2019 Brings New Security Challenges

Breaches, account takeovers, card fraud, malware, phishing, ransomware, DNS attacks … which cybersecurity development will have the greatest effect on credit unions in the coming year? Some credit union industry professionals helped draw a picture of what to expect in 2019.

“The continued organization and consolidation of cybercriminals will result in greater efficiency in their effort to attack existing vulnerabilities, while accelerating their ability to exploit new vulnerabilities,” Nayan Patel, vice president, strategic alliances at Fiserv, said. This, along with the increasing lack of cybersecurity talent available to most credit unions, will necessitate the adoption of security orchestration platforms as well as the enlistment of trusted partners to augment existing tools and staff in the form of managed security service providers.

Patel said the concept known as SOAR (security orchestration, automation and response), will tremendously influence credit unions and other institutions going forward. “SOAR platforms enable organizations to collect security-related data from the many different sources that comprise an institution’s security ecosystem, and apply machine learning and automation to that data in order to quickly detect, identify and remediate malicious attacks.”

Paul Love, chief information security officer for CO-OP Financial Services, emphasized, “With new tools and technologies at their disposal, criminals continue to expand their capabilities at an increasingly faster pace; they have developed automated ways to deploy extremely well-crafted and highly-targeted schemes. With a clearer picture of the fraud and cybersecurity risks across our industry, across channels and even across verticals, we can move more quickly to thwart attacks.”

Love said he foresees credit unions in a much better position to spot and stop potentially damaging intrusions by expanding existing technologies, and layering artificial intelligence and machine learning on top of collaborative efforts. “We’ll see credit unions asking their strategic partners and vendors for more meaningful collaboration, mainly through greater data sharing.”

PSCU President/CEO Chuck Fagan admitted cyber threats keep credit union professionals up at night. “You never know from one day to the next where the threat’s going to come from. And if you think for an instant that they’re not getting in, that’s a naive approach.”

He also warned, “It would be a black mark for the entire industry, if a credit union or a credit union partner, gets into a situation where a cyberattack is successful.”

PSCU’s objective is to protect member data without affecting interaction. Fagan referred to PSCU’s Eye on Payments study, in which 75% of respondents said they decided how to pay for something primarily based on what was most secure, convenient and user-friendly. “We have to balance cardholder and member experience versus protecting the financial assets.”

Tim Maron, director of business development services for Corelation, said he sees artificial intelligence and the Internet of Things as possible hacker targets. “Many experts have said the AI evolution will be a hacker’s paradise – and it might be if we’re not careful.” But he noted it isn’t quite mainstream enough in the credit union industry to be a major threat.

IoT is a different story, with the number of equipped devices growing by millions on a daily basis. “This unchecked growth also means IoT vulnerability increases on a daily basis,” Maron said. He noted hackers could exploit unanticipated avenues like security camera systems and put member data at risk through connected devices such as refrigerators, cars and wearables. “Next year we may see more of these devices being hacked than ever before and it could be a massive threat to any financial institution – including credit unions.”

Jeffrey DiMuro, chief security and compliance architect, financial service industry team at Salesforce, said new technology such as chat bots and robo-advisors could be inviting attack vectors. “Credit unions have long been trusted institutions embedded within the local fabric of a community. It’s this trust that hackers can more easily manipulate by inserting/embedding the same chat bot/robo-trading technology to disguise their malicious intention to pilfer the investments of unknowing victims.”

DiMuro proposed, “We see a growing need for attribute, contextual and behavior authentication technology to quickly identify anomalous activity, which would signal a potential breach of member data.”

Greg Sawyers, product compliance officer for Temenos, shared, “Cyberattacks will continue to capture headlines as sophisticated criminals perpetuate attacks in an attempt to stay a step ahead of credit unions’ data security efforts.” Sawyers saw two areas of prominence for 2019: AI and stricter cybersecurity regulations.

“AI’s predictive analytics can provide deep insight into recognizing potential hacks into a credit union’s banking systems and enable them to quickly introduce a course correction,” Sawyers said. “Credit unions must remain vigilant to protect their member data, community trust and corporate brand. A closer look at AI is imperative, for federal regulations are likely to dissuade cybercriminals but will not eliminate the burgeoning opportunity to breach security.”

Jeffery Kendall, SVP/general manager for Kony DBX, explained, “This year, we’ll see a convergence of cybersecurity technologies create enhanced capabilities for fraud prevention for mobile and digital.” Kendall said he thinks regulatory technology and analytics will become more important as institutions look to tie together multiple threat prevention approaches, such as geolocation, biometrics, pattern detection and multi-factor authentication.

He added, “We’re seeing early stages of this convergence now and anticipate it will continue to increase [in 2019].”

As larger banks fund enhanced security controls, attackers will turn their attention toward credit unions and other financial institutions with less mature security programs, Carolyn Crandall, chief deception officer at Attivo Networks, said. “Determined attackers have proven they can bypass security controls, moving the battlefield inside the network. Understanding the adversary and root cause analysis will be big themes for 2019. It will become even more critical to understand where the attack originated, how the adversary is attacking and what they are after.”

Mike Dionne, managing director of community markets for Finastra, noted, “Cybersecurity is an increasingly important differentiator for financial institutions, and a growing frustration for credit unions, which may struggle to stay ahead of the latest security technologies.”

Dionne indicated many credit unions are realizing the added benefits of cloud delivery, platform-as-a-service and open application program interfaces for the latest and greatest fraud prevention technologies. “It enables them to access customer data for use with artificial intelligence to further mitigate fraud. In essence, cloud, PaaS and open APIs are democratizing access to technology and giving credit unions access to the same tools available to the largest banks.”

CRMNEXT, Inc. CEO Joe Salesky voiced concern over many credit unions not properly securing account access/transfer capabilities by using texts or one-time PINs. “The most likely new story will be a large surge in Zelle-related fraud,” Salesky said. “Despite the greater than $250K investment per credit union necessary to bring Zelle capability live, the fraud exposure potential of the platform is still a significant risk.”

Salesky referenced an April 2018 New York Times article in which PwC disclosed one bank encountered a 90% fraud rate on the platform. The piece inferred some financial institutions implemented Zelle without any protections like two-factor authentication and user behavior monitoring. “It is far from clear that Zelle, despite its linkage to Early Warning, has provided any platform capabilities that mitigate fraud risk to members and credit unions,” Salesky cautioned. “Bad people have been robbing banks and credit unions from the inside and outside since the beginning of time; it is clear that Zelle provides them a new tool in this pursuit.”

There are three key areas that will most significantly affect credit unions in 2019, according to Rebecca Herold, president of SIMBUS and CEO of The Privacy Professor:

• More ransomware. “They will not just throw a large digital net to everyone in your organization, but they will go after specific employees and vendors with the most data access.”
• IoT device incidents. More employees, including those working for third-party vendors, cloud service providers and other contracted entities, are using smart devices. “These poorly-secured devices create pathways into your business networks, systems and databases. They can also siphon out data and be used to plant malware, among an unlimited number of other malicious acts.”
• More civil lawsuits. Herold said she believes in 2019, the public will start taking actions as they become dissatisfied with the judgements made in class-action suits and the comparatively low penalties applied by regulators in breach cases.