Recent News

How Social Media Can Compromise Your Company’s Security Posture

Jenn Miller
August 31, 2010

The unbridled use of social media in the workplace represents a growing area of risk to an organization's information security posture. Social media networks present two distinct attack vectors: information leakage and false trust.

Hackers, red teams and experienced penetration testers have used OSINT (open source intelligence style information gathering) for years. But now that social media use has reached critical mass, it is relatively simple to garner information about your company's employees, your organization and even your IT infrastructure. Using social profiles, information parsed from tweets, business directories, job postings, etc., cybercriminals can put together a complete dossier on employees of a target company without any ‘real’ hacking.

Employees most often use social media both at home and at the workplace without differentiating between the two. On social media networks, users create profiles, manage privacy settings, and decide who can and can't view their profiles. This creates a false sense of trust, where an individual feels comfortable disclosing detailed personal information about their life, whether it be relationships, issues at work, contact info, travel plans, or likes and dislikes.

In addition, because they believe they are within a “walled garden,” they are more apt to click on unknown links because they are recommended by a “friend.” Link shorteners can heighten the risk, as a full executable string can hide behind what appears to be an innocuous link. Clicking on an unverified link could lead to a full system compromise if a malicious website is behind it, and it has the potential to introduce viruses and malware to the organization's network.

The complete list of threats and vulnerabilities from social media in the workplace is long. Other examples include: phishing attacks, disclosure of private company info, brand/reputational damage, harassment and privacy violations.

Social media is not going away. More likely, the number of users and time spent on social networks will continue to rise exponentially, and your security risk will rise with it. Here's what you can do about it.

Five Tips to Improve Security against Social Media Threats

  1. Determine if social media use is necessary for your business. The security risk that social media presents for a company is significant. Whether or not to allow its use in the workplace is really a question of risk vs. benefit. If banning it outright seems too draconian, consider limiting use to only the people who need it to perform their job function.
  2. Provide training and security awareness to employees. This should include policies and procedures such as personal use in/out of the workplace, business use, nondisclosure of business content, and disallowed activities (installing apps, playing games, etc.).
  3. Use content monitoring technologies.
  4. Encourage the use of URL lengthening tools like TinyURL to decode and verify shortened links.
  5. Keep your hardware, software, anti-virus, and critical security patches up to date.

Redspin offers penetration testing, security assessment and IT audit services to banks and credit unions. Miller's blogpost may be viewed at www.redspin.com/blog. Reprinted with permission.


Remote Deposit Capture is Focus of New Tech Council White Paper

CUNA Councils
August 24, 2010

Remote Deposit Capture (RDC) promises to extend greater convenience to members while at the same time potentially reducing operational costs and investment in building infrastructure, according to a new white paper from the CUNA Technology Council.

RDC is when a member or business account holder utilizes an optical scanning device, such as a home-office scanner or mobile cell phone camera, to capture (scan) images of checks for deposit, upload them to a computer on site, and through a software application, edit and send the front and back images securely over the Internet to the credit union for processing and deposit.

As noted in “Remote Deposit Capture: Thinking Out of the Branch To Better Serve Members,” RDC is a valuable tool for credit unions that have:

RDC may also prove useful to credit unions that have a small number of branches in comparison to a large field of membership, as is the case with some select employee group (SEG)-based credit unions.

The new white paper covers key points related to RDC and RDC application development, including:

In addition, four credit unions are profiled through in-depth case studies, providing the reader with an understanding of how remote deposit capture functions as well as its primary challenges and advantages.

CUNA Council members are entitled to complimentary copies of these and more than 200 white papers; non-members may purchase the white papers for a price of $50 per copy.

The paper is available online in the white paper section of each council site – select the “Tech” tab.


Study: Financial Management Tools Drive Returns, Relationships

Ray Birch
August 23, 2010

A study reveals that online financial-management tools drive deeper relationships, attract younger members, and return about $40 annually in additional revenue per user.

Cathy Graeber, founder of the Swimming Upstream consulting firm, came to that conclusion after studying the habits of consumers using an online financial management tool and the impact the service has on the financial's bottom line. Graeber studied five credit unions and three banks that use Intuit's FinanceWorks, but believes the results apply to any online financial-management program.

Graeber contended that the key finding from her white paper, titled "The Bottom-Line Impact of Offering Online Financial Management," is that an online financial management tool brings an additional $40 in revenue per user, compared with those members using only online banking. "When we looked at the attrition rates and product ownership and did the calculation, we found there was a $40 variance in net product profit between members that use FinanceWorks compared with online users that do not use FinanceWorks," she said.

With credit unions' limited budgets, that's an important number to know, suggested Graeber. "With all of the online tools to consider adding, like bill pay and mobile, you really want to know the bottom-line benefit before adding a solution."

Credit unions in the study ranged from $1.2 billion to $4 billion in assets, banks from $1.6 billion to $4.3 billion. The case study often refers to data from a $1.2-billion credit union, but Graeber said findings at the credit union were consistent across the seven other financials in the study. Intuit commissioned Graeber to perform the analysis.

