Posts tagged ‘FBI’

How secure are your home offices?

As the person ultimately responsible for mitigating both legal and compliance risks to your credit union, you don’t need to know all the answers, but you need to know what questions to ask. One of the questions you should be asking your IT team about is how safe your virtual private network (VPN) is. 

Recently, the FBI and the CISA issued a joint guidance warning companies in high-profile industries, including the financial sector, that they are being targeted by increasingly sophisticated attempts to gain access to virtual private networks. Think about it – a little more than six months ago, we were all concerned about personally identifiable information being sold on the dark web. According to these reports, there is a growing market for VPN identification. Given the sudden movement towards remote work, this trend was inevitable, but the more remote work becomes the norm rather than the exception, the more examiners will be expecting to see what steps your credit union is taking to prepare. 

As explained in this joint examiner guidance released in June, “examiners will review the steps management has taken to assess and implement effective controls for new and modified operational processes. Examiners will assess actions management has taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment. Examiners will also review how management has assessed institutions’ third parties’ controls and service delivery.” In addition, NCUA has emphasized that information technology remains a top priority during the pandemic. 

Some of the techniques being used can be guarded against regardless of the size and sophistication of your institution. For example, the highly influential KrebsOnSecurity posted a blog in August describing increasingly brazen vishing attacks in which hackers contact employees pretending to be from the company’s IT department, requesting login information to access the employee’s account. According to Krebs, this technique is particularly effective against newer employees, who are interacting with their IT department for the first time.

Finally, some of the classics are also being used. Good old fashioned emails requesting login information are still being responded to, reminding us yet again that our computer systems are only as safe as our most technologically inept employees allow them to be. Full disclosure – there are weeks when I talk to the IT department more than I talk to my own kids. 

What this means for your day-to-day is that you may want to remind employees not only that they should be aware of suspicious emails, but also who they are talking to, particularly if they receive a proactive phone call. In addition, this is yet another example of why one of the trickiest parts of remote working is going to be onboarding new employees. My personal suggestion is that even if an employee is going to work remotely, a lot of the orientation process should still be done live and in-person. 

September 22, 2020 at 9:51 am

Ransomware is Getting Worse. What Steps are You Taking?

The use of ransomware is on the rise as a new business model makes it even more likely that your credit union, irrespective of size, will one day have to decide whether or not to pay off hackers who have frozen you and your members out of your computer system. Here’s a look at why I am trying to scare you a little.

Ransomware is the crime of hackers infecting your computer systems with a virus which makes it impossible for users to access the information they need to do their jobs. The hacker offers to unlock the blocked software, but only after the victim agrees to pay a ransom, usually in the form of bitcoins. While the highest profile examples have involved cities such as Baltimore, it is an increasingly common form of attack against businesses of all sizes.

Recently, it has gotten even more attention. On October 2, 2019, the FBI issued an updated public service announcement warning citizens that ransomware attacks “are becoming more targeted, sophisticated and costly, even as the frequency of attacks remains constant.” Troublingly, the FBI informs us that since 2018, the incidence of indiscriminate ransomware attacks has sharply declined, but the cost of such attacks has increased, presumably because hackers are getting more selective and better at targeting their victims.

In addition to the FBI PSA, the blogosphere has been analyzing the implications of research performed by McAfee Security Firm, which underscores just how lucrative and organized hacking has become. It appears that the people who make really big money in ransomware these days are the entities that create the ransomware viruses, but then essentially license that technology to groups and individuals hoping to make money off ransomware attacks. In other words, computer crime has become so sophisticated and easy to sell on the web that hackers now effectively license their technology in return for a piece of the ransom payments received by the licensee. Just how profitable is this model? Well, when the previous kings of ransomware as a service announced their retirement from the business in late May, they had made an estimated $2 billion in profits. Yes, that’s billion with a b. Not surprisingly, a new criminal enterprise called Sodinokibi is filling the void. What’s more, according to research done by McAfee, the average ransom is $4,000, but estimates as to the average ransom vary widely.

The point of all of this is that your credit union should be aware of the possibility of a ransomware attack, take appropriate countermeasures and have plans in place should an attack be successful. For instance, a little more than a week ago, CUNA organized a simulated ransomware attack for credit unions. I wish I had thought of this idea first; it’s a great idea, as it forces credit unions to game plan for this very real scenario.

Then of course there are the preventative measures you can take. Here is a baseline list of measures outlined by the NCUA.

Finally, from the perspective of someone who loves technology but needs his kids to set up his Kindle, it seems to me that one of the most basic steps you could take is to have a rigorous system backing up your data. Then again, this is no panacea. First of all, backing up all of your data on a daily basis is not cheap. In addition, given how interconnected everything is these days, you have to take extra steps to ensure that ransomware doesn’t infect your backed up data.

