Thoughts on the future of IT fraud and how best to combat it
By Jamie McMahon
June 12, 2009
As the struggling economy forces credit unions to cut security budgets and also drives more people to criminal activity, credit unions need to be as vigilant as ever against IT fraud committed with increasingly sophisticated tools.
While new security technology may prove too expensive in the current climate, credit unions can reduce their risk in inexpensive ways, according to Kelly Dowell, executive director of the Credit Union Information Security Professionals Association, Austin, Texas. Dowell laid out several ways to stay a step ahead of fraudsters in the segment of the CUES Experience Webinar series, "IT Security - What Comes Next?"
"When it comes to information security, the financial services business is right there at the top of the list of key critical targets for criminals," Dowell says. "For them it's all about finding data that brings them to the cash, and they do that through a number of different channels."
As IT security systems have become more airtight, many criminals have turned away from exploiting vulnerabilities in the systems and instead are looking for ways around them. Dowell says fraudsters have done their homework to gain a better understanding of credit union processes and their soft spots, whether by sifting through public records or tricking employees into giving them information.
As an example, Dowell cited a recent attempt at a credit union to commit online check fraud. The offender opened a new checking account, had another individual transfer money to that account online, then quickly withdrew the cash as the second individual complained that he had never requested the transfer.
"It's an old type of fraud, but they're using online banking and the delays in that channel to really manipulate the processes," Dowell says.
Ways to Protect Your CU and Your Members
A recent survey conducted by CUISPA revealed that about 90 percent of credit unions don't plan on adding to their security budgets in 2009, and a third of those said they've actually made cuts. Dowell offered these suggestions to cheaply improve your CU's defenses:
1. Raise awareness. Though it may seem simple, educating members and especially employees is one of the most important and effective ways to prevent fraud. Dowell says the key is to make sure the education remains both interesting and ongoing.
"There's no intent to do wrong, but by employees' actions it's easy to do the wrong things - visiting the wrong sites that could bring malware back into the institution, transferring some piece of confidential information in a conversation they may have with a member, you name it."
2. Keep a close eye on your vendors. Unlike credit unions, most vendors are not regulated, and CUs should make sure suppliers are being as careful as they can with sensitive information.
"The SAS-70 has become the de facto request in holding vendors accountable," Dowell notes. "They provide some good information, but it's not really what we need to know to evaluate the risk in our relationship with our partner. There needs to be some more consideration of what those vendor management programs are really requesting - try making this something more than just a checklist for the vendor."
3. Think "enterprise risk management." "Think company processes, not just vulnerabilities," Dowell says. "How can you reduce the chances of fraud throughout a whole process? This involves people throughout the process - CEOs, department heads, tellers, you name it, but if you distribute the responsibility of information security, everybody now has a keener focus of what's going on."
4. Refine existing strategies. Fine-tune technologies you already have, and decommission those that are ineffective and time-consuming.
5. Raise "situational" awareness. Have an all-encompassing strategy with which you strive to "know your enemy" as best you can.
"The concept of situational awareness has roots in the history of military theory. It's difficult to determine how to effectively protect yourself without comprehension of your own situation," Dowell explains. "Situational awareness has to do with knowing your surroundings, knowing your business, your position in the market, and knowing your adversaries - at least thinking about what their focus may be and who their focus may be on."
This can only be achieved by teamwork, according to Dowell. A credit union's IT staff must be fully engaged with other departments if they're to effectively protect the institution. Also, credit unions should collaborate with each other to exchange security strategies and even share education programs.
"This is all about teamwork, and there's tremendous benefit in the world of security in leveraging teamwork," Dowell says.
Jamie McMahon is a CUES intern.