Beware the Inside Job

Core processors warn CUs about the threat of internal fraud.

September 2, 2011

Core processors are well aware of the need for security against fraud and theft—whether committed by employees, members, or outside scammers.

Of those three, internal employee fraud—often done in conjunction with international criminal rings—remains the greatest threat to your credit union.

“Internal employee fraud forms the highest percentage of security risks,” says John Messier, vice president of core product strategy at Open Solutions Inc. Ironically, he says, employees who commit fraud are usually the last people you’d suspect.

“There’s no real profile of who might commit internal fraud,” says Ron Young, Open Solutions’ vice president of product strategy and management. “Opportunities for fraud are different than before—there’s a market out there for account and credit card numbers among national and international criminal rings.”

Messier says it’s easy for credit unions to catch on to employees who are selling data simply by mining their own databases and asking, “Who’s engaging in an extreme amount of activity?”

It also helps, Young says, that some credit unions have put cameras on their computers to record who’s looking at what.

Daryl Tanner, president/CEO of Share One Inc., says the top threats to credit union security now are cyber attacks and employees tapping into dormant accounts or selling account information.

Fortunately, he says, such activities are discoverable. “Employees who engage in data theft usually began doing it before there were systems in place that could detect them. One factor in credit unions’ favor is that crooks usually don’t think others are as smart as they are, and this is often their downfall.”

Scott Bush, Share One’s vice president of technical services, says the danger from cyber attacks is well-known. “This is why we recommend regular, exhaustive audits to protect against and detect possible tampering.”

He doesn’t predict any letdown in the threat from internal fraud. “Internal threats will continue because it’s easier to gather data from the inside and sell it than it is to hack in or divert from the outside. Externally, criminal organizations will always be with us, especially in the Internet era.”

In fact, Bush believes threats from external sources will continue to increase and, at some point, could become so disruptive to the infrastructure of online financial dealings that they force rule changes in how the Internet is used or accessed.

Bundled security

Generally speaking, core processors bundle security and anti-fraud capabilities into their overall offerings. “Within the core system’s DNA are advanced rules about what employees can or can’t do,” Young says.

He says Open Solutions focuses on:

  • Knowing the member. Is it the real member who’s conducting a transaction, and what is he or she allowed to transact?
  • Transactional risks, including employee actions;
  • Authentication and authorization; and
  • Internal fraud.

One question that’s directed more often at core processors relates to cloud computing (“Core operations to the cloud,” p. 34). “The demand for technical change from credit unions usually comes from leading edge institutions,” says Tanner, “and there’s lots of curiosity among them about cloud computing. We’re cautious about it. Some very big institutions have been taken down while using it—Sony, Amazon, Google—because they couldn’t secure it. That’s why we think that for now the thin client/VPN approach is better.”

For credit unions looking to have a core processor take on security functions, there’s no need to reinvent the wheel. “We have best practices based on years of hands-on experience by credit union clients,” says Messier. “Also, when we take on a new client, we go into the credit union and evaluate all of its processes, including security, and then make recommendations.”

Bush says Share One spends a great deal of time on processes and controls when dealing with credit union clients. “Many of them don’t have controls in place that prevent employees from performing certain functions without explicit permission from their superiors.”

Another potential security breach, says Young, is when credit unions rely heavily on member identification numbers for multiple purposes, and then put them in easy-to-access places.

Messier says the security advice he gives credit unions goes beyond just installing the means to detect fraudulent activity.

He offers three rules of thumb:

  1. Keep up with your core processor’s security services. Ask about new applications designed to address emerging threats.
  2. Stay current with the technology in general. “We stay current with Oracle, Microsoft, and others who are reliable, innovative third-party providers,” Messier says. “Some vendors, however, are still selling legacy systems that are falling behind technologically.”
  3. Outsource when necessary. Many credit unions, he says, shouldn’t tackle risk management in-house—it can be too big a task. It’s sometimes better to outsource the function to someone who knows risk from a macro point of view.

“No one has to go it alone,” Messier says. “Share information and develop a strong community. Nobody can think of everything, which is why collaboration can be so helpful. We have discussion groups and sessions on our website that are very helpful.”

Next:  Mobile safety

Mobile safety

Looking at potential new security concerns, Messier says credit unions should keep an eye on remote deposit capture and the expanding number of channels for financial transactions.

“The good news is that some channels will actually decrease the amount of fraud,” he says. “For example, mobile is a strong point of authentication so we could see less fraud with that channel. Also, it’s easier and faster for mobile users to get alerts about their accounts—minutes versus hours or even days.”

Messier says, however, that credit unions should not forget:

  • Text is notoriously unsecure;
  • Websites are in the middle regarding security; and
  • Downloadable apps are the best and most secure way to do mobile banking. The apps are free and the proliferation of smart phones means they’re getting out there quickly and abundantly.

One problem, however, is that people include personal information on social networking sites that can be used against them, Messier notes. “Some members, for example, casually let slip answers to the challenge questions credit unions ask to authenticate users such as ‘What was your mother’s maiden name’ or ‘What street did you grow up on?’ ”

Wire transfer scams

There was a “significant resurgence” in wire transfer scams in 2010, particularly those involving home equity lines of credit (HELOC), says Brad Mundine, senior manager, credit union protection risk management, for CUNA Mutual Group. And he expects that trend to continue.

Typically with this type of fraud, transfers are requested over the phone, a portion of the funds are pulled from the member’s HELOC, and the wire is sent to a foreign bank, Mundine explains.

Credit unions can reduce wire transfer risks through a variety of mechanisms, says Dave Selina, Fiserv segment executive. He cites Fiserv’s WireXchange solution for completing end-to-end wire transfers.

WireXchange offers both multifactor and multilayered solutions that improve security, with options customizable to the credit union’s specific security policies and requirements, Selina explains.

It also provides a variety of tools to help minimize fraud, including the ability to red-flag transactions for review prior to release; reports that monitor activity in real-time; various security authorization options; and scanning of all wires for Office of Foreign Assets Control compliance.

“To reduce internal fraud risks, dual controls are required to complete select wire-related tasks,” he says.

Tanner says core processors have been good about disseminating best practices, listening to clients’ suggestions and concerns, and providing useful information because it’s in everyone’s best interests.

“Credit unions should take advantage of security seminars, training, and the latest updates,” he says. “They should understand current and evolving threats, and always ask questions. Chances are good that others have asked these questions and that answers are readily available.”


CUNA Strategic Services alliance providers:

  1. 3SI Security Systems
  2. Agility Recovery
  3. Diebold
  4. Intersections
  5. Ongoing Operations
  6. Perimeter E-Security
  7. Switch SuperNAP
  8. TraceSecurity
  9. Verafin