By Henry Meier
At least three U.S. banks have lost millions of dollars recently after hackers gained control of their wire transfer systems, according to an article in PC World and a widely read blog by Avivah Litan, a security consultant. The trend is significant because, as explained by PC World, while hackers have long targeted individual users to, for example, compromise a member’s account, these latest attacks are aimed at gaining access to wire transfer switches set up to connect the member’s accounts with wire transfer software. Once they get access to this information, they can basically pick and choose which accounts they want to attack.
This contrasts with the old-fashioned method of gaining access to the account of an individual member and then tricking the financial institution into sending the money to an account overseas where it is never to be recouped. Interestingly, the illegal wire transfers are often accompanied by denial of service attacks, which security experts speculate are used as diversions while the actual theft is taking place.
The trend underscores several key points for credit unions to keep in mind. For years now, the emphasis has been on keeping fraudsters from gaining access to individual accounts. That’s why we have the dual authentication requirements. While this is still vitally important, you also have to make sure that your employees handle their passwords with care. As the hackers try to gain access to an entire network system, it’s absolutely crucial that you limit access to particularly important systems solely to those employees who need it. In addition, you may want to impose even tougher password requirements on the chosen few to make sure that even if their information is compromised, your credit union can minimize the damage.
Finally, almost all credit unions use third-party vendors to coordinate their payment systems. One of the biggest trends in litigation in recent years has been disputes between financial institutions and their business customers about who should bear the brunt of losses when a hacker gains access to the business account. Now I expect to see more litigation dealing with whether a vendor or financial institution should bear the cost for system-wide break-ins. This will all be decided by contract law, so those of you with leverage should take a hard line with your vendors before signing on the dotted line. Those of you without leverage should at least read the pertinent clauses so you know what’s at stake and at least try to get changes.