FFIEC: NCUA Offers Tips for CUs
Stronger Authentication and Security Benefit Members
The FFIEC, which includes the NCUA, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., and the now merged Office of the Comptroller of the Currency and Office of Thrift Supervision, issued its updated guidance in June. Now regulated financial institutions are working to assess their risks and come up with courses of action that help them conform to the new standards by Jan. 1.
For the nation's credit unions, conforming to the guidance has some nuances. The majority of the FFIEC's clarifications in the updated guidelines focus on ways institutions can enhance fraud detection for commercial accounts. Since most credit union accounts are retail accounts held by consumers, conforming to the guidelines to meet regulatory expectations is a bit tricky.
In response to questions about how NCUA examiners are expected to view those nuances, the NCUA provided a list of suggestions regarding how credit unions should develop strategies to comply:
TRACY KITTEN: Given that most CUs are working with consumers, rather than commercial entities, what steps are they taking to educate their consumer memberships about evolving online threats?
NCUA: Cybercriminals increasingly use malware programs, such as Trojans, rootkits, keyloggers and spyware, to infiltrate a member's computer system and steal their banking credentials to originate fraudulent wire transfers. Education is an essential component in increasing consumer security awareness.
NCUA encourages credit unions to take proactive steps to educate consumers, such as:
- Establishing an online consumer security awareness center to help the customers better understand security-related issues;
- Performing ongoing customer education to help consumers change their behavior to prevent online fraud;
- Providing educational articles, such as online threats and their impact, prevention and response to fraud; advice; and real-time security alerts. Information should be available on a credit union's website, and hard copies should be available at branches. Real-time alerts should also be dispatched to consumers via e-mail; and
- Updating consumer awareness information as the internal and external threat environment changes.
To effectively prevent and respond to ACH fraud, credit unions serving as originating depository financial institutions [ODFIs] should perform periodic risk assessments to understand emerging threats; implement effective multifactor authentication; establish ACH fraud detection and prevention policies; and implement layered security and sound practices.
An effective layered security program should include:
- Fraud detection and monitoring systems, with a focus on customer history and behavior;
- Dual control and segregation of duties settings, as outlined in Appendix A to Part 748 of NCUA's Rules and Regulations. Effective settings require a second, authorized party to approve member setup, ACH transaction batches and template use prior to transmission;
- Out-of-band verification for transactions, including an automated system to call members regarding suspicious transactions;
- Techniques to limit the transactional use of the account, such as "positive pay" or debit blocks;
- IP address restrictions to limit access to the specified terminals. This would prevent transactions originating from unauthorized terminals;
- System access limitations to control access to necessary functions and appropriate processing hours. This would reduce the risk of unauthorized access outside of approved timeframes;
- Appropriate controls over account activities to limit the maximum transactional dollar amount a member can initiate, or setting daily debit and credit exposure limits for member originators; and
- Formalized processes to implement software patches to operating systems, firewalls, intrusion detection/prevention systems and antivirus software.
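As an added illustration (not code from the NCUA or from this article), the following shows how several of the layered controls listed above, dual control, IP address restriction, processing-hour limits, per-transaction caps and daily debit exposure limits, could be evaluated together before an ACH batch is released for transmission. The policy values, member names, IP addresses and batches are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed policy settings; a credit union would hold these per originator.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]  # member's registered terminals
PROCESSING_HOURS = (8, 18)                          # transmissions allowed 08:00-17:59
MAX_PER_TRANSACTION = 25_000.00                     # largest single debit a member may initiate
DAILY_DEBIT_LIMIT = 100_000.00                      # daily debit exposure limit for the originator
APPROVERS = {"asmith", "bjones"}                    # second, authorized parties for dual control

@dataclass
class AchBatch:
    originator: str
    submitted_by: str
    approved_by: Optional[str]   # None means nobody has approved the batch yet
    source_ip: str
    submitted_at: datetime
    debits: List[float]

def layered_checks(batch: AchBatch, approvers: set, debits_sent_today: float) -> List[str]:
    """Return the names of the controls the batch violates; an empty list means it may transmit."""
    problems = []
    if not any(ip_address(batch.source_ip) in net for net in ALLOWED_NETWORKS):
        problems.append("ip_restriction")          # originated from an unregistered terminal
    start, end = PROCESSING_HOURS
    if not start <= batch.submitted_at.hour < end:
        problems.append("outside_processing_hours")
    # Dual control: a different, authorized person must approve before transmission.
    if batch.approved_by is None or batch.approved_by == batch.submitted_by \
            or batch.approved_by not in approvers:
        problems.append("dual_control")
    if any(amount > MAX_PER_TRANSACTION for amount in batch.debits):
        problems.append("per_transaction_limit")
    if debits_sent_today + sum(batch.debits) > DAILY_DEBIT_LIMIT:
        problems.append("daily_exposure_limit")
    return problems

# Constructed sample batches: one that passes every control and one that trips all of them.
GOOD_BATCH = AchBatch("Acme Payroll LLC", "jdoe", "asmith", "203.0.113.10",
                      datetime(2011, 11, 15, 10, 30), [12_000.00, 8_500.00])
BAD_BATCH = AchBatch("Acme Payroll LLC", "jdoe", "jdoe", "198.51.100.7",
                     datetime(2011, 11, 15, 21, 5), [30_000.00, 500.00])

if __name__ == "__main__":
    print("good batch:", layered_checks(GOOD_BATCH, APPROVERS, 50_000.00))  # []
    print("bad batch:", layered_checks(BAD_BATCH, APPROVERS, 90_000.00))    # five violations
```

Each violation is reported rather than stopping at the first one, so the monitoring system can log the full picture and route the batch for review.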
KITTEN: What are some of the top emerging threats the NCUA sees facing CUs, and what preventative technologies and/or strategies should CUs be investing in and/or building to address those threats?
NCUA: NCUA and the other federal banking agencies recently issued a supplement to the 2005 Authentication Guidance that addresses Internet threats, reinforces a risk management framework, and updates supervisory expectations for effective member authentication mechanisms, layered security and other controls to combat growing identity theft attacks and online transaction fraud. Compliance with the updated guidance will help mitigate the risk posed by emerging security threats.
Credit unions are encouraged to establish online fraud prevention strategies. Such strategies should include: identification of compliance gaps, conducting risk assessments, implementing robust/multifactor authentication, and installing layered security controls based on their complexity of services and threat environment to facilitate fraud detection and respond to suspicious activity.
The use of fraud preventative technologies will help mitigate exposure. Utilizing automated fraud detection and prevention systems is recommended for a comprehensive approach to prevent (i.e., secure card readers, encryption, policies and procedures), detect (i.e., SIEM system to review log files), deter (i.e., rejecting invalid passwords), correct (i.e., updated firewalls and IDS/IPS) and recover (i.e., backup data sets) the fraud.
In addition to ACH-related fraud, top emerging security threats to credit unions include:
- Debit and credit card threats - Criminals obtain credit/debit card account information via skimming attacks to produce counterfeit cards;
- Social network threats - Fraudsters upload malicious file(s) or use malicious links to collect user information;
- Mobile banking threats - Mobile devices are compromised by malware. Anti-fraud systems and processes cannot keep pace with the speed of technological development;
- Insider attacks - Disgruntled employees with excessive or inappropriate permissions can use non-public member information for illicit means;
- Advanced phishing attempts - Spear phishing targets select groups (e.g., credit union employees) with something in common. Whaling (phishing) targets credit unions' top executives (e.g., financial directors);
- Sophisticated malware attacks - Many of these focus on financial institutions. Rootkit-based malware is used to obtain the highest operating system privileges on a computer; it poses an unprecedented risk to personal information. Keyloggers record keys struck and then send the captured banking credentials through backdoors to an individual controlling the keylogger; and
- Cloud computing risks - Cloud computing vendors may have issues with privileged user access, regulatory compliance, data location, data segregation, disaster recovery, investigative support and long-term viability.