Holiday Anti-Fraud Tips for Credit Unions
Expert shares a new warning concerning open banking in 2020.
Chicago-based OneSpan, which provides anti-fraud and digital identity solutions used by many financial institutions, offered some holiday protection tips and six predictions they suggest will shape the 2020 financial services industry.
“Fraudsters don’t take time off for the holidays and in fact, may capitalize on seasonal spikes in transaction volume to more easily evade detection. As consumers increasingly use their mobile phones as their primary device for holiday shopping, banking and other transactions, cybercriminals are also turning their attention to the mobile channel,” Will LaSala, director of security solutions at OneSpan, said.
LaSala pointed out, “Mobile malware nearly doubled in 2018 and mobile account takeovers increased 79%. It’s estimated fraud losses to banks and credit unions have topped $31 billion due to customer account takeover, new account application fraud and other types of fraud occurring in digital channels.” He recommended employing mobile app security as the key to fighting fraud not only this holiday season, but all year long.
The cybersecurity director provided some measures credit unions can implement immediately to safeguard member data, meet compliance with industry regulations and avoid becoming another data breach headline:
- As transaction volumes increase, fraudsters will use this spike to try and scam transactions and call centers. Let members know your brand will never ask them for their credentials via email, text or chat.
- Remind staff that security standards do not need to slip. Even though transaction volumes will be higher, pay attention to those out of the ordinary requests and do not cut any corners. Stick to the processes and procedures defined throughout the entire year.
- Mobile banking apps should protect themselves in untrusted device environments. To defend any type of mobile app against sophisticated malware, they should use application shielding technology as protection.
Looking ahead to next year, LaSala also provided some foresight:
Mobile becomes the standard platform for financial interactions. Because of this, the corresponding increase in the attack surface fraudsters can access gets worse. Financial institutions should bake security into their mobile apps from the beginning. App development must consider the best security mechanisms to protect the app and, importantly, the brand. Process flows also need streamlining. Machine learning will largely drive intelligent decisions about when to apply the right level of security.
Hackers will exploit open banking. 2020 will see the introduction and adoption of open banking applications used by consumers and enterprises, stimulated by Europe’s PSD2 (Payment Services Directive) and similar legislation in other regions (e.g. Australia, Singapore, Hong Kong). Open banking will give rise to new security threats and vulnerabilities, such as data breaches at third-party providers using open banking interfaces, as these companies might lack investment in security. We may also see vulnerabilities in the IT infrastructure of third-party providers leading to fraudulent payments.
Financial institutions need help embracing artificial intelligence to its full potential. Financial institutions are still holding back from providing enough data to use AI in its most complete form in the effort to prevent fraud. Currently many financial institutions have siloed and unpullable data pools; however, over the next year, it will be rare to see financial institutions not using AI efficiently. When there are readable and comprehendible complex fraud detection models, the power of AI will shine through across the banking industry.
Advanced liveness detection will be a critical part of cybersecurity. Facial recognition and facial comparison, hampered in their adoption until now because of video spoofing, have now closed this gap in security. Combining both static and dynamic liveness detection could gain acceptance. In more general terms, technologies such as facial recognition and its use of artificial intelligence will come under more scrutiny.
Phishing attacks will remain the dominant and preferred method of attack by cybercriminals. In fact, they will only get worse simply because they are successful. Organizations and relying parties need to continue to educate consumers / customers about phishing and about not clicking on links or attachments in emails or text messages from unknowns. Vendors must advance “phish-resistant” technologies to protect unsuspecting users. A great start is to move away from static password login.
The California Consumer Privacy Act sparks a federal consumer privacy policy and data protection law. The CCPA has been the catalyst for other privacy bills at the state level and there have been several privacy-related bills introduced in Congress including the “Consumer Online Privacy Rights Act” introduced in late November. Having 50 state consumer privacy laws will create a compliance nightmare for organizations. There needs to be a comprehensive federal consumer privacy and data protection law to address the compliance issue and the legislation should also incorporate minimum security requirements for organizations to deploy to protect consumer data. It would be surprising if the “Consumer Online Privacy Rights Act” becomes federal law in 2020, but it should generate some interesting debates and lawmakers can expect pressure from the business community especially after the CCPA’s enforcement begins in July.