A sure sign the war against hackers and the like has gone on for a while is when one of their tactics can be termed “classic.” That’s how a Dell SecureWorks security expert described ATM skimming in his rundown of threats that credit unions will face in 2015.
Jeff Williams, director of security strategy in the operation’s Counter Threat Unit, also sees database attacks continuing as cyberthieves purloin personal account data to make cards from or to sell. He says ransomware and DDoS attacks also will likely be an issue for some financial institutions in the year ahead.
Criminals also will continue to move downstream to smaller financial institutions that are less likely to have alerts and protections in place, Williams says. “The majority of these attacks have countermeasures well known in the financial industry,” he says, “but the difficulty of implementing all countermeasures can be a challenge for IT and anti-fraud departments, which already find their resources stretched thin.”
While cyberattacks have been around since script kiddies turned sinister, relatively new are the massive card breaches that really got traction in 2014, up 26% over 2013, according to Fiserv.
Patrick Davie, vice president of risk solutions for card services at the tech giant, says issuers who have been lulled into a false sense of security can no longer assume they’ll fly under the radar, “no matter how small or how local the credit union is, or how well they know their members.”
Along with breaches that force expensive card replacements, card fraud at the point of sale also is expected to continue in the year ahead. EMV technology and tokenization techniques such as in Apple Pay will have some effect, but as usual, the criminals will find another way to strike.
“As EMV becomes more widely adopted in the U.S. by both merchants and issuers, fraudsters will shift their efforts to card-not-present channels,” Davie says. “Card-not-present fraud is expected to spike over the next three years.”
Another area that doesn’t get much press but does net the bad guys plenty of loot is wire transfer fraud. That and thefts from HELOC accounts were callouts by Roger Nettie, senior consultant for risk management at CUNA Mutual Group.
Nettie says fraudsters in the past couple of months have been aggressively taking what he called preliminary steps to target member accounts, including forwarding member phone lines to defeat callback security.
More recently they started requesting that wires be sent to destinations that appear to be construction companies, to make it appear that those are legitimate home improvement payments, Nettie says.
He says embezzlement by employees continues to be the insurer’s biggest area of loss but that he expects “future areas of fraud growth to be external in nature.”
“The resurgence of wire transfer HELOC fraud was a surprise,” the CUNA Mutual risk management consultant says. “The last risk alert we did was July 2012, and then the problem seemed to die down for a while. The changing tactics used by thieves is scary, because it shows how determined they continue to be.”
Some Gain, More Pain
While frequently pinned as a problem, government did prove to be part of the solution on cybersecurity in 2014. “Law enforcement has had some unexpected success in breaking up large carding rings and arresting the parties involved,” says Williams at Dell SecureWorks.
Williams thinks the arrests themselves and the chilling effect through word-of-mouth among underground forums will help reduce “to a degree” the scale of such attacks.
Regulators also ramped up their participation in the war on cybercrime. The Federal Financial Institutions Examination Council, for instance, just released a revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examination manual. The new manual incorporates regulatory changes since 2010 and “clarifies supervisory expectations,” the FFIEC says.
The FFIEC, of which the NCUA is a part, also recently released the first findings of its “cybersecurity pilot assessment” conducted as part of regular examinations earlier this year. Formal guidance will follow, but the regulators say they did find varying levels of risk and recommended that financial institutions pay more attention to their vendors and participate in information-sharing consortiums such as FS-ISAC.
New in the consortium game this year is the U.S. Payments Security Task Force (PST). Comprising issuers and acquirers, networks and merchants, the PST is working to find a way to protect data at the point of sale, in the store or online. PYMNTS.com says the group is about to issue its first white paper, which will include recommendations on how to secure the payments system.
PYMNTS.com says, “The report itself is long on thoughtful recommendations but short, by design, on silver bullets. … There’s simply no single strategy or tactic that can fix payments security and the PST acknowledges that point right up front.”
At least one credit union executive doesn’t mind the extra attention. “We are up against some formidable opponents in protecting the funds and data of credit union members and need all the help we can find,” says Robert Reh, chief information officer at Nassau Financial Federal Credit Union ($388.8M, Westbury, NY).
Reh says he sees FS-ISAC and related agencies as sources of timely information about outside threats, but says the security threat is just as real inside the walls of a typical credit union.
“Our greatest vulnerability remains with the trusted access given to our employees, which can be compromised if they fall prey to social engineering,” says the veteran IT executive and former CUNA Technology Council executive committee member. “Email and WiFi are also serious threats. Employees and members can unknowingly provide access to confidential data or introduce malware that will very likely involve considerable resources to recover from.”
Seven Ideas For A Cyber Safe 2015
Here are some cybersecurity recommendations from Jeff Williams, director of security strategy for the Counter Threat Unit at Dell SecureWorks.
Continue to apply security holistically across the entire set of environments. Do this in a manner related to cohesive threat modeling, not from some checklist of items. Understand your enemies, understand your risks and how an attacker would approach their goals, and then apply preventative measures to mitigate those risks.
Recognize that it is not just your corporate and ATM networks that are at risk. Partners, vendors, and others who have access (including network taps in semi-public locations such as branches) represent risk that must be managed.
Understand that it may not be possible to prevent all potential attackers from gaining access to the network, but there are many points during an attack when detection and response to the attack can prevent the larger-scale damage of a breach of customer data. Build and rehearse your incident response process. Ensure you have detection capability and that you understand what "normal" looks like on the network and in transaction flows so you can identify abnormal for investigation.
Not all members require the ability to do wire transfers. Make the default of each account "no wires" and help educate the customer about the risks associated with changing this.
Control physical access to ATMs and IT assets. Monitoring of sensitive hosts should be the norm both on the network and from a physical perspective (e.g., cameras and not allowing unattended access).
Educate staff, vendors, and partners against the risk of spear-phishing. Ensure that there is a robust reporting mechanism for suspected attempts so that response in near-real time is possible.
Understand that attackers already recognize that they have a lower likelihood of being detected by a smaller financial institution than by a large one, which may have hundreds of dedicated security and anti-fraud staff and technology solutions to quickly identify patterns of fraud. This increases the likelihood of a smaller financial institution being a target due to the reduced risk to the attacker.