As Breaches Increase, CUs Should Change Communications On Fraud

DENVER — Credit unions need to adjust how they communicate with members and work with them on card fraud issues, say cyber security experts who expect the number of data breaches to increase.


Data security analysts and credit union executives agree that a growing number of cyber attacks will place more work on the backs of financial institutions — requiring a closer relationship with members and customers to combat and cope with fraud.

Analysts say the recent Target Corp. breach that affected about one in three Americans, and similar breaches at Neiman Marcus and reportedly three other retailers, are clear signs fraudsters are stepping up their focus on the United States.

They predict retailers will face more breaches in 2014, and beyond, until the U.S. — the last G20 country to embrace EMV — converts to the new payment standard and retailers tighten security.

Path Of Least Card Security Resistance
Chris Gates, a partner at LARES, a cyber security consulting firm, told Credit Union Journal that the U.S. lacks card security today, which is sending cyber thieves down the path of least resistance.

"I think we will see breaches pick up this year because thieves know that the window of opportunity is closing," said Gates, pointing to Visa and MasterCard's October 2015 EMV liability shift deadline.

He said that among major markets, thieves find it easiest to monetize stolen data in the U.S., since mag stripe cards are easily counterfeited, whereas chip cards are not.

David Kennedy, founder of TrustedSec, a Strongsville, Ohio-based cyber security consulting firm that works with some of the largest retailers, said in a published report to expect a "wave of attacks on the retail industry throughout the year. The Target hack exposed how vulnerable the industry is."

CU execs weighed in, telling Credit Union Journal the situation requires delivering more detailed messages to members before and after fraud attacks, collecting more member e-mail addresses and cell phone numbers and encouraging members to partner with the credit union to detect and stop fraud.

Adjusting Member Communications
Henry Wirz, CEO at the $2 billion SAFE CU in North Highlands, Calif., said his CU is adjusting its member communications.

"I have asked that we include a letter with each reissue to the member explaining to them why we have this reissue problem. Most of the public doesn't fully understand the genesis of these breaches. I want to share with our members, whenever the rules allow us to share, the name of the merchant that was breached."

Wirz also wants to get the word out that the frequency of breaches is increasing and that SAFE thinks that's because merchants do not have the same level of data security that credit unions and other card issuers have.

"We want to emphasize that all of the recent breaches have happened at merchants or their processors," he said.

The letters will also marshal member support for legislation requiring retailers to improve their data security. "We will suggest that members contact their elected representatives and ask them for legislation that requires a certain level of data security at merchants," said Wirz. "We will remind them that credit unions sponsored legislation that passed both houses of the legislature but was vetoed by [former California Gov. Arnold] Schwarzenegger after lobbying pressure from the merchants and their trade associations."

SAFE also plans to suggest that members ask retailers to safeguard their data. "We will remind members that even though we reimburse them for unauthorized withdrawals, any data breach that results in a reissue will mean they have to get a new account number, and that may be inconvenient. The best way to fix this problem is to increase security at merchants or to avoid those merchants who don't have adequate security."

Good Contact Info Is Key
Kevin Shull, CIO at the $767 million 3Rivers FCU in Fort Wayne, Ind., knows that for the credit union to communicate effectively and quickly with affected members following a data breach, it has to have good contact information. "This means gathering more e-mail addresses and cell phone numbers."

The $315 million Sharefax CU in Cincinnati saw trouble coming last year and has made changes.

"The U.S. is a relatively easy mark and these attacks will only escalate since the latest prevention tools have not been implemented," said CEO Arthur Kremer, who noted that data security is one of the credit union's top two priorities in 2014.

"We recently committed to invest in a highly intuitive system through Vantiv to fine tune our blocking response when fraud and data breaches occur. And, when fraud is detected on a particular card, electronic alerts or a phone call are made immediately to alert members that the card is being blocked."

Kremer pointed out that if the decision is made to block, an explanatory letter and a new card are sent immediately. Existing cards are not blocked until the new card is received.

Thomas O'Shea, CEO at Aspire FCU in Clark, N.J., said its process for managing fraud worked well at the $180 million asset institution following the Target breach.

"We upgraded our fraud monitoring tools in the middle of 2013. We ran reports in-house to identify Target transactions and increased our security monitoring on these accounts. To date we have suffered no fraud losses from the breach."

Last year Aspire FCU invested in instant issue, and because of its fraud monitoring system, Aspire didn't have to immediately shut down compromised cards.

"We did finally close all affected cards on Jan. 6," said O'Shea. "These two tools allowed our members to have uninterrupted card usage through a critical holiday shopping weekend. Our members were very appreciative of our proactive posture and immediate action that considered their personal situation."

Craig Hoffman, partner at BakerHostetler in Cleveland, a law firm that also provides cyber crime consulting, said that financial institutions today must possess a sound strategy for blocking and reissuing cards. "I work with a lot of credit unions and I hear member complaints. They appreciate when their credit union is proactive regarding fraud, and when the CU communicates well. On the other hand, they hate learning their card is canceled when their plastic is declined at the grocery store."

Hoffman said that he is uncertain whether the latest data breaches signal that a wave of cyber attacks is heading toward the U.S. this year.

Stephen Boyer, co-founder of the Cambridge, Mass.-based BitSight, a tech firm that rates companies on security breaches, pointed out that data security in the retail sector declined last year.

According to the November 2013 BitSight Insight report, the company noticed a decline in the retail sector's "security posture" in the first quarter of 2013. The report stated that "The sector's security rating failed to rebound in the second or third quarter."

That analysis included Fortune 200 retailers primarily in the brick-and-mortar business, including Target, Walmart, CVS, Safeway and others. BitSight also observed more malicious activity on the retail sector's networks in the second half of 2013.

"We saw an increase in the number of computers that were compromised by an external adversary, with malware that can steal data fields, log keyboard strokes and run arbitrary programs," said Boyer. "We saw an increase in the number of computers compromised in October and November, just prior to some of these breaches."

Boyer emphasized the tough task facing huge retailers with expansive organizations. "It's very difficult to protect every weakness. The retailer, the defender, has to be perfect and close every weakness. The attacker has to exploit only one."

BakerHostetler's Hoffman believes the latest series of cyber attacks indicates that thieves have devised an attack pattern that is working, and believes they will continue the onslaught until "merchants are no longer vulnerable or the Secret Service or FBI finds them and shuts them down."

Connie Trudgeon, VP of operations at CO-OP Financial Services in Rancho Cucamonga, Calif., said the growing number of cyber attacks requires CUs to do a good job communicating to members, as well as establishing 24/7 channels to receive information about compromised cards.

"We are talking about member confidence," said Trudgeon. "When members notice fraud on their accounts, they want to report it immediately to the credit union. I think more CUs need to have some way to accept this information, maybe through their website or home banking, or a call center. It's an issue that needs to be addressed. No matter what people predict is or isn't going to happen, or the fraud prevention solutions that are developed, one thing is certain, fraud is not going away."

