Organized crime rings have had their sights set on the credit union industry with sophisticated and automated attacks for several years. Credit unions are seeing an increase in automated attacks like credential stuffing that lead to account takeover (ATO) and fraud. These criminal organizations have become experts at gaining access to member accounts on a massive scale by using actively exploited or publicly available compromised credentials, bots, and readily available tools.
Account takeover (ATO) and new account opening fraud pose a huge problem for credit unions. Both can be extremely difficult to prevent because when encountering your defenses, the most skilled fraudsters will adapt their methods specifically to bypass any security or fraud countermeasure. This typically means instead of emulating human behavior, the fraudster exhibits human behavior, using low cost click-farms or manually interacting with the application.
Making matters worse, criminal organizations are motivated by enormous financial gain, and compromising member accounts has proven to be a lucrative avenue for fraud such as money laundering. The stark reality is that these types of attacks will likely continue to increase.
Proven Attack Methods
One tactic proving very effective for attackers is deepening their ability to imitate legitimate users. They use the same tools that users do, automating production browsers like Chrome, Firefox and Safari, and proxying through residential IP addresses. By emulating human traffic and behavior, they can bypass lower friction defenses, MFA gates and rate limits to take over accounts, crack cards or steal data. Malware sits resident on victims’ computers, scraping their credentials and delivering them back to fraud marketplaces.
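The paragraph above describes credential stuffing that rotates through residential proxies so that per-IP rate limits never trip. The following Python is an added example, not code from the original article or from any vendor it refers to, showing the window-level signals a defender can still look at: a burst of attempts spread across many usernames and many source IPs with a very low success rate, where the busiest single IP touches only one or two accounts. The log line format, the time window, and the thresholds are assumptions chosen for illustration, and the login events are constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed (constructed) auth log line format: "<iso-timestamp> <src-ip> <username> <ok|fail>"
EPOCH = datetime(2000, 1, 1)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed auth log line into a LoginEvent."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "ok")


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def summarize_windows(events, window=timedelta(minutes=5)):
    """Group events into fixed windows and compute the signals a distributed stuffing burst leaves."""
    buckets = defaultdict(list)
    for e in events:
        buckets[window_start(e.ts, window)].append(e)
    summaries = {}
    for start, evs in buckets.items():
        users_per_ip = defaultdict(set)
        for e in evs:
            users_per_ip[e.src_ip].add(e.username)
        summaries[start] = {
            "attempts": len(evs),
            "distinct_users": len({e.username for e in evs}),
            "distinct_ips": len(users_per_ip),
            "success_rate": sum(e.success for e in evs) / len(evs),
            # Low value alongside many distinct IPs means each proxy tried only
            # one or two accounts: source rotation designed to stay under per-IP limits.
            "max_users_per_ip": max(len(u) for u in users_per_ip.values()),
        }
    return summaries


def flag_stuffing(summaries, min_attempts=20, min_users=15, min_ips=10, max_success_rate=0.2):
    """Return the window starts whose aggregate signals match a credential-stuffing burst (thresholds assumed)."""
    flagged = []
    for start, s in sorted(summaries.items()):
        if (s["attempts"] >= min_attempts and s["distinct_users"] >= min_users
                and s["distinct_ips"] >= min_ips and s["success_rate"] <= max_success_rate):
            flagged.append(start)
    return flagged


def constructed_log():
    """Constructed sample: normal member logins, then a proxy-rotated stuffing burst ten minutes later."""
    lines = []
    base = datetime(2024, 3, 1, 9, 0, 0)
    # Six members logging in from their own addresses, one mistyped password.
    for i in range(6):
        result = "fail" if i == 2 else "ok"
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 203.0.113.{i + 1} member{i} {result}")
    # Thirty usernames, each tried once from a different proxy address; one reused password succeeds.
    burst = base + timedelta(minutes=10)
    for i in range(30):
        result = "ok" if i == 17 else "fail"
        lines.append(f"{(burst + timedelta(seconds=4 * i)).isoformat()} 198.51.100.{i + 1} victim{i:02d} {result}")
    return lines


def run(lines=None):
    """Parse the log, summarize it per window, and return (flagged window starts, all summaries)."""
    events = [parse_line(line) for line in (lines or constructed_log())]
    summaries = summarize_windows(events)
    return flag_stuffing(summaries), summaries


if __name__ == "__main__":
    flagged, summaries = run()
    for start in flagged:
        print(start.isoformat(), summaries[start])
```

Per-IP rate limiting alone sees thirty addresses each making a single attempt and stays silent; the window-level view sees thirty accounts probed in two minutes with one success. In practice the thresholds would be tuned against the institution's own baseline traffic, and a flagged window would feed a step-up or review decision rather than a blanket block.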
Clever phishing proxies, which seamlessly skin over a legitimate website and then intercept the traffic that goes through, are also on the rise. Members are fooled into thinking they are logging into their email account or credit union account, as the web page looks the same, but meanwhile their credentials are being stolen by a cybercriminal. In response, credit unions have been drastically stepping up their authentication layers.
The Member Experience Paradox
While institutions have undoubtedly added more security to their authentication, they’ve also added more friction to the member experience. CAPTCHA tests are almost universally known as a painful process for proving human identity, while even SMS multi-factor authentication causes an irritating level of disruption to a member journey, even more so if the user doesn’t have their smartphone in hand.
Credit unions that add a lot of friction to mitigate fraud may incorrectly think they are improving security defenses, so it’s all worth it, no matter what the cost is to user experience. Meanwhile, however, the downstream damage they’re causing to their account holder experience is adding mounting pressure, in a world where it’s all too common for consumers to switch brands for the smallest infractions. Too much friction can negatively impact account creation, logins and ultimately growing wallet share.
Credit union security and fraud departments need to look for fraud and cybersecurity solutions that are widely deployed in the financial services industry, that have visibility into both automated and human traffic, and that use machine learning models trained on attack profiles, risk surface, and historical fraud records, so that they can accurately distinguish fraudsters from real members without friction.