Friday, April 23, 2010

Passwords Are Passé, Financial Institutions Looking Toward Biometric ID

Biometric logins that identify you by your fingerprints, your voice, or the way you type look set to replace conventional passwords for accessing online banking and credit card services, online payment companies and even internet stockbrokers.

James Pope of the College of Business Administration at the University of Toledo, Ohio, working with Dieter Bartmann of the University of Regensburg, Germany, explains that the security of online financial transactions is a growing problem, especially as security loopholes in login systems and web browsers emerge repeatedly. Simply logging in with a password looks set to become technically passé.

"Passwords have been widely used because of their simplicity of implementation and use," the researchers say, "but are now regarded as providing minimal security." Moreover, as repeated scare stories about hacking and identity theft pervade the media, consumers are becoming increasingly concerned about online security. Further development of e-commerce and banking will be stifled if the issues of fraud and identity theft are not addressed.

Tuesday, April 20, 2010

Credit Union Cost Reducing Efficiencies; Here Is What One CU Did

If it comes to laying off employees, cutting salaries, no raises, etc., it's time to REALLY tighten the belt.  Here is what one credit union did to safeguard their existence.

• Eliminated NSF/Overdraft notices - we no longer mail them and encourage members to use on-line alerts instead

• Implemented an employee suggestion program to encourage cost savings ideas from staff

• Eliminated Life Savings/Loan Protection programs to members that were paid for by the credit union

• Evaluated our fee structure and adjusted according to pricing within our local market

• Evaluated Reg D accounts for possible changes

• Eliminated loan payment books

• Stopped offering "overnight" delivery through UPS and now if it is requested, it is paid for by the member

• Switched as many of our vendors over to ACH payments instead of mailing a check for payment

• Introduced electronic paystubs to staff

• Made changes to life insurance and disability coverages

• Changed sick time accrual (we have ours separate from the PTO)

• Closed some of our ATMs and placed them in storage (it was cheaper to put them in storage than it was to leave them operational and due to the age of them, selling wasn't really an option)

• Evaluated branch hours and adjusted

• Eliminated after-hours (or overflow) third party call center

• Conducted a marketing campaign for e-statements (we offered $5 just for signing up)

• Made changes to our new member packet to reduce size and cost of material

• Evaluated the reports staff printed on a daily basis and set some to spool instead of printing on paper

• Eliminated holiday pay for July 4th (it fell on a Saturday and we normally would have given staff an extra 8 hours of pay)

• Reduced the quantity of coffee supplies and bottled water deliveries for staff. Staff can buy their own water.

• Encouraged members to use our Investment/Financial Planning Representative. He is quite conservative in nature and seems to work nicely with the Baby Boomers. This has helped reduce Cost of Funds while generating revenue for us.

We have done most of the things, plus:

1. We're doing our own office cleaning - vacuum, dust, empty trash, etc.

2. We fired our lawn care guy and now mow our own grass.

3. We were able to renegotiate several contracts with vendors - after threatening to drop totally if they didn't (CUNA bond, VISA servicer, web host, on-line application dude).

4. We dropped the annual CPA audit and have the Supr Comm do one every other year.

5. Made it clear to staff that expenses needed to come down - turn lights off, raise/lower thermostats, order/use fewer supplies, etc.

6. We also looked on the income side with fees and rates but didn't really want to put the burden directly on the members - yet.

Not all of these are permanent changes, but they could be indefinite.

What has your credit union done to increase efficiencies?  Anything?  How about sharing them with us. Make up a list like the above and send to billrogers@swbell.net.

Friday, April 16, 2010

Credit Unions Remain Target of Phishing Attacks

Credit unions accounted for 12% of the phishing attacks on American financial institutions in February, down slightly from January and sharply from February 2009, according to RSA.

The security division of EMC said in its just-issued March report that regional banks continued to account for the majority of attacks, 60% in February, while 28% of the attacks were attempts to gain access to accounts at nationwide banks.

Credit unions were the focus of 14% of the attacks on financial institutions in January and 38% of the attacks in February 2009, according to the RSA Anti-Fraud Command Center, which provides detection and shutdown services against malware attacks on more than 300 organizations in 140 countries.

Wednesday, April 14, 2010

Fraudsters Take Aim At Mobile Banking

Symptomatic of a new fraud trend targeting mobile banking, at least two banking institutions have posted messages on their websites, alerting members to be wary of a bogus application distributed on mobile phone platforms.

Bayport Credit Union of Newport News, VA, and First Technology Credit Union of Portland, OR, warned members about a mobile banking application that had appeared on the Android Marketplace, part of the Android mobile phone platform. Android is a subsidiary of Google. More than 50 fraudulent banking apps began appearing in the Android Marketplace in mid-December, industry experts say. The apps didn't contain malware, but instead attempted to get users to enter their passwords, account numbers or other personal information.

