Small to mid-size credit unions and regional banks could be at greater risk of SMS phishing and phone attacks than their big-bank counterparts, according to one cybersecurity expert, who analyzed the frequency, location and targets of actual known attacks.
"Oftentimes people talk about threats that can happen with malware, but we are talking about attacks that actually do happen," AdaptiveMobile's Head of Data Intelligence & Analytics Cathal McDaid told Credit Union Journal.
A Dublin, Ireland-based global mobile security firm protecting more than 1.3 billion subscribers, AdaptiveMobile said it differentiates itself by offering products that protect services on both fixed and mobile networks through in-network and cloud solutions.
McDaid recently presented at the RSA Conference in San Francisco offering industry-leading intelligence on mobile attacks impacting financial institutions stateside. His presentation included industry-first visualizations demonstrating how mobile short message service (SMS) attacks are targeting regional banks and credit unions across the country.
"We have found that attacks are occurring at certain times of day, at certain times of the year in certain areas of the country," said McDaid. "For example, they tend to attack around evening time and on weekends. They [cybercriminals] are trying to create conversion rates—making money—and avoid any type of defense that might be in place."
Earlier this month, the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) held its Annual Information Security Summit at the Los Angeles Convention Center. The summit focused on growing cyber threats and highlighted emerging solutions for reducing cybercrime. Additionally, the summit featured a Financial Services Security Forum.
"A financial institution is not obligated to report a cyber-criminal attack that results in a loss," said ISSA-LA President Dr. Stan Stahl who also cited Symantec data from 2013 that found more than 552 million identities were breached due to spamming, phishing, and malware. "This skews stats in a negative way."
A Closer Look At Attacks
As part of McDaid's presentation, he offered a first-ever visualization (see related graphic) featuring "solar-flare-like" patterns of regional bank and credit union attacks that occurred over a four month period ending on Martin Luther King Jr. Day 2015. In total, there were 112,220 attack messages received by banking institutions.
"What we found is that these cyber criminals really tend to focus in on smaller credit unions and banks," said McDaid. The majority of attacks occurred on Saturday and Sunday, with Sunday holding the highest share.
While there were attempts on larger banks in California, Colorado and Utah, the majority of attacks occurred in the Midwest, southern states and on the Eastern seaboard. Ohio had the highest rate of attack attempts at institutions like First Federal Community Bank. Auburn University Federal Credit Union in Auburn, Ala., also had high attack attempts.
The cybercriminals are going after members' Visa check card accounts, either by SMS or by phone call. Members receive SMS and email messages similar to this sample:
John Doe Federal Credit Union 24HRS ALERT: Your VISA Check Card #413809 is deactivated. Please call our 24 hours line (334) 209-[****].
McDaid added that the word "deactivated" is often swapped for words such as locked, frozen, limited and detained.
"Credit unions have to educate their members that they would never contact them this way," said McDaid.
Stahl, who also serves as president of the Los Angeles-based Citadel Information Group, an information security management services firm, said a reactionary approach to a cyber-attack places financial institutions at a disadvantage.
"The most important piece for all financial institutions is being prepared." Aside from regulatory compliance and incident report due diligence, he said developing relationships with law enforcement agencies can make a significant difference in recouping stolen monies.
"Let's say the cybercriminal arranges for the money to be wired overseas. That will typically go through a national bank, often times law enforcement agencies can intervene quickly, especially if there is a [standing] relationship," said Stahl.
Targeting Small CUs
One reason cybercriminals focus on small regional financial institutions is that mobile and landline numbers are allocated geographically by area code. The crooks pick an institution, message or call members whose numbers fall in its area code, and give a callback number with that same area code, so the contact looks local while they attempt to gain entry into members' accounts.
"In the last two or three years, increasing defense against SMS phishing has led to a re-emergence of mainstream voice phishing attacks via cell phone numbers," noted McDaid. The best first step against fraud, he said, is to check the number in the message against the number printed on the back of the physical card or listed on the credit union's website.
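The sample message above, the word swaps McDaid describes, and the two checks in this section (does the callback number match a published number, and does it merely share the member's area code) are simple enough to encode as a triage rule for inbound SMS. The following is an added example written for this article, not AdaptiveMobile's code; the institution name comes from the article's sample, while the callback, member and official numbers are fictional 555-01xx numbers constructed here. It also flags a quoted partial card number, since the first six digits of a card are the issuer's BIN, shared by every card the institution issues, so quoting them proves nothing about the sender.

```python
import re

# Status words the article reports being swapped into the "your card is ___" slot.
ACTION_WORDS = ("deactivated", "locked", "frozen", "limited", "detained")

# A North American number: optional +1, then area code, exchange and line.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})\b")
# "Card #413809" style hints; a four-to-six digit prefix is a BIN, not a secret.
CARD_HINT_RE = re.compile(r"(?:card|visa)\s*#?\s*(\d{4,6})\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(alert|urgent|24\s*hrs?|24\s*hours?)\b", re.IGNORECASE)


def digits_only(number):
    """Normalise a number to its last ten digits (drops +1, punctuation, spaces)."""
    return re.sub(r"\D", "", number)[-10:]


def area_code(number):
    return digits_only(number)[:3]


def triage_sms(text, recipient_number, official_numbers):
    """Score one inbound SMS.

    Returns (suspicious, callback, flags). `suspicious` is True when the
    message uses a card-status lure AND the callback number is not one of
    the institution's published numbers; the remaining flags are context.
    Plain substring matching is used for the lure words, so "unlimited"
    would also trip "limited"; tune the word list for production use.
    """
    flags = []
    lower = text.lower()

    if any(word in lower for word in ACTION_WORDS):
        flags.append("card_status_lure")
    if URGENCY_RE.search(text):
        flags.append("urgency")
    if CARD_HINT_RE.search(text):
        flags.append("partial_card_number")

    callback = None
    match = PHONE_RE.search(text)
    if match:
        callback = "".join(match.groups())
        official = {digits_only(n) for n in official_numbers}
        if callback not in official:
            flags.append("callback_not_official")
            # The article's point: attackers choose a callback number in the
            # member's own area code so the number looks local.
            if area_code(callback) == area_code(recipient_number):
                flags.append("callback_matches_recipient_area_code")

    suspicious = "card_status_lure" in flags and "callback_not_official" in flags
    return suspicious, callback, flags


# Constructed samples. SMISH follows the template quoted in the article, with a
# fictional callback number in the member's own 334 area code; LEGIT is a benign
# transaction alert that points at a published number.
SMISH = ("John Doe Federal Credit Union 24HRS ALERT: Your VISA Check Card "
         "#413809 is deactivated. Please call our 24 hours line (334) 555-0199.")
LEGIT = ("John Doe FCU: a purchase of $50.00 was made with your card ending "
         "1234. Questions? Call us at (800) 555-0100. Reply STOP to opt out.")
MEMBER = "+1 334 555 0133"                       # the recipient's own number
OFFICIAL = ["(800) 555-0100", "334-555-0100"]    # numbers on the card / website


if __name__ == "__main__":
    for label, text in (("smish", SMISH), ("legit", LEGIT)):
        suspicious, callback, flags = triage_sms(text, MEMBER, OFFICIAL)
        print(f"{label}: suspicious={suspicious} callback={callback} flags={flags}")
```

The rule deliberately does not fire on the lure words alone: a genuine fraud alert can also say a card is locked, so the deciding signal is a callback number the institution never published. The area-code flag is kept as context because, as the section explains, a matching area code is exactly what the attacker engineers, not evidence of legitimacy.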
"Another reason for the targeted attacks, for better or worse, is that credit unions may not respond as quickly as larger banks," he said. "The cybercriminals believe they have a longer time period to make the attack successful."
McDaid explained that only a minute percentage of attack attempts yield the necessary information to steal funds. But over a one-year period, he said, collectively these attacks equate to millions of dollars in stolen monies.
Educating members is critical in defending against these attacks. McDaid noted that no financial institution would contact a member in the manner of the sample message above (the Auburn University FCU case). To this end, he said that credit unions should have a dedicated page on their websites that outlines typical attack attempts and encourages members to call the credit union if suspicious activity is discovered.
"When credit unions get their intel from their security provider, they should always take a look at unusual account transaction activity around certain time periods," said McDaid.
AdaptiveMobile is currently evaluating ongoing cyberattacks and may release a similar report at the end of the year. McDaid said these crooks tend to target different regions of the country using different methods. In 2013, for example, New York state had a high rate of SMS attack attempts.
"There is no easy answer," said McDaid. "These gangs wouldn't be doing this if they weren't making money."
Stahl encourages CU executives to reach out to local chapters of the Information Systems Security Association, which offers proactive training and education materials. For example, the Los Angeles chapter has a bi-monthly forum for CFOs and other senior managers who manage IT and/or information security. The goal is to learn together, while helping respective organizations more effectively manage the financial risks associated with cybercrime.
"There is a lot of information on the website to help educate people on this space [cyber-security]," said Stahl. "The reality is that there is so much out there in the way of attacks both on financial institutions and their customers that the announcement of one more type of attack really doesn't change the landscape that much. It's not a pretty sight."