Credit unions also should re-evaluate authentication techniques to determine if they’re still effective in today’s environment. For example, many institutions have implemented simple device identification. This typically uses a “cookie” loaded on the member’s PC to confirm that the PC is the one the member enrolled from and that the log-in ID and password match.
Apparently, this type of cookie can be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate member. So credit unions should no longer consider simple device identification, used as a primary control, to be an effective risk mitigation technique. Instead, consider using a more sophisticated form of this technique that uses “one-time” cookies and creates a more complex digital “fingerprint” by looking at a number of characteristics, including PC configuration, IP address, geo-location, and other factors.
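To make the distinction concrete, here is an added example (not from the article or from any vendor product) of a device-identification check that pairs a one-time cookie token, rotated on every successful use, with a fingerprint of PC characteristics, so a copied cookie fails on another PC and goes stale after the member’s next log-in; the server key, attribute names and sample PC attributes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def fingerprint(attrs: dict) -> str:
    """Order-independent digital fingerprint of the observed PC characteristics."""
    return "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))

class DeviceRegistry:
    """Server-side device store (constructed for this example, not a real product)."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._devices = {}  # device_id -> (token_digest, fingerprint_digest)

    def _digest(self, value: str) -> bytes:
        # Store keyed digests, never the raw cookie token or fingerprint.
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def enroll(self, attrs: dict):
        device_id, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._devices[device_id] = (self._digest(token), self._digest(fingerprint(attrs)))
        return device_id, token  # both values are set in the member's cookie

    def verify(self, device_id: str, token: str, attrs: dict):
        """Return ("trusted", new_token) or ("challenge", None) to trigger step-up authentication."""
        token_digest, fp_digest = self._devices.get(device_id, (b"", b""))
        token_ok = hmac.compare_digest(token_digest, self._digest(token))
        fp_ok = hmac.compare_digest(fp_digest, self._digest(fingerprint(attrs)))
        if not (token_ok and fp_ok):
            return "challenge", None
        # One-time cookie: rotate the token on every use so a copied cookie goes stale.
        new_token = secrets.token_urlsafe(32)
        self._devices[device_id] = (self._digest(new_token), fp_digest)
        return "trusted", new_token

def demo() -> dict:
    """Walk through enrollment, a copied cookie on another PC, and a stale replay."""
    reg = DeviceRegistry(server_key=b"constructed-example-key")
    member_pc = {"ua": "Firefox/100", "screen": "1920x1080", "ip_net": "198.51.100.0/24", "geo": "US-WI"}
    other_pc = {"ua": "Chrome/99", "screen": "1366x768", "ip_net": "203.0.113.0/24", "geo": "US-CA"}
    dev, tok = reg.enroll(member_pc)
    results = {"copied_cookie_other_pc": reg.verify(dev, tok, other_pc)[0]}  # fingerprint mismatch
    status, tok2 = reg.verify(dev, tok, member_pc)  # legitimate log-in rotates the token
    results["member_login"] = status
    results["copied_cookie_replayed"] = reg.verify(dev, tok, member_pc)[0]  # old token now stale
    results["member_next_login"] = reg.verify(dev, tok2, member_pc)[0]
    return results
```

A "challenge" result should route the member to a secondary control rather than deny service outright, since legitimate configuration changes (browser upgrade, travel) also alter the fingerprint.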
Many institutions use challenge questions (e.g., mother’s maiden name, year of college graduation, etc.) as a backup to the primary log-in authentication technique. The provision of correct responses to challenge questions can also be used to re-authenticate the member or verify a specific transaction subsequent to the initial log-in. But challenge questions can often be easily answered by an impostor who knows the member or has used an Internet search engine or social networking site to get information about the member.
Again, don’t consider basic challenge questions, used as a primary control, to be an effective risk mitigation technique. Instead, use “out of wallet” questions that don’t rely on information that’s often publicly available and are much more difficult for an impostor to answer correctly. The agencies believe the use of more sophisticated questions can be an effective component of a layered security program.
Lastly, don’t forget to educate members so they’re aware of the steps you’re taking to protect both them and the institution from cyber crime.
VALERIE Y. MOSS is CUNA’s director of compliance information. Contact CUNA’s compliance department at firstname.lastname@example.org.