Avoid creating complexity while keeping up on the latest fraud-prevention techniques.
Fighting cybercrime is a headache that threatens to become a migraine. It can’t be avoided. It can’t be confined because it keeps evolving. It can be fought, and credit unions have a growing number of tools and allies to help in the fight. They don’t have to fight alone, but they do have to keep up with the latest tactics criminals are using.
One tactic is to use tiny tools, notes Paul Love, chief information security officer at CO-OP Financial Services, a CUES Supplier member based in Rancho Cucamonga, California. Thieves have produced a charging cable that looks exactly like an Apple charging cable, he says. “If thieves can ... get an unsuspecting person to use it, they can steal information with a built-in, invisible capturing tool.”
Or they can hide an eavesdropper in a charging station or a power strip. “Anything with a useful-looking USB port could contain a wireless spy, and you’d never suspect it,” he explains.
Cyberattacks occur in cycles, and a strategy that’s in vogue is to go after business email, get access to one account and then leverage that to enter the larger system, Love says. Once in, the thief could impersonate the CEO and send a message to the CFO that looks completely legitimate, telling the CFO to wire money to a foreign account to facilitate an acquisition. The fraudster might even ask the CFO to keep it all confidential.
That example really happened, notes Brad Garland, CEO and head of business development at Vala Secure, Plano, Texas. “At the fake CEO’s request, the transfer was expedited without the usual verification. The CU was out a six-figure amount, some of which was recovered,” he reports.
Another point of attack is escrow services. “People break into those and change the wire destination for a deposit,” Love explains.
As criminals find new lines of attack, vendors are coming up with high-tech tools to stop them, but CUs might not need to build an arsenal of cyberfraud-fighting weapons. Niche products for fighting cyberattacks carry their own risks, Love points out.
“Complexity hurts security,” he insists. “With multiple tools, you lose visibility. You want to be able to see across a whole platform. Rather than add a product, first try to expand the use of products you already have. Many have functionality that wasn’t your original priority and may include features you can turn on to expand protection.”
The cybersecurity challenge lies primarily in the chinks in a credit union’s armor, explains Richard Crone, founder and principal of Crone Consulting LLC, San Carlos, California. Within its physical dimensions, a sturdy shield can be nearly impenetrable, but a suit of armor with many moving parts has chinks. And CUs, he points out, have built flexible, competitive, convenient member services by assembling multiple parts from multiple vendors and getting them to work together. Cybersecurity today consists, to a considerable degree, of inspecting and protecting those chinks, he says.
All these chinks call for a high order of due diligence, Crone insists. “It’s necessary, for starters, that CUs follow NCUA guidelines about supplier review,” he says. And you need independent, third-party reviews—by the CU, by the core processor—and reviews of the core processor’s reviews.
“You can’t take their word for it,” he warns. “And just because an application has passed a proof-of-concept test in a Visa or Mastercard sandbox environment doesn’t mean it’s ready to stop real cyber criminals.”
Complying with security regulations is a good start, says Ray Murphy, chief information security officer at LEO Cyber Security, Dallas, but only that.
“You need to build and evolve an information security program so you’re in a position to respond to new threats as they occur,” he recommends. “You need to be agile.”
The weakest link in cybersecurity is still gullible people, Garland points out. “The attackers hit a CU employee or member with a good story, and too often they are able to get confidential member information from the customer service rep or the member,” he explains.
A particularly weak spot could be the small-business member, he warns. “CUs could offer businesses some pretty robust connectivity, and those businesses are not regulated or examined and often are much less secure than the CU but offer a way into the CU. CUs need to target small businesses with security education.”
That’s not a problem for $900 million Ventura County Credit Union, Ventura, California, reports Clint Lovinger, VP/member services. “We have one platform for individual and business members, so the exposure is the same,” he says.
Compartmentalizing data is one way to limit the damage of a cyberattack, Murphy notes. “If you have a flat, wide-open network where a single login can get you anywhere, the damage can be severe if a threat actor gets in,” he points out. “You can separate your most critical assets from the rest. Or you can segment data that is only available to inbound requests. You can do a lot to segment your network to create secure pathways to discrete sets of data.“There’s always a balancing act between security and the best member experience,” Murphy adds. “You have to please the member, so you try to deploy security that works in the background as much as possible, identifying deviations from normal member behavior without making members take additional security steps.” But members are aware of data breaches and the need for their information to be kept secure, so they will accept higher levels of authentication around particularly sensitive transactions, he notes.
The cybersecurity threat is serious but hardly existential, Garland says. CU executives should be concerned and attentive but not alarmed, he advises. All the buzz about the unprecedented threats of cybercrime and cyberwarfare have some vendors capitalizing on fear to sell solutions that might not be justified, he warns.
“The reality is that many FIs can’t afford the best protection but don’t need the best protection—they just need to avoid having the worst,” he says.
Still, small- to mid-size CUs can no longer fly under the radar, assuming that dedicated cybercriminals are looking for bigger rewards than their organizations can provide, Murphy points out. “The criminals have refined and automated their efforts, so any business or financial institution is now a target,” he notes.
“The big banks will always be targets because of the potential reward,” Garland observes, “but a lot of the bad guys are looking for low-hanging fruit where they can get money with less work, and that’s often the small banks and credit unions. We see a lot of wire fraud and email phishing.”
Some thieves troll financial institutions, Love points out, looking for an unlocked door, and then take advantage when they find one. Others target a particular financial institution and put a lot of research and observation into their attack, hoping for a big score, he says. So smaller CUs aren’t immune from cyber incursions, he notes. Because most thieves are looking for an easy way in, victims usually have neglected to keep basic locks in place.
CUs often are more reactive than proactive. “After a CU is hit,” Garland observes, “the security budget goes up. That’s when they’re ready to spend more on security.”
Cybercrime is no respecter of borders, so Canadian and U.S. CUs share the same concerns and use pretty much the same tactics.
As a central credit union, Stabilization Central Credit Union, Vancouver, British Columbia, does not have retail operations, so the general public does not introduce exposure to the assets through compromised access points, reports CUES member Doug Eveneshen, president/CEO of the $49 million CUs’ CU. Nevertheless, cybercrime is a key risk for Stabilization Central CU and its CU and government members throughout British Columbia.
“SCCU’s mandate is to support and strengthen B.C. credit unions and provide solutions to manage risks for these participants,” he explains. So, it has an SVP for finance and risk who oversees the fidelity insurance and bonding for B.C. credit unions. “Risk mitigation is the key role for SCCU within the framework of the financial services sector in B.C.,” he adds.
Although Stabilization Corporate CU’s financial transactions are limited, it holds confidential data and reporting of support activities for CUs, so protecting that data is critical, he says. The CU outsources its IT management but owns the exposure, so monitoring IT and data exposure is ongoing.
In Crone’s view, CUs in Canada are safer because so much fraud occurs around payments and Canadian FIs are more advanced in their use of biometrics and multifactor authentication.
U.S. CUs appear to have a greater propensity for using insurance to transfer the risk of cybercrimes, Eveneshen observes. “This has been slow to come to Canada, but more credit unions are now exploring options in this area.”
Expertise is a challenge. Most CUs can’t find staff who are as crafty at preventing cyberfraud as the criminals are at inventing it. CUs can get help from well-chosen vendors.
Still, it’s easier to buy the expertise a credit union needs than a cooperative mindset,
“It’s hard to find people with the technical skills who will embrace the business strategy and work well with the business leaders,” he says. cues icon
Richard H. Gamble writes from Grand Junction, Colorado.