Other important findings:

"The main thing we saw is that the use of an online financial-management tool made much more active members," Graeber said. "That's important because every opportunity to get members into your website is a chance to cross-sell. And it gives them the ability to serve themselves, which lowers your costs to serve."

Graeber also pointed out that Gens X and Y consistently, across all eight financials in the study, made up at least half the users of the financial-management program, and in some cases comprised two-thirds of users.

Not only does the study show the advantages of a financial management tool to generate business, it also can be a sound defensive strategy, concluded Graeber. "Besides some of your competitors offering the service, you face third-party sites like Mint and Wesabe who say, 'Don't worry about the bank or credit union and come to us.'"

The white paper can be downloaded at http://www.swimmingupstream.com/.

This article appeared at www.cujournal.com and is reprinted with permission.


Effective Strategies for Credit Card Pricing is Subject of Latest OpSS Council White Paper

CUNA Councils
August 19, 2010

Credit unions have a real opportunity to gain credit card market share from banks today, according to a new white paper by the CUNA Operations, Sales & Service (OpSS) Council. Even before the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act) took effect, big banks were drawing consumers' ire, between the bailouts, their reactions to the economy's effects on their credit card programs and their preparations for the new regulatory environment.

The new paper, “Credit Card Pricing: Effective Strategies for a Post-CARD Act Market,” notes that with a well-designed, competitive value proposition—including pricing strategies that make their cards attractive without posing excessive risk—and a comprehensive marketing/communications plan that trumpets the credit union difference, credit cards can still be a credit union's highest-yielding asset.

This white paper for the CUNA OpSS Council specifically discusses:

It also includes three case studies showing how credit unions' pricing has evolved to fit today's marketplace.

CUNA Council members are entitled to complimentary copies of these and more than 200 white papers; non-members may purchase the white papers for a price of $50 per copy.

The paper is available online in the white paper section of each council site – select the “OpSS” tab.


Regulatory Comment Calls & a Final Rule Analysis

CUNA
August 19, 2010

COMMENT CALLS:

NCUA Proposed Rule on Golden Parachute and Indemnification Payments

The National Credit Union Administration (NCUA) Board has issued a proposed rule for comments on prohibited golden parachute and indemnification payments for all federally insured credit unions (FICUs), including both natural person and corporate credit unions.  Under the proposed rule, FICUs, regardless of their financial condition, may not make indemnification payments to an institution-affiliated party (IAP) for legal and other professional expenses in administrative and civil proceedings by NCUA or a state regulatory agency where the IAP is assessed a civil money penalty, removed from office or made subject to a cease and desist order.  IAPs are defined under section 206(r) of the Federal Credit Union Act (FCU Act) and include a committee member, director, officer, or employee of or agent for an insured credit union and certain consultants and independent contractors that have knowingly violated a law or regulation and caused a financial loss to the credit union.

In addition, FICUs may not generally make golden parachute payments to an IAP if the FICU is: insolvent, in conservatorship, rated CAMEL 4 or 5, or in an otherwise troubled condition. A credit union that has received assistance under sections 208 or 216 of the FCU Act would be considered in a “troubled condition.”

> View Full Comment Call at CUNA.org

Interim Final Rule: Low-Income Definition

The National Credit Union Administration recently adopted an interim final rule.  NCUA amended the definition of "low-income members" to clarify that, in determining a credit union's low-income designation, the comparison of credit union data (whether individual or family data) must utilize statistical data in the same category.  This means, for example, an individual's income must be compared to median individual income and not to median family income.  Comments are due to CUNA on September 20, 2011 and due to NCUA on October 4, 2011.

> View Full Comment Call at CUNA.org

NCUA Interim Final Rule Clarifies Regulation DD Overdraft Protection Rules

The National Credit Union Administration has issued an interim final rule that clarifies the recent final rules amending Regulation DD, the Truth in Savings Act, that changed the disclosure requirements for overdraft protection plans.

> View Full Comment Call at CUNA.org

Interim Final Rule that Extends the Effective Date for Certain Provisions of the CARD Act Gift Card Rules

The Federal Reserve Board has issued an interim final rule that implements an amendment to the Credit Card Accountability, Responsibility and Disclosure Act of 2009 (CARD Act) that was signed by President Obama on July 27, 2010.  This amendment delays the August 22, 2010 effective date of certain provisions of the CARD Act rules that impose restrictions on the fees and expiration dates for gift certificates, store gift cards, and general-use prepaid cards.

> View Full Comment Call at CUNA.org

 

FINAL RULE ANALYSIS:

Fed Adjusts the Amount of Mortgage Fees that Trigger Additional Disclosures Under Truth in Lending

The Federal Reserve Board has announced its annual adjustment of the dollar amount of points and fees that trigger additional disclosures and prohibitions under the Truth in Lending Act for certain mortgage loans.  The dollar amount will be adjusted from $579 for 2010 to $592 for 2011, which is based on the Consumer Price Index.  More info:

> View Full Final Rule Analysis at CUNA.org

 

> Regulatory & Legislative Resources for Council Members