Google says it has removed the malicious applications, which targeted customers of Barclays Bank, Chase, Wells Fargo, Bank of America, Wachovia and Deutsche Bank, among others.

Read more at: http://www.cuinfosecurity.com/articles.php?art_id=2085

22 Banking Breaches So Far in 2010

There have been 173 reported data breaches so far in 2010, and 22 of these involve financial services companies.

This means that in less than one quarter of the year, we already have seen more than one-third of the 62 banking-related breaches reported in all of 2009.

The numbers are slightly skewed, says Linda Foley of the Identity Theft Resource Center (ITRC), the organization that tracks data breaches, because some of the 22 incidents actually occurred in 2009 but are just now being brought to light - particularly in Maryland, where the state's attorney general's office reported a slew of 2009 incidents on March 1 of this year. "I suspect there will be more [reports] coming," Foley says, "so the trend thus far is we're finally finding out about breaches that are just coming out."

But the new year's breaches are enough to convince observers that last year's trends are continuing. "2010 could be a tough year for everyone," Foley says.


2010 Trends

If the breach trends do continue as they did in 2009, then financial service companies will continue to experience malicious hacking and insider theft. The challenge for organizations such as the ITRC is that many organizations fail to report their breaches. "The problem is: We're not trying to embarrass a company, but inform everyone of what is happening out there."

Based on what Foley says she's seen so far in 2010, much information has been lost, "so there's a real need for businesses to adopt policies to protect data."

Despite the Federal Trade Commission's work in promoting the ID Theft Red Flags Rule, Foley says many businesses still don't want to comply with the requirements. "If you don't want to protect it, then don't collect the data," she advises these organizations.

Organizations that do buy into data protection must deputize their employees to take the responsibility seriously. "You should be telling your employees why it is important, so they buy into the wanting to actively protect data, and so they don't see it as another chore," Foley says.

Biometrics: Getting Back to Business

People and passwords—in the long run, they just don't work very effectively together. At least that's what Phil Fowler, vice president of IT at Telesis Community Credit Union, a Chatsworth, Calif.-based financial services provider that manages $1.2 billion in assets, found out. His team ran a network password cracker as part of an enterprise security audit last year to see if employees were adhering to Telesis' password policies. They weren't.

"Within 30 seconds, we had identified probably 80% of people's passwords," says Fowler, whose group immediately asked employees to create strong passwords that adhered to the security requirements. A few days later, the team ran the password cracker again: This time, they cracked 70%.

"We couldn't get [employees] to maintain strong passwords, and those that did forgot them, so the help desk would have to reset them," says Fowler. Telesis decided to secure network and application access with a biometric system that eliminated the need for user IDs and passwords, opting for the DigitalPersona fingerprint system from DigitalPersona Inc. in Redwood City, Calif.

Monday, April 12, 2010

Identity Fraud Reaches New High in 2009

The bad news is that identity fraud reached a new high in 2009. The good news is that consumers are fighting back.

The number of ID fraud victims jumped 12 percent in 2009, but consumers are becoming more educated and are filing more reports with law enforcement, according to Javelin Strategy & Research.

Javelin analysts said the increase may be due to the economic downturn, when fraud rises historically.

And there are many ways a thief can swipe your personal information, even without your credit card or Social Security card.

For the rest of the story, go to:
http://www.chicagotribune.com/business/yourmoney/sc-ym-0307-identity-theft-20100304,0,5146332.story?obref=obinsite

ATM attacks more sophisticated, says Javelin

ATM attacks have become more sophisticated--shifting from traditional skimming to use of malware inside ATMs or ATM networks, fraudulent mobile alerts and account takeover from stolen information, according to a new report.

Attacks have been reported in which maintenance crews opened up ATMs and installed malware, according to a Javelin Strategy and Research study.

ATM manufacturer Diebold issued a security update last year for its ATMs after they were attacked by criminals who installed malware to steal sensitive customer information (Financial Services Information Security News April 6).

Individuals can gain access to sensitive information in ATMs via administrative privileges to encrypted personal identification number (PIN) data, then use a computer to reverse the PIN encryption, said Robert Vamosi, analyst at Javelin Strategy and Research. Other attacks have involved sending customers fake message alerts asking for account information. Criminals then use the information to create a cloned card, the publication said.

The financial services industry is moving toward the Triple Data Encryption Standard (Triple DES) for all ATMs, which will help prevent such attacks. Other steps financial institutions can take to protect their ATMs include using security software that guards against malware and using encrypted PIN pads in ATMs that are Payment Card Industry Data Security Standard-compliant, Vamosi added.

About 10% of fraud victims experienced fraudulent ATM withdrawals, Javelin said. About 23% of those with the fraudulent withdrawals left their primary financial institution.

Thursday, April 1, 2010

March News & Views Published Below



CU SECURITY & TECHNOLOGY News - Providing a brief summary of news and information related to security and technology issues for credit unions - Plus some interesting and fun web sites . . .