What FIs & Consumers Should Do Post-Breach: FS-ISAC
Two new white papers offer security tips to consumers and credit unions following a year of more than 1,000 breaches.
The Financial Services Information Sharing and Analysis Center published two white papers to guide consumers and financial institutions following a year of more than 1,000 breaches affecting perhaps billions of consumers.
The Reston, Va.-based FS-ISAC, a nonprofit association dedicated to protecting financial services firms from physical and cyberattacks through information sharing and analysis of those threats, stated, “Data breaches are a source of risk for financial institutions even at organizations outside of financial institutions. The compromise of personally identifiable information may increase compliance/regulatory, financial, legal and reputational risks.”
One white paper, “Tips for Financial Institutions: What to do Post-Breach,” provided suggestions for financial institutions that may help reduce the effect of data breaches, beginning with assessing risks to the organization and consumer accounts, including some common forms of fraud institutions should consider following an external data breach. These include new account, account takeover, cash advance, online banking and mobile wallet transaction fraud; fake wire transfer requests; and social engineering, phishing and vishing.
The report also provided suggestions for leveraging loss prevention strategies, including using fraud and behavioral analysis tools to detect suspicious customer or member activity and to eliminate false positive alerts through machine learning and algorithms that assess the risk of user activity in near real time. These tools exist for a number of banking activities, including credit and debit cards, electronic funds/ACH transfers, online and mobile banking, and checks and other draft instruments.
If a credit union does not currently use these tools, fraud reporting capabilities are usually available from its core or card processing third-party service provider.
The report also recommended verifying the information of any customers or members requesting to establish a new account relationship, or verifying the account and authenticating accountholders for funding and account-to-account transfers using one or more of the following methods: instant, real-time account, trial deposit or identity verification.
A second white paper, “Tips for Consumers: What to do Post-Breach,” noted, “Data breaches pose a potential risk to consumers in the form of identity theft, account takeover and fraud when personal and sensitive information is compromised.”
FS-ISAC’s tips for consumers to reduce the risk or impact of data breaches included placing a security freeze and fraud alerts on credit reports. “A security freeze protects against identity theft and the opening of fraudulent accounts with a consumer’s personal information. It will block an institution or lender from accessing a report, unless a pre-set PIN is provided to ‘thaw’ the report; a credit report may be thawed at a particular bureau for a period of time or for a specific lender.” A fraud alert on credit reports requires potential creditors to contact the consumer and obtain permission to open new accounts or lines of credit.
The white paper also suggested consumers utilize two-factor authentication to provide an additional layer of account logon protection wherever possible. Two-factor authentication requires two pieces of information to log in to an account, usually the password and a code from an SMS text message or the approval of the login via a phone call.