Advances in Electronic Fraud Require New Techniques to Protect Credit Unions

CUNA Mutual Group
July 6, 2009 | COMMENTS

Credit unions, their members, and third-party providers of electronic funds transfer services need to improve their online security due to advances in online fraud involving personal and financial institution computer systems. Electronic fraud losses are caused primarily by consumer account compromises through online banking systems and system intrusions at third-party providers of electronic services.

“Phishing scams have become a mainstream activity for fraudsters,” says CUNA Mutual Group risk manager Ken Otsuka. “Consumers continue to be duped by this e-mail scam and provide their account numbers and online banking passwords.” Account compromises occur when members respond to phishing e-mails by clicking on embedded links that take them to bogus websites that imitate the credit union's website.

“The branding is remarkably good, and consumers are fooled into providing their account numbers and online banking passwords,” he adds. “In addition, they might also provide other personal information that would allow the fraudsters to open accounts using their victim's personal information.”

Other contributing factors to account compromises include 1) successful social engineering attempts by fraudsters to have consumers' online banking passwords reset, and 2) consumers' computers infected with malicious keyloggers, which monitor keystrokes and return the data to the fraudsters. Otsuka urges credit unions to increase controls over requests for password resets and to notify members of the importance of using up-to-date antivirus and anti-malware security programs to protect their computers.

Once a fraudster hacks into a consumer's account, funds are transferred to accounts at other financial institutions using the bill pay, ACH, or wire transfer service offered through online banking.

“It's important for credit unions, corporate credit unions and third-party providers of electronic funds transfer services to adopt suitable authentication methods to prevent costly unauthorized transactions,” he says.

The common multifactor authentication method that involves a computer's Internet Protocol (IP) address and challenge questions is no longer reliable due to the risk of malicious software infecting the computer or an entire system. For example, if the keylogger resided on the member's computer at the time they enrolled for online banking, it would return the member's username, password, and answers to the member's challenge questions.

Credit unions should to take the following steps to help reduce electronic fraud:

• Take advantage of the authentication method third-party providers of electronic funds transfer services offer.
• Restrict IP addresses of credit union users with third-party vendors.
• Adopt multifactor authentication, such as tokens.
• Implement monetary transaction limits for third-party ACH credit files and wires.
• Implement monetary transaction limits for online payment services.
• Avoid resetting member online banking passwords based on telephone requests from members.

Members also play an important role in reducing fraud. Otsuka recommends credit unions pass along these tips to members:

• Install up-to-date software on home computers to prevent infection from viruses, spyware and malware.
• Use strong passwords with a minimum of seven characters, alphanumeric, and include special symbols (such as, !,@,#,$,%,<,/).
• Never use computers accessible to the public, such as in libraries and hotels, to access accounts.
• Be careful when using a wireless network—make sure it's secure before accessing accounts online.

Additional loss mitigation and prevention information, guidelines and RISK Alerts are available to CUNA Mutual policyholders in the company's  Protection Resource Center.

CUNA Mutual Group provides financial services to credit unions and their members. For more information contact Rick Uhlmann at 608-231-8940 or rick.uhlmann@cunamutual.com.