LAS VEGAS (10/29/14)--Cyber attacks consist of more than just identity theft and stealing personal data--they are constantly evolving, both in the approach of the criminals committing the crimes and in how the stolen information is used. That was the consensus of a compliance officer, information technology (IT) security professional and a police detective who spoke at the Credit Union National Association Bank Secrecy Act (BSA) Conference Tuesday.
Tom Schauer, an IT security professional who regularly performs security examinations on behalf of the National Credit Union Administration, said that of 4,403 total data breaches since 2005, only 160 (3.6%) have occurred at credit unions and banks.
Instead, hackers often use third-party vendors to access larger retailers, as was the case in the Target breach that occurred last holiday season. The responsible parties gained access through Target's HVAC contractor via social engineering, which gave them remote access to all Target facilities, and then deployed malware attacks on Target's point-of-sale (POS) systems.
Photo caption: Tom Schauer, an IT security professional, left, and Detective Mark Solomon of the Greenwich, Conn., Police Department discuss ways criminals steal personal information, and how financial institutions can help prevent it. (CUNA Photo)
"The Target breach followed a pattern that's very common and very frightening," said Schauer, whose business "hacks" into financial institutions to demonstrate weaknesses in their security. "Now, Target has the very best intrusion detection system available, designed to detect when attackers are on their network ... it alerted them five times, starting two days into the attack, that malware was present in their POS systems, but their internal security team failed to respond to those alerts."
In 2012, 16.6 million people were victims of identity theft, leading to $24.7 billion in losses. Approximately 85% of those cases involved the fraudulent use of credit and debit cards and other financial information, according to Detective Mark Solomon of the Greenwich, Conn., Police Department.
"Forty-five percent of those victims were notified of the theft by their financial institution," he said. "It is our financial institutions that are discovering this, protecting information and hopefully putting an end to the fraudulent use."
Solomon said that less than 10% of victims ever contact law enforcement, and only 5% of those cases end with the arrest of the suspect. This can have consequences for financial institutions of all types.
"Your reputation is on the line. If your credit union is the target of one of these scams, it's going to put fear into members," he said. "A recent poll asked customers, 'If your card was compromised once, would you consider going to a different financial institution?' Around 74% said yes."
Solomon said that identity theft and other cybercrimes are starting to evolve past a simple "white collar crime." He pointed to instances of gangs such as the Hell's Angels, the Crips and the Bloods increasingly turning to these types of crimes to finance other criminal activities.
"There's no new way to sell drugs. But what's evolving, changing and growing are financial crimes, and quite honestly, law enforcement is a little behind the curve," he said.
Intelligence sharing between financial institutions and law enforcement is the "most critical tool" to combat these types of crimes, Solomon said.
From a financial institution's point of view, this includes timely notification of fraud, filing of suspicious activity reports and notification to law enforcement, other financial institutions and card issuers such as Visa and MasterCard.
The BSA Conference is sponsored jointly by CUNA and the National Association of State Credit Union Supervisors, and sessions continue today.