Are Credit Unions Prepared for Maturing Fraud Threats?

(From Credit Union Journal) – As credit unions head into strategic planning season, one topic that might not be getting enough attention is the threat of account takeover fraud.

Account takeover, or ATO, fraud has been around for centuries. People have long been pretending to be someone’s financial advisor or spouse to gain access to the victim’s accounts, but what has made the threat dramatically different today is digital access. Criminals are becoming more sophisticated in their attacks, forcing credit unions to more proactively protect their members.

“If I am a criminal and I can compromise an email account, I can accomplish a lot, starting with changing bank or credit union passwords,” said Jeremiah Cruit, Director of the Cyber Threat Center at DefenseStorm, a cybersecurity firm based in Seattle. “I might not be targeting a credit union account, but once I start reading someone’s email I can find information that leads to the account.”

Account takeover fraud is on the rise. The number of people who had a mobile phone account taken over increased by more than 78% from 2017 to last year, according to Javelin Strategy & Research.

While many FIs are using multifactor authentication, including sending text messages, Cruit said such a step is becoming less secure because a cellphone number can be changed by the bad guys. Email is “the key to everything,” Cruit said. If someone’s email account is compromised, from it criminals can figure out phone numbers, account numbers, types of accounts and how to change passwords.

“I can call the credit union’s phone bank, request a phone number change and/or a password reset. Once one is changed, it becomes much easier to take over an account,” Cruit explained.

John Buzzard, an industry fraud specialist for CO-OP Financial Services, said online banking is a common target for ATO fraud. Taking over a member’s account could be as simple as a brute force “credential stuffing” attack, during which cybercriminals direct a stream of potential passwords against a known user ID until the correct password is derived.

Consumers often also select easily hacked passwords or use the same passwords for their bank account as other sites, experts said.

“This is not that difficult, considering how many consumers are using abysmal password choices such as ‘11111111’ or similarly unsecure choices,” Buzzard said.

Once criminals have identified login credentials that work, they next move on to actually taking over the account, said Trace Fooshee, Senior Analyst in Aite Group’s fraud and anti-money-laundering practice.

Sean Murphy, Chief Information Security Officer for the $20 billion-asset BECU in Tukwila, Wash., said from an information security perspective, the difference between ATO fraud and other forms of fraud is the “targeted nature” of the attack.

“Many cybersecurity criminals use attack strategies that cast a wide net,” he noted. “Once the attacker gets a set of valid credentials, or just a part of a set, they may take on a more targeted attack against an individual.”

Fighting Back

Credit unions can take certain steps to combat account takeover fraud. Fooshee recommended investing in authentication and identity verification controls.

“While many financial institutions have pretty robust control frameworks already in place, I am afraid we are in a new era in which we are going to have to pay much more attention to keeping current on the latest tools and practices that help to compensate for the increase in fraud stemming from stolen, altered, or synthetic identities,” Fooshee said.

CO-OP’s Buzzard advised CUs to be aware that takeover fraud usually has a “rhythm” to it. Criminals gain access and then change the member mailing address, followed by a new card and PIN request.

“Being able to recognize this cadence is incredibly helpful in slowing down criminals through the use of stronger verification practices,” Buzzard said.
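The cadence Buzzard describes can be expressed as an ordered-sequence check over per-member account events. The sketch below is an added example, not code from the article or from any vendor named in it; the event names, member IDs, sample events and the 10-day window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The cadence from the article: access, then address change, then card/PIN request.
CADENCE = ("login", "address_change", "card_pin_request")
WINDOW = timedelta(days=10)  # assumed look-back window; tune to your own data
# Constructed sample events (timestamp, member_id, event_type); not real data.
SAMPLE_EVENTS = [
    ("2019-08-01T09:12:00", "M-1001", "login"),
    ("2019-08-01T09:15:00", "M-1001", "address_change"),
    ("2019-08-03T14:02:00", "M-1001", "card_pin_request"),  # full cadence in 3 days
    ("2019-08-02T10:00:00", "M-2002", "login"),
    ("2019-08-02T10:05:00", "M-2002", "card_pin_request"),  # no address change
    ("2019-06-01T08:00:00", "M-3003", "login"),
    ("2019-06-01T08:10:00", "M-3003", "address_change"),
    ("2019-08-05T16:30:00", "M-3003", "card_pin_request"),  # outside the window
    ("2019-08-04T11:00:00", "M-4004", "card_pin_request"),
    ("2019-08-04T11:30:00", "M-4004", "address_change"),    # wrong order
    ("2019-08-04T11:45:00", "M-4004", "login"),
]

def find_takeover_cadence(events, cadence=CADENCE, window=WINDOW):
    """Return {member_id: [datetime per cadence step]} for members whose
    events contain every cadence step, in order, inside the window."""
    by_member = defaultdict(list)
    for ts, member, kind in events:
        by_member[member].append((datetime.fromisoformat(ts), kind))
    hits = {}
    for member, evs in by_member.items():
        evs.sort()  # chronological order per member
        for i, (start, kind) in enumerate(evs):
            if kind != cadence[0]:
                continue
            matched = [start]
            for ts, k in evs[i + 1:]:
                if ts - start > window:
                    break  # later events fall outside the window for this start
                if k == cadence[len(matched)]:
                    matched.append(ts)
                    if len(matched) == len(cadence):
                        break
            if len(matched) == len(cadence):
                hits[member] = matched
                break
    return hits

if __name__ == "__main__":
    for member, steps in find_takeover_cadence(SAMPLE_EVENTS).items():
        print(member, "-> hold card/PIN request for stronger verification:", steps[-1])
```

A match is a reason to route the final card and PIN request to stronger verification, not proof of fraud, since members who move house produce the same sequence.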

In terms of technology, Buzzard said it is always a good idea to “marry” practices and technology tools together, such as device and IP profiling with biometrics.

“The idea is to find some strong workhorse products that validate as many data points as possible before you even have to perform a manual review,” he added.

Cruit of DefenseStorm recommended viewing attacks from the perspective of multiple systems – including online banking and transaction data – and then linking the patterns. Cruit said many larger CUs are able to track such trends in-house, but many smaller CUs need a vendor partner.

CUs should be pushing for stronger multifactor authentication, Cruit continued. He recommends having the mobile app send pop-up alerts rather than a text to a cellphone number.

“Too many credit unions rely on text messages to phone numbers,” he said. “The mobile app is linked to the cellphone itself, while SMS can be redirected to a different number.”

BECU’s Murphy said that, like all financial institutions, his credit union faces “constant attack,” with employees as the first line of defense. The credit union trains its teams to be on the lookout for suspicious emails and social engineering attempts over the phone.

“We back up our employees with tools and technology that help identify account creation that is considered risky based on an industry-recognized scoring system,” he said. “Those accounts that reach an undesired threshold risk score are investigated or prevented from opening.”

BECU maintains “stringent” verification policies and processes, Murphy said, along with controls on what information may be shared via certain channels. It also controls which employees have access to specific data.

According to Murphy, CU strategic planning sessions must address all aspects of ATO fraud: people, processes and technology.

“The caution is: technology alone cannot stop the attacker,” he said. “Next-gen technologies will be necessary as systems, which have been reliable for years, become obsolete. Phone call location analytics, biometrics, and device intelligence with machine learning will be powerful tools going forward.”