They’re No Butch and Sundance

Today’s criminals target the weakest parts of an institution’s security. Where can credit unions better protect themselves?

Aaron Pugh


Security for customers and employees is a top priority at any institution, and credit unions have set the bar high in deploying the latest prevention and protection methods. Standard practices such as insurance and fraud detection services limit the financial damage such crimes inflict, but credit unions must defend multiple fronts to maintain their information security as well as their funds.

Physical Crimes
As the economy gains a strong footing once more, the rate of physical crimes at financial institutions reported to the FBI has increased annually (1,310 in 3Q10 from 1,184 in 3Q09). Credit unions bucked this trend with a decrease in crime from  2009 levels, but their smaller size has not completely shielded the industry from risk. Roughly one credit union was still the victim of a robbery for every 12 commercial banks robbed during the third quarter.

One way to minimize risk? Nontraditional branch structures such as remote teller units have an advantage; only 24 in-store and three remote/other facilities were robbed compared to more than 1,200 branch offices. 

Cyber Crime
Levels of cyber crime committed through phishing, Trojans, rogue programs, and crimeware has skyrocketed in recent years, with perpetrators often acting from overseas locations. “Cyber crime is organized crime” says Banktech in Three Ways to Deter Cyber Crime. “Internet fraudsters have created an end-to-end supply chain to advance malware attacks and the online vector used to efficiently deploy them.”

To counter these efforts, financial institutions must update technologies and analyze weaknesses as often as the criminals who seek to exploit them. Such criminals use “trojans and other malware, like man-in-the-browser attacks that are difficult to detect, hijack the transaction inside of a browser session, and subsequently attack the application and database on the server." A majority of the top 100 banks in the United States have experienced these types of attacks before, but credit unions are also likely targets.

E Tu, Brute?
The largest U.S. banking security breach in history, according to, is also an extreme example of the most common threat many financial institutions face: internal risk from employees.

In the aforementioned case, “suspects manually built a database of the 676,000 accounts using names and Social Security numbers obtained by the bank employees while they were at work.

“The information was then allegedly sold to more than 40 collection agencies and law firms. Suspects pulled up the account data while working inside their banks, then printed out screen captures of the information or wrote it out by hand.”


March 3, 2011


  • Your article might have pointed Credit Unions to processes and standards for helping them implement security programs actually based on risk, current and anticipated threat models and sound rational controls. Items in the information security world, like the SANS Consensus Audit Guidelines (CAG) and the MicroSolved 80/20 rule of Information Security are great, easy to leverage and effective tools for designing CU infosec plans that actually work.

    CU's today should not be worrying so much about outlier threats and yesterday's breaches, as much as getting the basics right and doing the basics in repeatable, ongoing fashion. The basic controls and security processes will have a far better payoff for their risk reduction than being focused on outlier threats. If they don't have or don't know how to properly use basic controls (which many do not), then they have little to no chance of combatting outlier, bleeding edge threats.

    Get the basics down right. Get help getting them right. Test repeatedly to make sure they are right. That's the CU path forward.
    Brent Huston