Tech Time: Counter-Espionage Measures

Contributing Writer
member of Bellco Credit Union

Today’s security threats—whether sophisticated cyberattacks or old-school phone-based fraud—necessitate high-tech defenses and careful monitoring.

Most cyberattacks are, essentially, espionage and call for such counter-espionage defenses as penetration testing, spying on the dark web and guarding against a ransomware attack.

Penetration testing and rotating testing companies are now routine for most credit unions, observes Mark Arnold, VP/advisory services for Denver-based Lares, a credit union-focused data security firm. What’s emerging as a best practice is staging something like a war game where a red team attacks the security barriers and a blue team defends them. Then they blend into a purple team and share what they’ve learned. The teams can be staffed by vendor security pros or by the credit union if it has the resources, he notes. “We offer ride-alongs where we do the attacking and show credit union staff how it’s done,” he explains.

$4.9 billion Veridian Credit Union, Waterloo, Iowa, regularly runs penetration tests, changing testers at least every two years. In addition to attacking networks and servers, testers try to lure staff into compromises like accepting a fake delivery or responding to a fake call from IT, notes CUES member Brett Engstrom, CIO. After five years of trying to compromise staff, the success rate has fallen to almost zero, he adds.

Penetration testing continues to be useful but limited, suggests Paul Love, chief information security and privacy officer for CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, California. Traditional penetration testing is like someone outside a building probing for ways to get in. Something called “compromise testing” has emerged to take a broader assessment, looking for indications that an attacker “is now or has been on your network,” he explains.

Meanwhile, credit unions like Veridian CU have found ways to make attacks via ransomware difficult and unprofitable for hackers. “If they can’t get the data, they can’t get the ransom,” Engstrom points out. “We protect our systems, and we have a co-located data center with the information synched in almost real time, so the most we could lose would be a few minutes.”

Ransomware is a significant threat, agrees CUES member Murshid Khan, CIE, SVP/CIO of $3.8 billion TDECU, Lake Jackson, Texas. TDECU has built its security technology in a layered defense model that has been effective at preventing ransomware and other threats, he reports. Though the first layer of defense prevents the vast majority of attacks from becoming an issue, occasionally a threat will make it to deeper layers of the security stack, he concedes. “We blocked an attempt last summer that made it to our last level of defense,” he reports, “but we had the right measures in place.”

The dark web has become a settled, commoditized marketplace, Arnold observes. Monitoring it for your credit union and members’ information is part of a full penetration testing package, but it’s usually not full of surprises, he reports. Ransomware has also become a managed threat, with monitoring and a multifactor wall of barriers to discourage most attackers, but he warns that ransomware crooks are well-financed and are after relatively large rewards.

Voice Authentication Improves Protection

It’s possible for a cybercriminal, through identity theft, to gain enough information to pass all of a financial institution’s information-based authentication tests, which is why Veridian CU is considering implementing voice authentication.

A fraudster could find and purchase all the information the member would know on the dark web, “but he can’t sound like the member,” observes Nick Evens, president of the Veridian Group, the credit union’s wholly owned innovation credit union service organization.

When deploying such a solution, the CU would try to enroll all members and get them to record a test sentence. That recording would work in the background at the call center, and all callers would say the sentence while the system made the match or found no match, he explains.

In the vetting process, Veridian CU has found that the voice authentication systems are accurate more than 90% of the time, maybe even topping 95%. “They are extremely accurate, about the best authentication tool you can get,” Evens says.

Like many credit unions, Veridian CU’s call center has experienced increased call volume during the pandemic. “The calls are really growing, and we’re trying to keep up by hiring and streamlining,” says Engstrom. Voice authentication will help with both streamlining and fraud detection. “There’s plenty of friction in authentication, particularly with older members who sometimes have trouble remembering some of the test information. With voice authentication, the time per call could drop from as much as 90 seconds to as little as 10,” he reports. “Even if you can shave 15-20 seconds off thousands of calls, that’s a breakthrough.”

Veridian CU and TDECU have invested in voice authentication provider Illuma Shield, says Khan. He expects to implement voice authentication early next year at TDECU to make authentication safer, more efficient for the credit union and more agreeable to the member. Alone, it’s not a fraud-stopper, he suggests, but it is one piece in a more secure process.

Biometric authentication is effective, commonplace and generally required by regulators today, notes Arnold. What’s critical is not that the authentication factor is biometric but that it is part of a multifactor deck that makes it harder for cyberfraudsters to crack.

Richard H. Gamble writes from Grand Junction, Colorado.