Increasing threats of cyberattacks against financial institutions – which are not only growing in size, but targeting more valuable personally identifiable information – have led to increased scrutiny of risk management programs.

There are no shortcuts when it comes to establishing an effective, end-to-end cybersecurity program, and in an age when massive data breaches are becoming the norm, complacency is extremely hazardous. One major area of concern involves what happens to stolen data after a breach occurs, as an incident's repercussions often spread outside the breached organization.

The Vancouver-based cybersecurity company NuData Security monitored and evaluated 5.1 billion actions that took place from May through July 2015, and discovered a number of emerging trends, including a growing number of account takeovers. Of the more than 500 million account creations analyzed, more than 57% were flagged as high risk or fraudulent, compared to 28% in February through April 2015.

“We are seeing all these accounts created using stolen data,” Ryan Wilk, director of customer success at NuData, said.

Account takeovers, in which fraudsters steal an established account with personally identifiable information attached to it, are topping credit card fraud, and account creation fraud has increased by more than 100% since February 2015.

NuData predicts and prevents online fraud, protecting businesses from reputational damages and financial losses caused by fraudulent or malicious attacks.

“We monitor different touch points in the user's environment,” Wilk explained, adding that identifying trends helps organizations better understand how users interact within their environment, allowing them to either substantiate the positives or understand the potential risks.

Although some credit unions and other financial institutions are getting much better at identifying account takeovers, criminals are changing their techniques to circumvent adopted controls.

“It's really quite difficult to identify these types of false accounts using a lot of traditional techniques,” Wilk noted.

Financial institutions can have trouble finding anomalies because bad actors often use valid stolen information such as phone numbers and addresses to create new accounts.

In order to protect their brand and members, credit unions must figure out how to detect the fraudsters utilizing an increasing amount of personally identifiable information. They must verify users' identities as well as confirm the behavior behind each transaction is that of a valid user – and that's where user behavior analytics plays a vital role.

Wilk said NuData's NuDetect product harnesses behavioral attributes and passive biometrics to establish how legitimate accountholders actually act. It's a relatively new and somewhat unusual form of biometric security analysis, which relies on user-specific, subconscious patterns of behavior that emerge through repetitive human actions such as typing, scrolling or holding a phone. Once a reliable set of data has been gathered for a particular user as a standard, the system can then detect unusual behavior and identify it as a security risk.
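The baseline-then-deviation idea described above, as an added illustration that is not NuData's code or NuDetect's method: keystroke dwell and flight times from constructed enrolment sessions form a per-user baseline, and a new session is scored by how far it drifts from that baseline. The feature set, the z-score threshold and all sample timings are assumptions.

```python
"""Behavioral baseline for passive biometrics (added example, not NuData code).

Each session is a list of (dwell_ms, flight_ms) pairs: how long a key was held
and the gap before the next key. The timings below are constructed sample data
standing in for what a client-side collector would report.
"""
from statistics import mean, pstdev

# Constructed enrolment sessions for one accountholder: a steady, fast typist.
ENROLLMENT = [
    [(95, 130), (100, 125), (90, 140), (105, 120), (98, 135)],
    [(92, 128), (97, 132), (101, 138), (94, 122), (99, 130)],
    [(96, 134), (103, 127), (91, 141), (100, 129), (95, 133)],
]

def build_baseline(sessions):
    """Per-feature mean and population standard deviation over all enrolment keystrokes."""
    dwell = [d for s in sessions for d, _ in s]
    flight = [f for s in sessions for _, f in s]
    # Floor the spread at 1 ms so a very consistent user does not produce infinite z-scores.
    return {
        "dwell": (mean(dwell), max(pstdev(dwell), 1.0)),
        "flight": (mean(flight), max(pstdev(flight), 1.0)),
    }

def session_score(baseline, session):
    """Mean absolute z-score of a session's features against the baseline.
    Low scores mean the session behaves like the enrolled user."""
    d_mean, d_std = baseline["dwell"]
    f_mean, f_std = baseline["flight"]
    z_scores = []
    for dwell, flight in session:
        z_scores.append(abs(dwell - d_mean) / d_std)
        z_scores.append(abs(flight - f_mean) / f_std)
    return mean(z_scores)

def classify(baseline, session, threshold=3.0):
    """Flag a session for review when it drifts more than `threshold` deviations (assumed value)."""
    return "review" if session_score(baseline, session) > threshold else "legitimate"

if __name__ == "__main__":
    base = build_baseline(ENROLLMENT)
    # Constructed: the same person on another day, and a scripted login with uniform fast timing.
    same_user = [(97, 131), (94, 136), (102, 126), (99, 133), (93, 129)]
    scripted = [(20, 40)] * 5
    for label, s in (("same user", same_user), ("scripted", scripted)):
        print(f"{label}: score={session_score(base, s):.2f} -> {classify(base, s)}")
```

A production system would track many more signals (scroll rhythm, device orientation, navigation order) and update the baseline over time; the scoring shape stays the same.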

Another cybersecurity challenge facing credit unions involves the vetting of technology tools and applications being developed to accommodate member demands. While the code is being written for these tools and applications, security vulnerabilities can pop up.

“The big difference between the large banks and the mid-tier banks and credit unions is that the big banks have a lot of software developers and they build a lot of their own code, so they have more control over the quality of the code,” said Drew Kilbourne, managing director at the Dulles, Va.-based software security firm Cigital.

For credit unions, gaining control over code means building solid security initiatives inside System Development Life Cycles. Cigital works as a mentor with financial services organizations to ensure the software they develop is secure and adheres to industry security regulations while meeting consumer demands.

Kilbourne explained Cigital uses the Building Software Security in Maturity Model, which provides a data-backed comparison of a program against a security industry standard. Cigital's BSIMM assessment helps prioritize objectives and determine which strategies make sense for a credit union.

During a BSIMM engagement, Cigital interviews individuals involved with software security within an organization. This includes speaking with team members who define and administer sensitive security information, and engineers who design, develop and deploy applications. BSIMM is not a standard; instead, it describes a set of activities practiced by 67 of the most successful software security initiatives in the world. It's also designed to help address security throughout a development process, rather than test for bugs and flaws at the tail-end.

Cigital also helps organizations incorporate guidelines into their development cycles and ensure compliance using security governance – a framework of policies, standards and processes that form a structure for making decisions and defining expectations. The company said good business processes are transparent, align with a credit union's culture and provide cost-effective value to all stakeholders.

According to Cigital, the vast majority of firms do not have a software security governance program in place, meaning they have neither secure SDLCs nor systematic control over the security postures of their application portfolios.

“We focus on helping them,” Kilbourne said. “That is everything from building controls around architecture and design to requirement definitions through testing software, dynamic testing tools and penetration testing.”

Cigital engages organizations in three key ways:

  • Developing programs or initiatives. “You have got to build a secure SDLC so when you develop software you build secure software,” Kilbourne said. “We will help build out those capabilities. We help the organization become more mature, period.” Cigital starts with BSIMM and from there provides roadmaps and processes.

  • Making assessments. “At some point you need to test – you have to find what you need to fix,” Kilbourne noted. “Our mantra is: Find, fix and prevent.” But credit unions have to find the defects first. Cigital does that through traditional, manual hacking and various methods of dynamic and static testing.

  • Creating products. This involves challenging developers to build more secure code up front. Cigital uses Codiscope SecureAssist to identify security vulnerabilities and enable developers to fix problems immediately.

Codiscope SecureAssist, which integrates directly into development environments, is not just a testing tool – it's a teaching and productivity tool, Kilbourne explained. It teaches secure coding practices and improves developer productivity by identifying design flaws or vulnerabilities, explaining the issues at hand, and providing contextual guidance for resolving them promptly.

“We leave a foundation in place that allows developers to secure code and grow,” Kilbourne said. “If you are going to build policy for them, you have to have them involved, you have to build something that will fit the culture that they will use.”

If a credit union doesn't build its own code, Cigital can spend a few weeks helping it build out the basis of a vendor management program. Kilbourne stated that financial institutions acquire most of their code from third parties.

“So the challenge is how to manage the quality of the software that your vendors are creating,” he said. “What we are seeing out in the industry is some vendors are being told to build a security program that creates a secure SDLC or they are not going to do work anymore, because [institutions] cannot take the risk.”

What are some of the security risks posed by banking applications? According to one security expert, it's not second-guessing the user.

“The biggest risk is placing too much trust in the user being computer savvy and the security of the user's device,” Adam Harder, director of mobile engineering at the Arlington, Va.-based cybersecurity firm Endgame, said. “The actual security posture of the user's device will vary dramatically from vendor to vendor and model to model.”

Harder emphasized that Samsung, Motorola, RIM, Nokia, Microsoft and Apple devices, for example, carry different vulnerabilities and require different types of protection against physical intrusion.

“In practice, what we commonly see are applications not checking the validity of SSL certificates and storing credentials and other sensitive info in the clear on the device,” Harder added. “An application developer simply cannot assume anything about the devices their app will be installed onto, and the least secure configuration possible should be assumed. The device is not a safe place to store sensitive data.”


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).