Outrage, lawsuits and justifiable anxiety exploded following the disclosure of the Equifax breach, which exposed sensitive information of some 145.5 million Americans. How should credit unions respond to the resulting threat?

The cybersecurity mess started when hackers took advantage of a flaw in the credit reporting agency software to steal Social Security numbers, birthdates and other personal identifying information. This untethered information could come back to haunt credit unions and members in the form of account takeovers, fraudulent charges and other criminal uses involving identity theft.

Security and industry experts offered their opinions about possible ramifications for credit unions from the Equifax breach.

“In time, we will inevitably see the Equifax data begin to appear [on the dark web]. The data types exposed here — names, SSNs, addresses, credit cards — are not valuable because they came from Equifax. They're valuable because of the myriad of ways buyers can capitalize on the information,” Emily Wilson, director of analysis for the Baltimore-based Terbium Labs, wrote in a blog. She explained the data could turn up in many forms, marketed and remarketed, shared and reshared, renamed, repackaged and mixed with other dark web data.

“This creates a greater opportunity for attackers applying for credit using known good identity data,” Perry Carpenter, chief evangelist and strategy officer at KnowBe4, said. It also means the compromise of questions typically asked by online anti-fraud systems.

NAFCU President/CEO Dan Berger declared in a statement that it is credit unions and other financial institutions that help consumers after a merchant data breach. “It's going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer's checking account, or reissues the cards, and all those costs fall back on the financial institutions,” he said. “These big card breaches are going to continue until there's a national standard that holds retailers and merchants accountable.”

Tyler Carbone, chief product officer at Terbium Labs, said, “There continues to be a lot of data out there, and it's likely that Equifax will mean an increase in supply as it gets out.” He added this kind of data has always been out there, and so the strategies many credit unions adopt to date are still the right ones, they're just more necessary than ever.

Carbone suggested credit unions monitor specific data of interest to each organization, establishing both a baseline level of exposure, and a procedure for notification when anomalous events occur, which might change the organization's risk profile. “Without visibility into its own, specific exposure, a credit union has no way to know if a breach resulted in an increase of availability of data for its specific customers.”

KnowBe4's Carpenter provided this advice for credit unions:

  • Understand that security- and privacy-conscious customers will likely be at a heightened level of anxiety and frustration regarding the entire situation. Members will also be even more hesitant to trust organizations with personal data.
  • Be ready and able to offer sound advice on how consumers can engage in commerce in a manner that is as safe as possible. This involves helping customers understand the risks and trade-offs associated with various self-protection methods (i.e. credit freezes vs. fraud monitoring vs. identity theft monitoring).
  • Guard against individuals looking to exploit the Equifax data either by setting up fraudulent accounts or claiming that legitimate accounts/charges are fraudulent and caused by the breach.
|

“Equifax, and Experian and TransUnion, those three credit reporting agencies have been collecting data on people for years that goes far beyond what financial companies typically have,” Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, pointed out. “So, I think it is appropriate to be concerned.”

Herold suggested credit unions could mitigate member anxieties by remaining proactive in reassuring them about security and privacy. “Let them know what [the credit union] is doing regarding addressing the issue.” In addition, credit unions should notify members about what they are doing to prevent a breach themselves, such as keeping their own systems updated.

Credit unions could also serve as potential targets from cybercriminals obtaining Equifax data. “Be aware of phishing attempts not only through email but also through phone calls [vishing], text messages [SMiShing] and even instant messaging [SPIM],” Herold warned.

Ashley McAlpine, fraud prevention manager for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, explained in the Equifax aftermath CO-OP advised its credit unions to look at any place receiving new applications for cards, especially online applications. “We're going to probably see a lot of instances where fraudsters are trying to capture the data stolen from Equifax in combination from other breaches.”

“Breaches have become a part of our everyday life; we're seeing that consumers are becoming immune to the news,” McAlpine said. She recommended strengthening any authentication involving current and new accounts, or changes to existing accounts. “We want to make sure that it is truly the consumer and not potentially a criminal. So, looking closely at your online applications is going to be very important.”

McAlpine also suggested moving toward biometrics and one-time passwords, and advised credit unions to start utilizing out-of-wallet questions to authenticate consumers (“questions criminals can't answer with standard details about the consumer”).

The St. Petersburg, Fla.-based PSCU's chief information security officer Gene Fredriksen, and chief risk officer Jack Lynch at PSCU, provided takeaways as well.

Fredriksen said, “Listen to the messaging coming from your partners [like PSCU] and industry advocates such as CUNA. The breach has happened, now is the time to discuss the most proactive methods to protect your members.”

Lynch held any time the word “breach” hits the news cycle, there will be a significant amount of speculation over the effect to credit unions and members before comprehending the true consequences. “Reacting to the noise has the potential to cause an overreaction before understanding the extent of the problem.” This includes locking down accounts, which causes transaction declines and creates a poor member experience on unaffected accounts, “or switching to a full-scale CSI investigation when someone wants to open an account. It's recommended that credit unions rely on sources such as current partners and trusted industry media outlets to stay informed on the latest information.”

How does the Equifax breach affect credit unions directly? Right now, the long-term impact is unknown, Lynch said. PSCU has not seen a large bearing yet on card fraud, but it certainly impacts the already serious issue of account takeover and synthetic fraud, where ID thieves create new identities from factual and fabricated information. Lynch said PSCU's Risk Analytics Team is monitoring the compromise very closely.

Lynch recommended organizations ensure all credit union staff has talking points to address member concerns and make sure the message gets out that their credit union is monitoring the situation to the best of its ability. Credit unions should alert members Equifax has established a dedicated website and phone numbers to help consumers determine if they are at risk.

Fredriksen expressed concern about a potential overreaction from a governing standpoint. “The credit union sector must be watchful of new and emerging regulations and legislation. The first recourse of many agencies is to address issues that lead to a breach with more and potentially onerous rules.”

The PSCU CISO suggested credit unions look at the rising trend as a holistic issue. “While the Equifax breach (or the more recent SONIC breach) may not be enough to completely compromise my identity, this information with previously stolen information as well as information on social media may be enough to assume my financial identity. If we continue to treat each breach as a separate case instead of looking at it as an epidemic, we will never make true headway against the problem.”

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).