BOSTON—With crooks able to pivot quickly and take new, and even old, approaches to committing fraud, credit unions need to take a holistic approach to cyber defense, insists PSCU.
Jack Lynch, PSCU chief risk officer and SVP of fraud operations, described for attendees at CUNA’s America’s Credit Union Conference here an environment in which inroads are being made in fighting cybercrime, even as new avenues for fraud are opening up quickly.
“Fraud moves, so a holistic approach to cyber security—one that is consistent across all channels—is needed,” Lynch said.
That means the same layered defenses across the call center, new account openings, mobile…
“A credit union can’t afford to attack this issue one channel at a time. And this includes vendors, as well,” he said.
The Fluidity of Fraudsters
To illustrate how fluid fraudsters are, Lynch noted that voice fraud is making a big comeback. He said that in 2015, one in 2,000 calls into the call center were fraudulent, and now that rate has dramatically increased to greater than one in 937 today.
“The criminals are hitting this channel hard,” Lynch said.
Lynch said as EMV is markedly cutting down card present fraud, ATM attacks are picking up—an issue CUToday.info has extensively reported. He talked about ATM skimming and jackpotting, where fraudsters drill into an ATM in an isolated location and connect with the machine’s internal system to get it to spit out money. Lynch also addressed how thieves are exploiting FI networks to reach ATMs and also get machines to dispense money.
As many experts have addressed, Lynch noted that card not present fraud has markedly increased.
“We are seeing a 26% increase since 2016,” he said, adding there was $15.4 million in card not present theft last year, up from $13.1 million the previous year.
Synthetic Fraud
Lynch further observed that the Equifax breach has contributed markedly to synthetic fraud, where crooks create a false identity and then apply for loans and never repay, and also steal funds.
“There was $6 billion in synthetic fraud last year—that’s fraud committed by people that don’t really exist,” he said.
Lynch emphasized that not only do credit unions need strong defenses to keep the bad guys out, they must be prepared to address what to do when criminals get inside. He said CUs need to monitor data that is going out of the credit union to catch and stop thieves that have penetrated their network.
Layered authentication is critical, stressed Lynch, saying that passive authentication, where the CU uses challenge questions, is no longer effective. Lynch said credit unions need to use authentication that includes the basic defenses like challenge questions, but then also layers on defenses such as biometrics and geolocation, for example.
“And you have to employ linked analysis,” said Lynch.
Lynch said that defenses must be able to analyze what is occurring across all channels simultaneously to search for patterns and signs of fraud.
In closing Lynch said that all of the efforts to fight fraud are often wasted if staff are not trained to follow cyber security policies.
“One mistake, one phishing email clicked on by an employee and the bad guys are in,” he said.