The one thing I think we all can agree on is that the ransomware threat, which has actually been around in its earliest form since the 1980s, is here to stay. It is another one of those chronic problems that need to be managed and not ignored. After all, in the immortal words of Woody Allen, crime does pay, and the hours are good.

October 22, 2019 at 9:15 am

Three Things You Should Know On A Beautiful Thursday Morning


Cyber Mortgage Fraud Continues to Surge

With apologies to those of you who consistently read my blog, this morning I am once again highlighting the dangers that email and other online activities pose to your credit union. I know I’ve touched on this theme a lot lately, but that is because this is among the biggest issues that affect all credit unions irrespective of their size.

In this excellent article in this morning’s American Banker, the paper points out that “Verifying identities continues to be a tricky proposition for banks as cybercriminals diversify and increase their attacks — especially when it comes to wire transactions.” The key point is that these attacks can be as useful against smaller to medium size credit unions as they can be against larger banks.

In July the FBI issued this updated public service announcement in which it noted that between December 2016 and May 2018 there has been a 136% increase in identified losses caused by compromised business emails. These compromises involved both small and large businesses.

Furthermore, mortgage lending is a particularly favorite target right now. According to the FBI, virtually every stage and participant in the mortgage process is being targeted ranging from real estate attorneys, title insurers, lenders and of course the homebuyer.

All of this underscores the need to take steps to mitigate inevitable losses. In an upcoming blog I will be talking about some important cases evaluating cybersecurity insurance and its limits.

NCUA Board Meeting

There’s a lot to pay attention to at today’s NCUA board meeting. Most importantly, NCUA is going to be proposing raising the threshold for credit unions to be subject to the Risk Based Capital requirement from $100 to $500 million. NCUA will also be proposing delaying the effective date for the new rule.

What the Mets Can Teach You About How Not To Manage Your Business

One of the books that anyone in any business should read is Thinking, Fast and Slow, a memoir by Daniel Kahneman, who is considered the father of behavioral economics.

One of the things he points out is that businesses and people tend to overvalue what they own, often to their detriment. For example, you show me someone with a “For Sale by Owner” sign up in their front yard and I’ll show you someone who insists they can get at least $30,000 more for their house than the seasoned real estate broker they talked to said they could. Another more practical example: Has your credit union ever been a little slow in starting collection or foreclosure actions because of its sentimental attachment to the borrower or an unwillingness to admit that the underwriting was wrong?

What does this have to do with the Mets? On Tuesday, the New York Mets could have traded three of their starting pitchers and replenished their entire Minor League system. Instead they turned down amazing offers including reportedly from the Yankees. That night they lost 25-4. I’m glad I’m not a Met fan.

August 2, 2018 at 9:32 am

Rangel Wrangles Another Victory and the G-Men Get Their Man

The U.S. Attorney for the Southern District of New York and the FBI announced the completion of a sting operation worthy of “The Sting.”  

For the last two years, federal authorities have had a password-protected website dedicated to selling stolen credit and debit card information.  Go to the site and you could bargain for anything from the information obtained from card data strips to advice on setting up phony addresses and share thoughts on the merchants least likely to catch the use of stolen cards for online transactions.  According to the press release, more than 400,000 instances of identity theft were identified as a result of the FBI site.  People were arrested across the globe, including twelve Americans. 

We justifiably love to point out the burden imposed by regulations.  Few regulations made credit unions howl louder than the requirement that credit unions identify and guard against instances of identity theft and take special precautions to verify address changes.  But it is precisely these types of activities taken as a whole that can, if not eliminate, then minimize and deter the type of identity theft uncovered by the FBI.  If I were in charge of data security at a credit union, I would review instances like this to see if they indicate the emergence of new trends that the credit union should guard against.  Remember, data security doesn’t end with the credit union’s policy.  A good program recognizes the dynamic nature of fraud and does what it can to guard against new trends as they arise.  I’ll get off my soapbox now.

Rangel Wins 

Political legend has it that Gerald Ford went to bed on election night in 1976 so confident that he had beaten Jimmy Carter that he was shocked the next morning when told the bad news.  I had to do a double take this morning when I read the news that Harlem’s four-decade Congressman, Charlie Rangel had survived his toughest primary challenge yet when he defeated State Senate Democrat Adriano Espaillat by five percentage points.  Political wisdom had it that the Harlem District, which is growing more Hispanic, would end the career of the aging Congressman.  Once again, conventional wisdom took a beating. 

Incidentally, the Association will soon be coming out with a detailed look at the recently concluded NYS Legislative session and the primary election results.


Gone Fishing

I will be heading off on vacation for the next week, so I probably won’t be greeting you every morning, but if something happens that demands a blog, I will post.  See you soon.

June 27, 2012 at 8:16 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
