Fraud—the intent to trick people out of their wealth—is as old as humanity. The means for achieving it, however, are becoming ever more sophisticated.
“While phishing remains a typical fraud technique in the online world, where fraudsters collect confidential information by luring people to legitimate- looking bank or credit union websites, other techniques have improved,” says Jim Fenton, chief security officer at OneID, a CUNA Strategic Services alliance provider. “For one thing, fraudsters are creating better-craft ed messages. Early fraudulent messages were easy to detect because of bad grammar and syntax. That’s not the case now.
“Other forms of attack,” he continues, “include ‘man in the browser’ malware where a user is induced to install a browser add-on or extension that positions itself invisibly in the middle of a transaction and diverts funds. Users can’t see it happening and aren’t aware of it until it’s too late.”
Still, technology is only as good as the keen insights into human nature effective fraudsters use to get their way.
“The main thing fraudsters continue to do is catch people off guard,” says Jim Stickley, chief technology officer at TraceSecurity, a CUNA Strategic Services alliance provider. “They trick people before their common sense kicks in. People have to stop and take a deep breath before giving out confidential information.”
Stickley, who has extensive media experience, recalls a “Today” show segment he helped produce where he got a Washington credit union to let him approach some of its members to demonstrate how easy it is to scam people.
“I bought an 800 number online—it’s pretty cheap—and made it go straight to my cell phone,” he explains. “Then I called various members and left messages with the 800 number. Later, at my hotel, the return calls started coming in. I said that a data corruption had occurred and the credit union needed to update addresses. For security purposes, I also needed Social Security and account numbers.” When the credit union later revealed Stickley’s deception, it was shocked at how easily members had given out sensitive information.
Stickley says people usually think of criminals in stereotypical terms— scruffy, shady-looking guys, “and not some affable guy like me joking on the phone and putting them at ease. ‘He seemed so nice’ is one of the most common comments you’ll hear from somebody who has just been swindled.”
Where CUs are vulnerable
Fraud doesn’t just cost members, Stickley says. He cites research indicating that one of every five identity theft victims will change his or her financial institution even though the institution wasn’t responsible for the theft .
“But even if you retain the victimized member,” he says, “you incur the costs of staff time spent addressing the theft, issuing new cards and account numbers, and, in some cases, mounting a legal defense if the member decides the theft is somehow your fault.”
Credit unions must also pay attention to the fact that while fraudsters used to target members only, they’re increasingly focusing on credit unions.
“Malware is so much better now than before. It’s capable of bypassing the many layers of authentication that credit unions have set up to protect themselves and members,” says Stickley.
“Sharp criminals can write bypass codes, so now the risk is of fraudsters going straight at core processors using a Trojan to hijack the core processor’s data to a second site,” he continues. “For example, a Trojan can make it appear as though a teller is the one doing the data search, thus diverting suspicion.”
The ease with which a credit union’s attention can be diverted oft en is the result of what Stickley calls “an outdated, reactionary approach to security, where financial institutions do the bare minimum to meet regulatory requirements but do not make security a living, continuous process.”
His advice is to continuously evaluate security policies. “If everybody on your staff can go almost anywhere on the Internet, Trojans can easily come in through malicious Web pages that appear to be perfectly legitimate,” Stickley warns.
The answer, he says, is to “reduce the number of employees who can browse and restrict who can access information on the core processing system. If you see a teller downloading 50,000 records, that should sound a huge alarm.”
New approaches to security
OneID offers an approach to online security that gives users a means of verifying that their online transactions are legitimate.
The technology employs “repositories,” data storehouses that receive encrypted data from consumers’ mobile devices but can’t be accessed or tampered with except from those devices.
When independent confirmation is required, the repositories relay transaction descriptions to users’ mobile devices, describing and obtaining confirmation that what is happening is, indeed, what the user intends.
OneID uses public/private key pairs to generate signatures. Upon user approval, signatures from the user’s browser, the repository, and (if required) the user’s mobile device are sent. These can be verified independently by the credit union.
OneID repositories don’t store any data on the transaction that can be reverse-engineered, such as account numbers or personal financial data.
Here’s how it works:
Users’ browsers display the credit union home page.
Users click a button that says “sign in with OneID.” Depending on user and credit union security requirements, the OneID mobile app may also prompt the user to confirm the same request. This “out-of-band confirmation” makes it harder to defraud the user.
Users perform their desired transactions. Depending on the type of transaction, the user may receive a prompt from their OneID remote application to approve it. Once approved, the transaction takes place.
“Typical mobile device keyboards make it hard to input password and code entries, especially complex ones where the sequence must be exact,” Fenton says.
Because OneID depends primarily on stored information, the only identification that might be required is a personal identification number (PIN).
The PIN is combined with keying information in the user’s mobile device before being passed on to a repository for verification, and the repositories limit how many password guesses may be made in a day. Users can enable or disable any browsers from their mobile devices for extra security.
“Most financial institutions start out operating OneID alongside their current user authentication modes, usually user name and password,” Fenton explains. “They’ll do this until most users see OneID as a more convenient and secure way to transact business.”
To communicate risks: show, don’t tell
“Everybody has a YouTube mindset,” says Jim Stickley, an insight that led him to found Stickley on Security, a small company that produces educational videos on consumer fraud avoidance that credit unions can embed on their websites.
“The typical credit union website has a page on security that’s all text,” he says. “Nobody, especially older members who find it more difficult to read, will wade through all that text. Credit unions are missing the point: Don’t kill people with text, put the lessons in pictures. Show, don’t tell.”
The videos feature Stickley acting out typical situations members might experience with scammers. In a “red light” scam, for example, fraudsters send fake bills to people saying they’ve been ticketed for running a red light, as caught on camera.
Victims fill out their credit card information to pay the fake bill, he explains. “Criminals depend on people’s willingness to believe the bill and desire to avoid further hassle: Make it go away.”
CUNA’s final rule analysis of the CFPB changes to the TRID rule is now available. The rule, published in the Federal Register this week is effective Oct. 10, with a mandatory compliance date of Oct. 1, 2018.
While proposed changes to the CFPB prepaid accounts rule provide some clarity, it will not be helpful for most prepaid card users and CUNA remains opposed to the rule’s application of Regulation Z to certain prepaid cards.