As phishers lick their chops over credit unions, four CIOs and anti-phishing vendor Cyota sat down last week to survey the e-mail fraud landscape for The Credit Union Journal.
Cyota's FraudAction anti-phishing and anti-pharming solution has attracted more than 30 CUs over the past five months as phishers turn their attention to smaller financial institutions, according to the provider's CEO, Naftali Bennett.
Patelco CU and Capital Communications FCU have recently announced that they are deploying FraudAction. And while FraudAction can't stop phishing attacks, it is an ounce of prevention, said these credit unions.
The roundtable revealed how online fraud could snowball in the coming year and what credit unions can do to react.
At issue was phising, in which fraudulent yet realistic emails lure members to counterfeit websites to enter financial and personal data, and "pharming," in which hackers hijack the credit union's domain name, surreptitiously redirecting members from the credit union website to a fraudulent site.
Below the five members of the panel (biographies can be found on page 18) respond to questions from The Credit Union Journal:
How vulnerable are credit unions to phishing?
Naftali Bennett, CEO, Cyota: Banks have already implemented anti-phishing measures and their customers are becoming sensitized to phishing. So phishing is declining for banks. But for credit unions and small banks, there is a consistent growth rate since January, when there were seven phishing attacks, according to Cyota's Anti-Fraud Command Center. In June there were 54 attacks,
By shutting down phishing sites, FraudAction has shortened the duration of an attack from six days, which is the industry average, to five hours, which is the Cyota average.
How do you expect FraudAction to change the phishing and pharming scene at your credit union?
Rick Rhoads, senior vice president, E-Services, SECU: Previously we spent days taking down phishing sites. Cyota is taking down sites in hours. Cyota has a monstrous black book with ISPs and websites that we just don't have access to. The shorter the amount of time after an attack, the less chance that a member will divulge personal information.
And now that attacks come bouncing in from overseas on a daily basis, its' harder to take down the sites. You've got the barriers of languages and time zones as you work to shut down a site.
Robert Roemer, vice president, Information Systems, Capital Communications FCU: I don't know that any solution is 100% guaranteed against phishing, but you need to position yourself so that you're minimizing your risk as much as possible.
Kevin Doyle, Information Security Officer, PSECU: Fraud- Action has already helped us in the battle against pharming by scanning the Internet for domain names that are variants of our domain name. We already found six URLs registered as variants.
John Shields, vice president, Information Security, Patelco CU: Cyota has reported several registered Patelco-like domain names, which we have taken legal action against and transferring the domain name to our control.
Which of Fraud- Action's features is the slam-dunk against phishing?
Doyle: Cyota's response time to an attack is the slam-dunk.
Rhoads: The trigger for me was the number of fraud analysts that Cyota has. We looked at five different companies. Some of them had five or six analysts. Cyota has 45 analysts. Of all the companies we looked at, Cyota was the 800-pound gorilla. To me it's all about the contacts and how much coverage the company has.
Why has FraudAction attracted so many CUs-nearly 40-in the past four months?
Doyle: We're certainly getting a lot of calls from other credit unions referencing the service. I think phishing is now coming to credit unions. Just the April attack on the NCUA affected thousands of credit unions.
Rhoads: A phisher's dream is to tackle something like the NCUA, because the NCUA is listing more than 1,100 individual state- and federally-chartered credit unions on a drop-down at its website.
Each credit union has had to evaluate how hard it is to internally fight these attacks with their own labor and for long durations of time.
What are the complementary technologies you're considering in the fight against phishing and online fraud?
Doyle: We're looking at different options to improve authentication. One of them is Cyota's eSphinx, a two-factor authentication that uses a challenge-response or phone verification. eSphinx is a better solution than smart cards or tokens, which require consumers to have a different physical device for each bank account they have.
We also believe that member education is important.
We have a link on our homepage so that a member can directly report phishing.
Rhoads: Another complementary product is a fraud detection service similar to Cyota's eVision. We can review all of our online log files and risk categorize them as to where the activity is coming from and what the user is trying to do.
Within 12 or 18 months we'll also have new online authentication on our website.
We may also secure all of our websites with digital certificates. We'll make sure that every site is HTTPs. That's just one more step to make it more difficult, timely and costly for fraudsters if they have to obtain a digital certificate to create a fraudulent site.
What trends do you see in the next year as phishing matures?
Bennett: The first trend is that phishing is moving downstream to small banks and credit unions.
Second, phishers are migrating abroad. It's harder to shut down phishers from abroad.
Third, phishers are using a second element of false identity, such as personal information stolen from a CD-ROM, and then inserting that data into a fraudulent email to gain greater credibility.
Finally, next year will bring more sinister forms of attack-hijack Trojans. This type of spyware waits for you to log in online with a token or a password.
Once you're in the website, the spyware piggybacks on top of you and runs fraudulent transactions.
PARTICIPANTS IN THE ROUNDTABLE
Capital Communications FCU, $415-million in assets, Albany, NY
Robert Roemer, vice president, Information Systems
Phishing Attacks: 0
Cyota FraudAction launch: August
"We're keeping our eyes and ears 24/7 on any phisher who attempts to compromise the credit union brand we've tried to build for the past 50 years."
Patelco CU $3.6-billion in assets, San Francisco
John Shields, vice president, Information Security
Phishing Attacks: 0
Cyota FraudAction launched: June
"If we ever are phished, we hope to have Cyota down the site as quickly as possible."
Pennyslvania State Employees CU $2.3-billion in assets,
Harrisburg, Penn.
Kevin Doyle, Information Security officer
Phishing Attacks: 0
Cyota FraudAction launched: March
"Cyota can shut down a phishing site more effectively and quickly than we ever could."
State Employees' CU $12.6-billion in assets, Raleigh, NC
Rick Rhoads, senior vice president, E-Services
Phishing Attacks: 2
Cyota FraudAction launched: May
"We've got peace of mind knowing that Cyota is the 800-pound gorilla out there stopping some of these people."
Cyota New York
Naftali Bennett, CEO
Provides: anti-phishing and anti-fraud solutions, including Fraud- Action with real-time attack detection, alerts, fraudulent site shutdown, ISP blocking, and forensic work.
"Phishing is growing at a consistent rate for credit unions, whereas it is declining for banks. But FraudAction will not make online fraud go away. It's a prevention mechanism that can reduce the amount of members who might divulge their information as part of a phishing attack."
For more info on this story: Capital Communications FCU at www.capcomfcu.org; Patelco at www.patelco.org; Pennsylvania SECU at www.psecu.com; SECU at www.ncsecu.org, and Cyota at www.cyota.com
