WAIKOLOA, Hawaii (4/28/09)--Credit unions, their members and third-party providers of electronic funds transfer services need to improve their online security because of advances in online fraud involving personal and financial institutions' computer systems, a CUNA Mutual Group risk management expert said Friday. Electronic fraud losses are caused primarily by consumer account compromises through online banking systems and system intrusions at third-party providers of electronic services, Ken Otsuka, risk manager, told attendees at the Hawaii Credit Union League 71st Annual Convention.
Ken Otsuka, risk manager with CUNA Mutual Group, discusses electronic fraud with attendees at the Hawaii Credit Union League 71st Annual Convention Friday. (Photo provided by CUNA Mutual Group)
"Phishing scams have become a mainstream activity for fraudsters," Otsuka said. "Consumers continue to be duped by this e-mail scam and provide their account numbers and online banking passwords."
Account compromises occur when members respond to phishing e-mails by clicking on embedded links that take them to bogus Web sites imitating the credit union's site. "The branding is remarkably good, and consumers are fooled" into providing information that would allow fraudsters to open accounts with the victim's information, he said.
Other contributing factors to account compromises include:
* Successful social engineering attempts by fraudsters to have consumers' online banking passwords reset, and
* Consumers' computers infected with malicious keyloggers, which monitor keystrokes and return the data to the fraudsters.
Otsuka urged credit unions to increase controls over requests for password resets and to notify members of the importance of using up-to-date antivirus and anti-malware security programs to protect their computers.
Once a fraudster hacks into a consumer's account, funds are transferred to accounts at other financial institutions using the bill pay, ACH, or wire transfer service offered through online banking. "It's important for credit unions, corporate credit unions and third-party providers of electronic funds transfer services to adopt suitable authentication methods to prevent costly unauthorized transactions," he added.
The common multifactor authentication method that involves a computer's Internet Protocol (IP) address and challenge questions is no longer reliable due to the risk of malicious software infecting the computer or an entire system, Otsuka said. For example, if the keylogger resided on the member's computer at the time the member enrolled for online banking, it would return the member's username, password, and answers to the challenge questions.
Otsuka advised credit unions to take these steps to help reduce electronic fraud:
* Take advantage of the authentication method third-party providers of electronic funds transfer services offer;
* Restrict IP addresses of credit union users with third-party vendors;
* Adopt multifactor authentication, such as tokens;
* Implement monetary transaction limits for third-party ACH credit files and wires;
* Implement monetary transaction limits for online payment services; and
* Avoid resetting member online banking passwords based on telephone requests from members.
Members also play an important role in reducing fraud. Otsuka recommended credit unions pass along these tips to members:
* Install up-to-date software on home computers to prevent infection from viruses, spyware and malware.
* Use strong passwords with a minimum of seven characters, alphanumeric, and include special symbols (such as !, @, #, $, %, <, >).
* Never use computers accessible to the public, such as in libraries and hotels, to access accounts.
* Be careful when using a wireless network – make sure it's secure before accessing accounts online.
Additional loss mitigation and prevention information, guidelines and RISK Alerts are available to CUNA Mutual policyholders in the company’s Protection Resource Center.