A breach at a Texas credit union offers yet another example of how hackers now target financial institution employees to gain access to sensitive information from other sources, such as credit-reporting services, and then commit fraud.
In September 2011, hackers compromised an employee account at the former Abilene Telco Federal Credit Union, now First Priority Credit Union, most likely through a phishing scheme that fooled the employee into opening an attachment or link that launched malware. The credit union did not respond to BankInfoSecurity's request for an interview. But the institution's branch manager reportedly told Bloomberg News in late October that hackers broke into an employee's computer and accessed login credentials to the credit union's online account with Experian, the credit reporting organization.
Experian confirms the breach, and says the incident wound up exposing personally identifiable information of about 702 Experian users, including Social Security numbers, dates of birth and financial data.
Experian spokesman Gerry Tschopp says his organization discovered the breach on Sept. 19, 2011, and notified attorneys general in the affected states, including North Carolina.
"This issue really is about cybercriminals attempting to commit fraud and illegal actions against many companies and many industries," Tschopp says. "This is about the sophisticated criminal organizations that constantly try to exploit companies and victimize consumers.
"The malware was not a direct hack of Experian's systems in North America," he adds.
The year-old breach is getting renewed attention, as legislators, including Sen. John Rockefeller, D-W.Va., review how companies such as Experian collect and protect data.
This incident, and others like it, illustrates how financial institution employees increasingly prove to be weaker links in the security chain, says financial fraud expert Avivah Litan, an analyst at the consulting firm Gartner. Inadequate authentication practices and lax mandates for computer security upgrades, updates and patches leave banking institution employees in some cases more susceptible to malware attacks waged via socially engineered schemes than bank customers, Litan says.
"The banks themselves don't use the same controls they ask customers to use," Litan says. "You see banks focusing on data loss prevention, but then you often see what I consider antiquated antivirus systems. It's those types of outdated systems that make them vulnerable."
To improve security internally, Litan suggests institutions invest in:
- Enhanced malware-detection tools;
- Device identification for employee authentication;
- Network-threat-intelligence software.
Neglecting Employee Protection
Banking institutions, because of increasing regulatory scrutiny linked to conformance with the Federal Financial Institutions Examination Council's updated Authentication Guidance, have better technology in place to protect their customers and members than their own employees, Litan contends.
"Employees have not been a focus, and the FFIEC guidance does not address the need for employee protections," she says.
What the guidance does address is the need for banking institutions to enhance their practices for user authentication to online-banking access. Because of increasing incidents of account takeover - typically accomplished via malware installed on an end-user's computer - the FFIEC recommends banking institutions invest in multiple controls to verify a user's authenticity.
Targeting bank and credit union employees for the purpose of account takeover and fraud is a trend security experts have only recently begun to identify, Litan says. The Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center noted much the same in mid-September, when they jointly issued an alert about emerging fraud schemes that, in some cases, involved the takeover of a staff member's desktop PC.
"Recent FBI reporting indicates a new trend in which cybercriminal actors are using spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials," the Sept. 17 alert states. "The stolen credentials were used to initiate unauthorized wire transfers overseas."
Litan says the compromise of employee login credentials is quickly becoming a top concern. By law, in many cases, institutions are required to provide their employees with access to numerous customer and member databases, she says. So once an employee's login credentials are compromised, hackers have access to much more than just an online bank account.
"And it's even easier for them if the employee uses the same credentials for logging into their bank account as they do for accessing some of the bank's systems," Litan says.
Impact of a Breach
The Abilene breach illustrates how a compromised bank or credit union employee account can expose more than the institution.
Compromised credentials from banking institutions and other third parties have netted more than 17,000 credit reports taken from the agencies since 2006, according to Bloomberg.com, which conducted an examination of hundreds of pages of breach-notification letters sent to victims.
Chris Jay Hoofnagle, director of information privacy programs for the Berkeley Center for Law & Technology, tells Bloomberg that the theft of credit reports offers criminals all the information they need to steal an identity to commit credit card fraud, get a fraudulent driver's license or obtain medical treatment.
Tschopp says compromises at third parties, such as banking institutions, can adversely affect any tethered organization, including a credit bureau.
"This issue really is about cybercriminals attempting to commit fraud and illegal actions against many companies and many industries," he says.
Experian works to stay ahead of suspicious activity by constantly updating its anomaly detection systems. But it can only control so much, Tschopp says.
And when login credentials of administrators or those with access to numerous customer accounts are compromised at a banking institution, the consequences can be dire for consumers, Litan says.
"As a fraud analyst at a bank, for instance, you would have access to third-party reports, third-party systems and a lot of other information," she says. "You basically have the full picture of the customer, which includes access to third-party records."
Essential Security Steps
Litan says these types of attacks, aimed at institution staff, require more collaboration between security and fraud departments and necessitate that institutions review new solutions in anti-malware detection and prevention.
"The banks are relying too much on mainstream anti-virus and anti-malware vendors that have not kept up," she says. "They also need to do more to protect the endpoint," which means more device identification for employees.
Litan also calls on banks to use network-threat-intelligence software - sophisticated software that can provide more detailed information about to where data is being transferred and sent once it's accessed. So, if sensitive consumer data were being routed to an external command and control center, for instance, the system would raise a flag and send an alert to the bank.
"Financial institutions have to get more sophisticated," Litan says. "It's the only way they're going to be able to fight these emerging trends."