Years ago, fraud consisted mainly of paper-based checking account schemes. Today, fraud is electronic in nature—and over many channels, says Theran Colwell, director of risk management commercial products at CUNA Mutual Group.
“Whereas credit unions once had one branch as the focal point for transactions, now there are multiple delivery channels,” he says. “As new channels and tracks emerge, it takes time for security to catch up. Fraudsters tend to quickly jump channels and tracks.”
The move toward digital scams is the biggest fraud trend Colwell sees today, although he distinguishes between external and internal threats. “External threats get more media attention, such as the Target malware attack at the point of sale,” he says. “The ultimate cost of fraud is a function of frequency and severity. Frequent incidents of a particular type of fraud may not be as severe as rarer types in terms of money lost.”
Other fraud trends credit unions and members face today, according to Colwell:
Colwell says fraudsters’ chief means of penetration include malware and “social engineering,” where a crook amasses personal information by visiting a victim’s social media accounts and then taking over his or her financial accounts.SIDEBAR:
These are all threats in the here and now. But there’s a threat looming that could give credit unions and members major headaches: Social Security number fraud, says Jim Stickley, cofounder/chief technology officer for TraceSecurity, a CUNA Strategic Services alliance provider.
“The biggest fraud threat is still attacks against members via phishing and identity theft —the same old things we’ve been seeing forever,” he says. “But that is about to radically change. The next threat is an assault on Social Security numbers.”
Fraudsters will obtain these numbers by designing malware that targets a specific core processing system— no more creating just general attacks on Windows, Stickley says.
CUNA Strategic Services alliance providers:
“This malware can find its way into a credit union’s core system and then mine it for credit card numbers, Social Security numbers, and other personal information,” he says. “All it takes is one teller browsing in the wrong place and the malware has its point of entry.”
Credit unions can counter such attacks with “throttling,” a practice that inserts default transaction limits to thwart fraudulent access to the database, he says.
“A teller typically might access the database 10 or 20 times an hour to retrieve member information. But if the number suddenly increases to 20,000 records in five minutes, that’s a clear sign of fraud,” Stickley says.
He calls stolen Social Security numbers “the gift that keeps on giving. You can easily change credit card numbers, but it is incredibly difficult to get a new Social Security number. Theft of the number means nothing—you have to prove actual damage, and even then it’s a two-year process to get a new number. Even then, you still keep your old number alongside the new.”
Target breach lessons
Stickley says credit union executives should keep this ratio in mind when considering the Target breach and subsequent incidents: Despite an estimated 80 million to 100 million credit card numbers being accessed, only a minute number of fraudulent credit card actions occurred as a result.
“Criminals are not stupid,” he says. “The Target breach, which was huge, was a supposed success, but it produced an amazingly low return for all the effort put into it.
“Still, credit unions have to eat the costs of these scams,” Stickley continues. “They never get back all of what they lose. In the meantime, there’s a massive amount of man hours devoted to dealing with and reassuring members. Even though Target provided lists of credit union members whose cards were compromised, those financial institutions still had to wade through those lists to cull out their own members.”SIDEBAR:
Colwell sees pros and cons to today’s amped-up speed of information distribution. “The con is the increased vulnerability to attacks like the Target breach. The pro is that victims’ institutions can react quickly to stop the fraud.”
Member education has emerged as a key element in thwarting fraud, Stickley says, although such information can’t be basic or static. “It has to be dynamic and continuously updated.”
Stickley’s other company, Stickley on Security, addresses this need.
“We offer a video library,” he says, “that can be branded with a credit union’s look that members can access. We also offer a ‘What Are Your Risks Today?’ website feature that pushes up new content daily and is specifically written for credit union members. We describe the new scams and the measures members can take to protect themselves.”
Colwell has a list of antifraud best practices that, although not exhaustive, makes for a good start: Be aware of fraud trends, stay in touch with how they’re affecting the financial services industry, and implement policies and procedures that:
Above all, Colwell says, “Educate your staff and members. The more alert eyes and ears, the better.”
PATRICK TOTTY is a freelance writer based in Larkspur, Calif.