP plans to implement to help fight fraud on multiple CO-OP business platforms. Buzzard said the goal is to make everyone stronger in their awareness of fraud scams and how they can play a role in preventing its growth.

The $1.44 billion, Indianapolis-based Elements Financial Federal Credit Union, which is part of the CO-OP Network, in the past year made a demonstrated commitment to educate employees and members about cyber-threats such as data breaches and phishing attacks.

For employees, the credit union utilizes a monthly phishing test, online learning, and ongoing sharing of the latest cybersecurity alerts and news through meetings, the intranet, emails and Yammer.

“What we are doing, and continue to do, is test our employees monthly to protect against social engineering,” said Chris Sibila, EVP, payments and technology at Elements.

Elements utilizes a phishing security test from the Tampa Bay, Fla.-based cybersecurity firm KnowBe4. “They have a nice tool that lets you queue up varying types of social engineering tests that you send through email,” Sibila explained.

Stu Sjouwerman, CEO of KnowBe4, stated, “Credit unions, in general, have an enormous amount of PII and stiff regulatory requirements they have to adhere to. KnowBe4 helps them manage the ongoing problem of social engineering in a very economic fashion. Credit unions are expected to compete with larger banks with the same regulatory restrictions but without the big budgets to accompany the requirements.”

The Elements security team sends suspect email, without advance warning, and tries to trick staffers into clicking on links or opening attachments they shouldn't.

When Elements started these tests in December 2016, about 30% of their people failed. From that point forward they educated employees and continued to share examples of what is taking place in the threat world. Plus, they received online learning to help them recognize and understand the devastating organizational effects of social engineering.

“At six months into the year, we're staying under 10% of people clicking on it. Usually it's one, two or three people out of 180 who are falling for it,” Sibila said. He added they are doing a really nice job of either not clicking at all or clicking more often on the Report Phishing button in Microsoft Outlook.

Elements also partnered with the Chicago-based West Monroe Partners, a managed service provider that helps with overall security operations such as network penetration and firewall monitoring, as well as infrastructure management to ensure every server and virtual desktop deploys timely updates and patches.

“We reinforce that we don't want the bad guys to win here,” Sibila maintained.

The credit union, which is a SEG-based credit union known as Eli Lilly Federal Credit Union until 2005, works with 100 companies now. Elements also educates members through 30-minute lunch-and-learn seminars, alerts, blogs and other community outlets.

Sibila revealed, “It's been incredible, the stuff that we have seen even as we try to educate our members.” He recounted a social engineering case on the member side in which a retiree scam victim, convinced he had won a lottery, was in the process of taking out more cash. An Elements employee spotted it and informed the credit union fraud department. “He had already lost $18,000 of his own money and was about ready to go big with these guys and send them more money. We talked him out of it and filed all the information about the event.” The credit union later learned from a DEA agent in Thailand the member was one of about 30 individuals duped by a cybertheft ring, which used the ill-gotten gains to fund terrorists.

Buzzard suggested these cybersecurity best practices for credit unions and members:

  • Ask, “How can we show the member a near real-time snapshot of their accounts however and whenever they want it?” The answer may simply be lining up amenities like card control products, account alerts, email notifications and SMS messaging that the member controls.
  • When criminals repeatedly victimize members, it's important to note their computers may contain keyloggers and malware.
  • Corporate entities need to exercise the same care in educating their workforce on cybersecurity. “The dangers of ransomware show that normally cautious professionals can make a simple mistake by clicking on highly suspicious attachments,” he said.
  • Procure cyber-crime prevention professionals to aid in penetration testing and risk assessments on an annual basis.

“I continue to stress with our staff, anything where we have people touching members, you just have to keep it top of mind,” Sibila said.

He advised credit union personnel to think a little more suspiciously before diving in and helping. “Especially in the credit union space where we are always talking about great member service, and going above and beyond, sometimes that works against us. Because the bad guys are trying to trick you into giving great service to a crook.”
