Multifactor authentication laws are a red herring that are distracting credit unions from critical fraud threats, say some credit unions and analysts.
"We've not had one dispute nor instance of fraud in the four years we've offered online banking, bill payment and account-to-account transfers," said Vonda Burkhart, CFO at the $51-million Employees CU in Dallas.
"It's true that most identity fraud occurs in the offline world," added Tripp Johnson, a senior director at Scottsdale, Ariz.-based Cornerstone Advisors.
Less than 10% of identity theft starts at online retail and banking sites, according to last year's consumer poll conducted by Pleasanton, Calif.-based Javelin Strategy & Research and sponsored by CheckFree, Visa, and Wells Fargo.
Yet most credit unions are racing to implement layered authentication in efforts to meet FFIEC and NCUA year-end security deadlines, according to surveys by Callahan & Associates and the CU Information Security Professionals Association. "Everybody is panicking about multifactor authentication when maybe there's no reason to," said Burkhart.
The real problem is plastic, not the Internet, said Charles Bruen, CEO at $600-million First Entertainment CU in Hollywood, Calif. "I'm taking hundreds of thousands in losses on debit cards," Bruen explained. "Meanwhile, fraud on credit union homebanking sites is almost non-existent. Our focus should be on these debit card losses rather than the distraction of authentication."
The FFIEC and NCUA guidance is misguided, Bruen continued. "The regulators are telling me to spend my time on multi-layered authentication, but this issue seems to be another case of wrong-headed regulatory involvement. They have everyone focused on a non-problem while the building is burning elsewhere."
Burkhart echoed Bruen's sentiments. "Our members are scared about all the card losses, not online services theft," she said. "My first task next week is to file with my bonding company all the losses I've taken with my cards. I still don't have one loss with bill payment or account to account transfers."
NCUA declined to comment. CUNA Mutual Group has repeatedly noted in recent months it is seeing significant losses from plastic fraud.
The $35-million Retail Employees CU figured that implementing layered authentication couldn't hurt, according to Karyl Boyd, website administrator at the Atlanta-based CU. "In times when identity theft is burgeoning, I would rather have extra security than too little when extra cost-effective methods are available," Boyd said.
Retail Employees CU has controlled log-ins with the Cavion Plus Software Token Authentication since March.
In contrast, Employees CU "isn't doing a thing" this year to meet the authentication guidance, said Burkhart. "I'm taking the simple, stupid approach-I don't make it complicated if it doesn't have to be. We beat security to death here. We already have strong controls and parameters in place for online services. I feel that I'm in compliance with the NCUA guidance right now. Other credit unions might not be thinking of what they already have in place that meets the requirements."
ECU may consider additional online authentication as the market matures, she added.
CUJ Resources
For info on this story:
* Employees CU at www.ecudallas.org
* First Entertainment CU at www.firstent.org
* Retail Employees CU at www.recu.org
* Cornerstone Advisors at www.crnrstone.com
* Cavion Plus at www.cavionplus.com.
