Core processors are well aware of the need for security against fraud and theft—whether committed by employees, members, or outside scammers.
Of those three, internal employee fraud—often done in conjunction with international criminal rings—remains the greatest threat to your credit union.
“Internal employee fraud forms the highest percentage of security risks,” says John Messier, vice president of core product strategy at Open Solutions Inc. Ironically, he says, employees who commit fraud are usually the last people you’d suspect.
“There’s no real profile of who might commit internal fraud,” says Ron Young, Open Solutions’ vice president of product strategy and management. “Opportunities for fraud are different than before—there’s a market out there for account and credit card numbers among national and international criminal rings.”
Messier says it’s easy for credit unions to catch on to employees who are selling data simply by mining their own databases and asking, “Who’s engaging in an extreme amount of activity?”
It also helps, Young says, that some credit unions have put cameras on their computers to record who’s looking at what.
Daryl Tanner, president/CEO of Share One Inc., says the top threats to credit union security now are cyber attacks and employees tapping into dormant accounts or selling account information.
Fortunately, he says, such activities are discoverable. “Employees who engage in data theft usually began doing it before there were systems in place that could detect them. One factor in credit unions’ favor is that crooks usually don’t think others are as smart as they are, and this is often their downfall.”
Scott Bush, Share One’s vice president of technical services, says the danger from cyber attacks is well-known. “This is why we recommend regular, exhaustive audits to protect against and detect possible tampering.”
He doesn’t predict any letdown in the threat from internal fraud. “Internal threats will continue because it’s easier to gather data from the inside and sell it than it is to hack in or divert from the outside. Externally, criminal organizations will always be with us, especially in the Internet era.”
In fact, Bush believes threats from external sources will continue to increase and, at some point, could become so disruptive to the infrastructure of online financial dealings that they force rule changes in how the Internet is used or accessed.
Generally speaking, core processors bundle security and anti-fraud capabilities into their overall offerings. “Within the core system’s DNA are advanced rules about what employees can or can’t do,” Young says.
He says Open Solutions focuses on:
- Knowing the member. Is it the real member who’s conducting a transaction, and what is he or she allowed to transact?
- Transactional risks, including employee actions;
- Authentication and authorization; and
- Internal fraud.
One question that’s directed more often at core processors relates to cloud computing (“Core operations to the cloud,” p. 34). “The demand for technical change from credit unions usually comes from leading edge institutions,” says Tanner, “and there’s lots of curiosity among them about cloud computing. We’re cautious about it. Some very big institutions have been taken down while using it—Sony, Amazon, Google—because they couldn’t secure it. That’s why we think that for now the thin client/VPN approach is better.”
For credit unions looking to have a core processor take on security functions, there’s no need to reinvent the wheel. “We have best practices based on years of hands-on experience by credit union clients,” says Messier. “Also, when we take on a new client, we go into the credit union and evaluate all of its processes, including security, and then make recommendations.”
Bush says Share One spends a great deal of time on processes and controls when dealing with credit union clients. “Many of them don’t have controls in place that prevent employees from performing certain functions without explicit permission from their superiors.”
Another potential security breach, says Young, is when credit unions rely heavily on member identification numbers for multiple purposes, and then put them in easy-to-access places.
Messier says the security advice he gives credit unions goes beyond just installing the means to detect fraudulent activity.
He offers three rules of thumb:
- Keep up with your core processor’s security services. Ask about new applications designed to address emerging threats.
- Stay current with the technology in general. “We stay current with Oracle, Microsoft, and others who are reliable, innovative third-party providers,” Messier says. “Some vendors, however, are still selling legacy systems that are falling behind technologically.”
- Outsource when necessary. Many credit unions, he says, shouldn’t tackle risk management in-house—it can be too big a task. It’s sometimes better to outsource the function to someone who knows risk from a macro point of view.
“No one has to go it alone,” Messier says. “Share information and develop a strong community. Nobody can think of everything, which is why collaboration can be so helpful. We have discussion groups and sessions on our website that are very helpful.”
Next: Mobile safety