As Cybersecurity Awareness Month draws to a close, Credit Union Journal turned to a panel of experts to get their take on a simple question with no easy answers: What's the next big cybersecurity threat for credit unions – and why? Read on for a sampling of their responses.

This slideshow was updated at 1:28 P.M. on Oct. 30, 2018.

Carlos Molina, senior consultant in risk and compliance solutions at CUNA Mutual Group

According to recent estimates, there will be as many as 3.5 million unfilled cyber security positions by 2021. The lack of experienced cyber security professionals needed to keep pace with the constant rise in cybercrime is a risk sure to affect the credit union industry.

Cybercrime is predicted to cost the world $6 trillion annually by 2021. Cybercriminals are poised to take advantage of understaffed and inexperienced cyber security personnel. This high-risk vulnerability potentially places credit unions directly in the crosshairs of a cyber-attack resulting in a data breach, which could have devastating financial and reputational impact.

The rate of technological advancement will continue to place more focus on skills and resources of credit union employees, including cybersecurity personnel. The impact and disruption caused by emerging technologies emphasizes the need to recruit and cultivate talented people to help mitigate the constant emergence of risk.

Credit unions need to be creative in their recruitment strategies to confront this shortage of talent head on. Executive leadership, human resource departments and existing information security employees should create a collaborative, compelling approach toward not only attracting top talent, but also retention and cultivation from within.

Historically, candidates for cybersecurity positions were judged solely on formal degrees, certifications and definitive experience timelines. While all these factors are important, they do not always translate into a good fit for a credit union. Assessing a candidate’s soft skills such as commitment to personal development, an understanding for analytics and process, and ability to collaborate may reveal more about that individual’s potential to excel within the role.

Finally, credit unions should not ignore their current employee base when searching for cybersecurity talent. Leveraging existing skillsets, interest in the subject matter, and an understanding of the credit union's culture and core business objectives may uncover an employee’s willingness to seek a new career path.
Julie Esser, chief engagement officer at CULedger

In 2017, there were 16.7 million fraud victims in the United States, which cost more than $16.8 billion in losses across all industries. Within the financial industry, Cornerstone Advisors found that 46 percent of bank and credit union CEOs ranked cybersecurity as their number one concern for 2018. Positive authentication through any member interactions is one of the most crucial elements of a strong cybersecurity program.

As credit unions explore authentication as a cybersecurity initiative, one of the most important areas to focus is digital identity, since confirming a member’s identity is the first step of any transaction. Distributed ledger technology (DLT), commonly known as blockchain, can verify identity through digital channels using a self-sovereign digital identity through the consumer’s financial institution. This use of DLT gives individual members control over their personal identifiable information and can create a truly secure and private flow of information, eliminating the current siloed identity method.

A primary advantage of DLT is its inoperability; information or transactions conducted through a ledger cannot be changed. The ledger is a database that is spread across several nodes or computing devices, each replicating and saving an identical copy of the ledger, updating independently. In order to corrupt a ledger, hackers would have to corrupt more than half of its nodes simultaneously, which makes systems based in DLT unattractive targets for fraudsters. Credit unions should look into using private ledgers particularly, since these are secure networks to use for sensitive transactions. Distributed ledgers based on permissioned access are fundamentally different than permission-less or proof-of-work ledgers, such as the ledger supporting Bitcoin. The security, low cost, inoperability and convenience make DLT a valuable technology for financial institutions to use when developing digital identity solutions.
Keaton Tanzer, business development manager at the Cheney, Wash.-based Rivial Data Security

With the advent of Amazon Web Services (AWS), credit unions across the country have chosen Amazon’s platform as their preferred outsourced data center host. Many are using AWS to host their servers, their data or build web applications – and AWS is quickly becoming one of the largest organizations responsible for sensitive data.

As we’ve seen with every cyber criminal trend, attackers generally select their targets based on where the most sensitive data is. With so much critical data hosted by AWS, I can imagine we’re going to see heightened attack levels against these servers – both in quantity and sophistication.

Luckily, there’s a lot credit unions can do to ensure Amazon is taking the proper measures to keep their data secure.

· It starts with having a good vendor management program in place. As you would with any other vendor, request a SOC report and have a qualified security personnel member review it for your organization. Make sure Amazon and other vendors are holding up their end of security.

· Don’t assume security is managed by Amazon and make sure you understand your institution’s responsibilities for security as an AWS customer. For example, MFA and encryption are not turned on by default. These are protections you, the customer, are responsible for enabling.

· Ensure AWS accounts are managed securely. Concepts like role-based access, least privilege, account reviews, all still apply in AWS.

· Turn on monitoring and event logging, using services like CloudTrail. Enabling logging for S3 buckets, file validation, etc. across geographic regions will give you a fighting chance at identifying nefarious activity.

· Lastly, you not only want to make sure your data is safe, but available whenever you need it. Use SLAs to ensure there are minimal service disruptions. This way, if there is a disaster, your data is not unavailable for long.
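One way to turn the AWS checklist above into a repeatable check, as an added example that is not part of the article or Rivial Data Security's own material: the functions below evaluate a snapshot of account state against the points raised (MFA not on by default, a multi-region CloudTrail trail with log file validation, S3 default encryption and access logging). The snapshot is constructed here and shaped like the corresponding boto3 responses (`get_account_summary`, `list_mfa_devices`, `describe_trails`, `get_bucket_encryption`, `get_bucket_logging`), so it runs offline; in a live audit you would fill it from those calls.

```python
from typing import Dict, List

def audit_mfa(summary: Dict[str, int], users: Dict[str, List[dict]]) -> List[str]:
    """Root and every IAM user should have an MFA device; AWS does not enable this for you."""
    findings = []
    if not summary.get("AccountMFAEnabled"):      # get_account_summary()['SummaryMap']
        findings.append("root account has no MFA device")
    for name, devices in users.items():           # list_mfa_devices(UserName=name)['MFADevices']
        if not devices:
            findings.append(f"IAM user {name} has no MFA device")
    return findings

def audit_cloudtrail(trails: List[dict]) -> List[str]:
    """Want at least one multi-region trail with log file validation; flag what each trail lacks."""
    if any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled") for t in trails):
        return []
    findings = ["no multi-region CloudTrail trail with log file validation"]
    findings += [f"trail {t['Name']} covers only one region" for t in trails if not t.get("IsMultiRegionTrail")]
    findings += [f"trail {t['Name']} lacks log file validation" for t in trails if not t.get("LogFileValidationEnabled")]
    return findings

def audit_buckets(buckets: Dict[str, dict]) -> List[str]:
    """Each bucket should have default server-side encryption and access logging (both off by default)."""
    findings = []
    for name, cfg in buckets.items():
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        if not rules:                              # get_bucket_encryption() empty or not found
            findings.append(f"bucket {name} has no default encryption")
        if "LoggingEnabled" not in cfg.get("Logging", {}):   # get_bucket_logging()
            findings.append(f"bucket {name} has no access logging")
    return findings

def run_audit(snapshot: dict) -> List[str]:
    """Combine all checks into one list of findings for the vendor/account review."""
    return (audit_mfa(snapshot["SummaryMap"], snapshot["MFADevices"])
            + audit_cloudtrail(snapshot["trailList"])
            + audit_buckets(snapshot["Buckets"]))

# Constructed snapshot of a weak account state (account id and names are placeholders).
SNAPSHOT = {
    "SummaryMap": {"AccountMFAEnabled": 0},
    "MFADevices": {"ops-admin": [{"SerialNumber": "arn:aws:iam::111111111111:mfa/ops-admin"}],
                   "deploy-bot": []},
    "trailList": [{"Name": "main", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}],
    "Buckets": {
        "member-docs": {"ServerSideEncryptionConfiguration": {"Rules": [
                            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                        "Logging": {"LoggingEnabled": {"TargetBucket": "audit-logs"}}},
        "legacy-exports": {"Logging": {}},
    },
}
```

Running `run_audit(SNAPSHOT)` on the constructed state yields six findings: root and `deploy-bot` without MFA, the single trail lacking log file validation, and the `legacy-exports` bucket without encryption or logging.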

Kimberly Little Sutherland, senior director, fraud and identity management strategy, LexisNexis Risk Solutions

The next big cybersecurity threat that will cause more fraud to occur at credit unions is “money mules.” A money mule is defined as a person either intentionally or unwittingly opening an account that can be used to exit illicit funds. This activity represents a significant type of fraud occurring globally. The U.K. National Crime Agency estimates the value of this problem to be in the hundreds of billions of pounds in the U.K. and two to three times that much globally. Credit unions are just as susceptible as any other type of financial institution, and may be at even higher risk because this concept appears to be less of a focus in the U.S. Credit unions are targeting younger and more diverse clientele – the same audience that is at higher risk of being involved, often unknowingly, in this criminal activity. Money mule activity is equal parts fraud, cybersecurity and money laundering risk, which makes it hard to detect and prevent. Credit unions can step up their game in detecting hidden fraud that may only be uncovered through forensic analysis of entity networks in the combined physical and digital world.

Vijay Pullur, CEO of ThumbSignIn

Credit unions face a unique challenge when it comes to protecting consumer data and financial information. The uniqueness comes from the fact that they possess the same kind of sensitive customer information as large banks and other financial institutions, but operate on limited IT budgets and resources. Credit unions have flown under the radar of attackers primarily because the volume of data they carry is limited compared to larger institutions. However, this may not remain the case for much longer due to sophisticated technologies being deployed and the cost of hacking systems by rogue actors being significantly decreased. CIOs and CISOs are constantly making trade-off choices when it comes to deploying security software.

The good news is that new technology innovations based on behavioral analysis, machine learning, AI and biometric security give them hope for achieving the highest levels of security under constrained budgets. The key to successfully preventing future attacks is a three-step process:

1. Categorizing threats by origin: network and infrastructure, third-party software and custom developed applications, compromise of employee laptops and devices, and breaches due to poor password practices of consumers. Conducting audits and assessments of internal systems and processes with respect to each of the above and creating a readiness scorecard.

2. Creating a stepwise improvement roadmap, starting from the weakest system and working to the strongest, based on the scorecard.

3. Adopting newer intelligent technologies and deploying them in stages to prevent attacks proactively.

The cyber security threats looming over credit unions are greater than ever now. Proactively adopting new technology innovations is a key to success in preventing these attacks.
Frances Zelazny, chief strategy and marketing officer at BioCatch

Credit unions are not dissimilar from banks when it comes to cybersecurity risk – regardless of their obvious organizational differences. They too will have to pivot their strategies in order to keep up with the challenges associated with managing digital identity, preventing fraud and offering good user experiences to their customers online. The cyber threat landscape is very dynamic, making it difficult to find the right balance. The largest threats today - synthetic ID and account takeover - are driven by the continuous data breaches. And faster payments will make the problem even worse. We know from our experience in the UK that faster payments equals faster fraud. Putting this all together means that credit unions, like banks, need to adopt real-time techniques for distinguishing between legitimate users and fraudsters, techniques that don’t rely on static means of authentication, or tactics that are easily bypassed or replicated. This requires a different way of thinking because today’s fraudsters have figured out how to circumvent the login barriers. Credit unions should heed the lessons learned from the banks and quickly adapt.

Derek Laczniak, director of cyber liability at M3 Insurance Solutions

Cybersecurity continues to be an evolving threat that affects organizations of all shapes and sizes. Unlike any other area of risk management, cyber breaches have what appear to be a never-ending climate of sources and threat areas. As risk management professionals across the world look to predict what will be next, one area that appears ripe for increased exposure comes from a source that is not new.

Data security is governed by individual states through legislation that has been passed by all 50 states. State laws have been popping up dating back to 2003, when California passed the initial data security law. Since then, all remaining 49 states have passed similar laws with varying degrees of governance and oversight. The one common component of these state laws is that the majority contain a requirement that organizations, both public and private, must notify the state’s attorney general in the event of a data breach. Further, the laws all apply to affected individuals within that state, without any concern for where the organization that suffered the data breach is actually located. These laws provide almost exclusive regulatory authority to the state’s attorney general in investigating these matters and grant them the ability to fine and penalize as a result of these investigations.

In the last three years there has been an alarming number of notifications taken up by states’ attorneys general investigating reports of data breaches. Landmark settlements with attorneys general in some of the larger, more public data breaches (such as Target, Yahoo and Equifax) suggest that states’ attorneys general are becoming increasingly active in this area and looking to enforce the regulatory authority they have been granted.

Giles Ring, cybersecurity operations manager at Virginia Credit Union

Looking forward, credit unions and other financial institutions should expect to see no slowdown of cyber attacks, and the threat is certainly not limited to the financial sector. All organizations must keep cybersecurity and the threat landscape top of mind. While attackers will continuously adapt their techniques and improve the efficacy of their tools, their motives – financial, political, or otherwise – will likely remain unchanged. This is evidenced by the success of recent ATM jackpotting campaigns, SWIFT attacks, business email compromise/CEO fraud, and continued ransomware and cryptojacking campaigns. The financial impact of these attacks is staggering, but the techniques used often involve just more sophisticated delivery of known techniques, such as social engineering or vulnerability exploitation. This level of skill combined with an evolving attacker mindset – of being more patient, evading detection and becoming increasingly familiar with target organizations’ environments – makes them an even greater challenge to defend against. Credit unions looking to protect themselves and their members from these ever-evolving adversaries must keep abreast of current threats and trends in cyber attacks. Ultimately, the manifestation of the “next big threat” may be unpredictable, but the means by which our adversaries carry out their operations are likely to be more of the same, with a continued increase in sophistication and efficacy of attack.

Tim Mielak, chief information security officer at Michigan State University Federal Credit Union

A few things that are early in their lifecycles, with respect to credit unions, but may emerge as more significant threats in the future are synthetic identity fraud, internet of things (IoT) malware and services related to right of access.

Credit unions may face an uptick in the frequency and amount of credit fraud using synthetic identities in the near future. Traditional point-of-sale fraud committed with stolen credit card information is effective, but can have a high failure rate because of modern anti-fraud capabilities. Account services and loans using synthetic identities, constructed with real and typically stolen social security numbers, can be more difficult to detect and result in higher losses for credit unions.

Wearable payment options and voice-controlled personal assistant services will likely increase the public’s comfort with and general usage of IoT devices. The primary risk with IoT is weak default security. If the adoption of these devices outpaces the maturation of IoT security measures, the value of developing IoT malware for purposes such as account takeover and personal data theft will be high enough to make it attractive to financially motivated threat actors. As a result, credit unions may see an uptick in IoT-related fraud and data theft.

With new legislation beginning to emerge in the United States similar to the European Union’s General Data Protection Regulation, credit unions may be required to provide right-of-access services to third parties that do not have established or regulated cybersecurity programs. As a result, there may be an increased risk of data loss through these inexperienced third parties and their services.

Alissa Knight, senior analyst at Aite Group

As credit unions integrate with third-party cloud applications, this creates a new attack surface that many credit unions are unaware of as they focus their attention on traditional cybersecurity controls, such as firewalls and intrusion detection systems. Many credit unions are developing application programming interfaces (APIs) for integration with third-party suppliers, ultimately underpinning their new connected business models and delivering on new initiatives, such as open banking. APIs enable developers to create applications that can interact with third-party proprietary applications. APIs are effectively a “middle man” that allows third parties to insert, modify or read data from the proprietary application. Because this is a relatively obscure and rare attack vector for credit unions, it can leave them unknowingly exposed, which can effectively result in a backdoor into their network and customer account data.

As credit unions secure the other more traditional attack vectors, hackers are increasingly shifting their focus to exploitation of poorly secured APIs – many of which don’t even require authentication. That was the case in the compromise of Panera, which resulted in a breach impacting more than 37 million payment cards.

Exploitation of APIs typically affects:

1. Availability, through denial-of-service attacks as a result of developers failing to sanitize user input

2. Malicious code injection using JSON web tokens

3. Data leaks or man-in-the-middle (MiTM) attacks as a result of no encryption being used between the API and server

4. Session cookie hijacking