Online Fraud: CUs’ Luck Could End

CUs have been less susceptible to online fraud than banks.

April 1, 2011

Compared to banks, credit unions have been “lucky” when it comes to online fraud, says Ken Otsuka, senior analyst, risk management, for CUNA Mutual Group.

Don’t expect that good fortune to continue.

“Credit unions could soon be affected on a widespread basis” by online banking fraud, he says.

The root of the problem: Trojan keyloggers, primarily the Zeus Trojan, Otsuka explains. A Trojan keylogger monitors and captures keystrokes, logs them to a file, and sends them to cyber thieves.

The Trojan resides on users’ computers without their knowledge and is used primarily to capture online banking login credentials.

Trojans such as Zeus are spread through phishing e-mails, generally targeting credit unions’ key employees, he says. Users of popular social networking websites such as Facebook have also been targeted.

To better protect member accounts, Otsuka advises credit unions to implement:

  • Stronger two-factor authentication, rather than the common method of computer recognition (using cookies) combined with challenge questions;
  • Out-of-band authentication (e.g., by telephone) to authenticate members through a separate communication channel;
  • Fraud detection tools to monitor user access behavior and individual transactions; and
  • Out-of-band transaction verification for large dollar transfers.