Special Report: America's CU Conference

Business Services Offer Potential for Growth, Risk

Expect greater impact from online fraud in the business services arena.

June 22, 2011

Credit unions looking to expand membership by adding business accounts and related services such as online banking and depository services must perform proper due diligence and be wary of potential losses that may be uninsurable.

That’s the word from Ken Otsuka, senior consultant, Credit Union Protection Risk Management for CUNA Mutual Group. He addressed an America’s Credit Union Conference Discovery breakout session audience Tuesday.

Many credit unions find that merely offering business loans isn’t enough to attract new business members who want more than a source of financing, Otsuka says.

“Credit unions are introducing additional services to enhance their service portfolio and be a one-stop source for a business’ needs,” he says. “But failure to adopt sound banking practices and important loss controls exposes credit unions to significant losses.”

Business checking accounts and online banking services pose unique risks.

Before opening a new business checking account, credit unions should first perform a risk assessment to:

  1. Verify the existence of the business entity to comply with Customer Identification Program rules; and
  2. Determine the entity’s financial condition to qualify the business for various services.

Some of the largest check-related losses have involved unauthorized accounts opened at credit unions by dishonest employees of businesses to aid in their embezzlement schemes against those companies. The severity of losses could be significant due to the volume and dollar amount of check transactions.

“The embezzlements can take place over several years before they are discovered, and these losses may not be insurable,” Otsuka adds.

Otsuka addressed the alarming escalation of online banking fraud in the financial services industry. The root of the problem has been Trojan keyloggers, primarily the Zeus Trojan, which monitors and captures keystrokes, logs them to a file, and sends them to cyber thieves.

The Trojan resides on users’ computers without their knowledge and is primarily used to capture online banking login credentials.

Trojans like Zeus are spread through phishing e-mails, generally targeting an organization’s key employees. Users of popular social networking websites such as Facebook have also been targeted.

Thousands of computers infected with customizable Trojans like Zeus form a botnet, allowing cyber thieves to control the infected machines through command and control centers. Attacks can infiltrate computers at credit unions and the business members they serve.

Zeus is also used in man-in-the-browser (MITB) attacks, whereby the victim’s browser is infected with the Trojan, which sits patiently for the user to access online banking websites.

“When the user visits a targeted online banking website, Zeus silently springs to life,” Otsuka explains. “After the user is successfully authenticated—even with two-factor authentication such as a one-time-password generated by a token—Zeus ‘piggybacks’ on the user’s session. It intercepts and modifies details of a transaction entered by the user and initiates new transactions without the user’s knowledge.”

To better protect themselves and member accounts, Otsuka urged credit unions to implement:

  • Stronger two-factor authentication method, rather than the common method of computer recognition (using cookies) combined with challenge questions;
  • Out-of-band authentication (e.g., by telephone) to authenticate members through a separate communication channel;
  • Fraud detection tools to monitor user access behavior and individual transactions; and
  • Out-of-band transaction verification for large dollar transfers.

For more information, visit CUNA Mutual Group’s Protection Resource Center.