Evolving Tactics In Network Attacks Call For Employee Vigilence

by. Henry Meier

At least three U.S. banks have lost millions of dollars recently after hackers gained control of their wire transfer systems, according to an article in PC World and a widely read blog by Avivah Litan, a security consultant.  The trend is significant because, as explained by PC World, while hackers have long targeted individual users to, for example, compromise a member’s account, these latest attacks are aimed at gaining access to wire transfer switches set up to connect the member’s accounts with wire transfer software.  Once they get access to this information, they can basically pick and choose which accounts they want to attack.

This contrasts with the old-fashioned method of gaining access to the account of an individual member and then tricking the financial institution into sending the money to an account oversees where it is never to be recouped.  Interestingly, the illegal wire transfers are often accompanied by denial of service attacks, which security experts speculate are used as diversions while the actual theft is taking place.

The trend underscores several key points for credit unions to keep in mind.  For years now, the emphasis has been on keeping fraudsters from gaining access to individual accounts.  That’s why we have the dual authentication requirements.  While this is still vitally important, you also have to make sure that your employees handle their passwords with care.  As the hackers try to gain access to an entire network system, it’s absolutely crucial that you limit access to particularly important systems solely to those employees who need it.  In addition, you may want to impose even tougher password requirements on the chosen few to make sure that even if their information is compromised, your credit union can minimize the damage.

Finally, almost all credit unions use third-party vendors to coordinate their payment systems.  One of the biggest trends in litigation in recent years has been disputes between financial institutions and their business customers about who should bear the brunt of losses when a hacker gains access to the business account.  Now I expect to see more litigation dealing with whether a vendor or financial institution should bear the cost for system wide breakins.  This will all be decided by contract law, so those of you with leverage should take a hard-line with your vendors before signing on the dotted line.  Those of you without leverage should at least read the pertinent clauses so you know what’s at stake and at least try to get changes.

continue reading »