The 3 ‘As’ of Fraud Prevention: Authentication, Authentication, Authentication
One of the most effective ways to prevent fraud crimes is to build a well-armed fortress of authentication.
Cyberattacks directed at credit unions continue to grow in frequency, type and level of impact. Many of these attacks result in losses in the thousands or even millions of dollars for a single financial institution. In fact, a recent Juniper Research report said the total cost of cybercrime is expected to exceed $2 trillion this year, an amount that has quadrupled in just four short years. To make matters worse, most Americans are more fearful of being a victim of a cyberattack than being a victim of a violent crime, according to Gallup.
One of the most effective ways to prevent fraud crimes – in any shape or form – is to build a well-armed fortress of authentication.
Criminals continue to find new, sophisticated ways to commit fraud against financial institutions. More often than not, they carry out an attack by obtaining an employee’s or member’s personal or financial information, then using it to gain access to the victim’s account and/or steal their identity in order to carry out one or a series of financial attacks on a financial institution.
While there is no silver bullet for preventing these attacks, adopting multiple strong authentication methods to validate that someone is in fact who they claim to be will immensely decrease a credit union’s vulnerability to these crimes. Requiring more than one form of authentication when an individual – whether an employee, current member, new member, vendor or other type of requestor – makes any kind of sensitive account inquiry or transaction request will make it much more difficult for that individual to provide false credentials and launch an attack.
First and foremost, it is important to set up passwords for any online or in-person account requests. This should be a credit union’s first line of defense when validating an employee’s or member’s identity. But this should not be the only line of defense. Passwords continue to be exploited at alarming rates. From simple phishing attacks to sophisticated targeted spear phishing attacks, gaining access to members’ accounts can be a much simpler job if the only authentication layer your credit union has in place is password protection.
In addition to a password, your credit union should require members to provide identifying information (e.g. a driver’s license for in-person requests, or an address and birthdate for online or over-the-phone requests) along with personal information (e.g. a high school crush, best friend from childhood or pet’s name) before granting account access. Roughly 44% of the U.S. population (about 148 million individuals) had identifying information compromised during the 2017 Equifax breach, including their Social Security numbers, birth dates, driver’s license numbers and addresses, Krebs on Security reported. That’s why requesting personal information via pre-set security questions can massively reduce instances of account takeover fraud.
Enable multi-factor authentication for account access or transaction requests made in person, online, or over the phone to help prevent someone else from getting into the account. Multi-factor authentication is a method of requiring a user to accurately provide more than one form of information before being given access to the account. These methods include signature requirements, account passwords, PINs, security questions and biometric identifiers like voice, face or fingerprint recognition. The most effective authentication measures require knowledge factors (such as passwords, PINs or security questions), possession factors (such as ATM card numbers or security tokens) and inherence factors (such as fingerprints or face recognition).
Weak authentication methods can lead to easy access points for account takeover fraud. This fraud can be greatly reduced by adopting strong online and in-branch authentication requirements for new account, loan or card opening requests, as well as prior to selling products or services to any new accountholder. Two-factor authentication requirements, or 2FA, are also being used more and more to protect against cybercrime and fraud. 2FA sends a one-time PIN or passcode to the requestor’s phone or email on file to validate the identity of the individual prior to processing the account request.
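The one-time passcode check described above, sketched server-side as an added example (not code from this article or from any vendor). The class name, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration; delivery to the phone or email on file is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: passcode valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: wrong guesses allowed per challenge


class OneTimePasscodeChallenge:
    """Hypothetical helper: one pending passcode per account request."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # request_id -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Only a keyed hash is stored, so a leaked table does not reveal live codes.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, request_id):
        """Create a 6-digit passcode; the caller sends it to the contact on file."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        self._pending[request_id] = [salt, self._digest(salt, code),
                                     self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, request_id, submitted):
        """True only for the right code, before expiry, within the attempt budget."""
        entry = self._pending.get(request_id)
        if entry is None:
            return False                        # never issued, already used, or locked
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[request_id]
            return False
        if hmac.compare_digest(digest, self._digest(salt, str(submitted))):
            del self._pending[request_id]       # single use: a replayed code fails
            return True
        entry[3] = attempts_left - 1
        if entry[3] == 0:
            del self._pending[request_id]       # budget spent: a new code is required
        return False
```

Expiry, single use and the attempt limit are what keep a six-digit code from being guessed or replayed; without them the passcode adds little beyond the password.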
Educate your members and employees about the importance of creating complex passwords and opting into any available authentication measures offered by your credit union and their other online accounts (e.g. 2FA or security questions). Put information on your website and mobile app or let them know in face-to-face interactions that taking these simple precautions will better protect their information and vastly reduce their risk of exposure to identity theft and financial losses.
The bottom line is this: Requiring more than one form of authentication to identify employees and members makes it much more difficult for an individual to provide false credentials and break into accounts via card-not-present fraud, ACH and wire transfer fraud, account takeover fraud and other prevalent fraud crimes. By establishing these strong barriers and reducing exposure to cybercrime, your credit union can better protect its bottom line, as well as increase the trust of its members, which in turn will lead to greater member retention and higher account usage.
Ann Davidson is Vice President of Risk Consulting for Allied Solutions. She can be reached at ann.davidson@alliedsolutions.net.