Weak Link In Security? Your Members. Here's What You Can Do
Credit unions have been beefing up security on their side in an attempt to validate that it is, in fact, the member who is trying to make an online transaction, not a criminal who has stolen the member's identity. Many have added a "challenge question" to the login process. Here are three reasons why credit unions need to change their focus from "How do we know it's the member?" to "How does the member know it's us?"
Continuous Partial Attention
Do you really pay complete attention when someone is speaking to you? Or are you constantly scanning incoming alerts for better opportunities: the phone, the PDA, Instant Messaging, e-mail, other people?
Former Microsoft vice president Linda Stone coined the term "continuous partial attention" to describe the way we cope with the barrage of communication coming at us. With a continuous partial attention mindset, we rarely pay complete attention to anyone or anything. And with this mindset, we sit down at our computers, only partially mindful that criminals can use highly refined technical deception and social engineering techniques to lure us into disclosing sensitive data for purposes of identity theft.
The member who is checking e-mail, listening to music, surfing, chatting and making a phone call more or less simultaneously is not sufficiently focused to determine if a website is potentially a malicious one. Experienced "power users" of the Internet are unable to identify fraudulent Web sites 100% of the time, even when they have been primed to look for them.
The Appliance Mindset
When was the last time you updated your refrigerator to optimize its performance? What kind of maintenance do you perform on your stereo when you turn it on?
The ubiquity of computers, particularly home computers, has led users to regard them as appliances, and treat them as such. When we buy an appliance, we plug it in, make some initial settings, and use it until it breaks or until we want a different set of features. Robust computer security includes a firewall, anti-virus, anti-spyware, and phishing protection.
All of this software needs to be updated continually with the latest definitions, and users need to make sure their browsers and operating systems are running the latest security patches provided by the manufacturers. Rare is the home user who has all of the right software and keeps it updated.
As such, they are targets for criminals who exploit the vulnerabilities in software to access their computers via some backdoor or new technology.
How does it work? Who knows? How many users know how computers work? Their refrigerators? CD players?
Although the argument can be made for the importance of knowing how things work, it is generally agreed that criminals are not making concerted efforts to steal or poison the food in our refrigerators from remote locations, and the absence of music does not put us at substantial risk.
Continuous partial attention to the task at hand, inattention to computer security and lack of knowledge about the portal to the world that we open every day: These factors create the perfect environment for online fraud.
Worldwide, online theft is the fastest growing crime. It presents an immediate threat to credit unions by making members wary of using your websites. It diminishes your ability to maintain a Web-based connection with members; it lowers member satisfaction and hampers efforts to promote an expanded range of online services available to members. Long term, it serves to undermine your members' and the general public's confidence in the Web-based commerce that benefits credit unions with low-cost, high-touch transactions.
A Disruptive Technology
Online fraud, like the Internet itself, is a disruptive technology: an innovation that changed the fundamental way in which we do business and caused us to re-think basic assumptions about "the way things work."
Despite the obvious need for effective preventive action, the credit union industry has been responding to this "disruptive technology" with actions based in "sustaining technology." It has made incremental moves, such as member education.
Yet, as the complexity and sophistication of online theft scams increase, consumer education becomes less impactful. Consumer education and recovery services after the fact are even less impactful.
Law enforcement, business, consumer groups and academia all agree that the weak link in the chain is the end-user; in credit union parlance, your member. Right or wrong, members count on their credit unions to ensure that their financial transactions are safe.
In the information age, we count on experts to filter for us. An effective defense must be implemented on the member's side and credit unions would be wise to help their members defend themselves against online fraud... before it occurs.
Jess Kalish is the director of corporate and technical communications for iS3, makers of STOPzilla anti-spyware and ANTIfraud. She can be reached at jkalish
LETTERS TO THE EDITOR
Credit Union Journal encourages reader feedback. Letters to the Editor can be sent to Managing Editor Lisa Freeman at lfreeman