CU System Archive

Breach Aftermath: While CUs Rally, Others File Lawsuits

MADISON, Wis. (12/26/13)--The data breach Target announced last week has brought in its aftermath several class action lawsuits, compromised card numbers flooding the black market, risk analysis by various industry groups, and credit unions rallying to support members who used their debit or credit cards at the retail giant during the holidays.
As of Monday, Minneapolis-based Target was already the bull's eye in three class-action lawsuits, and attorneys general in Connecticut, Massachusetts, New York and South Dakota had asked Target for information about the breach (USA TODAY Dec. 23).
Target's breach will cost consumers and the financial industry, said the California and Nevada Credit Union Leagues, which urged federal and state officials to take action to prevent the cost of such breaches from being passed on to consumers and the financial services industry.
"When retailers have security breaches in their credit card information, they see it merely as an inconvenience, but there's also a significant financial impact on consumers and financial institutions," said Diana Dykstra, president/CEO of the California and Nevada leagues.
"Every consumer now has to keep an eye on their credit information, and there likely will be headaches for both consumers and the financial services industry, with the potential need to replace millions of cards.  It's an embarrassment for a retailer, but the breach costs fall on the shoulders of consumers and their financial institutions, like credit unions," Dykstra added.
The $5-$10 cost to reissue and deliver each new card is exacerbated by the cost incurred by credit unions to reimburse members who have lost funds due to fraudulent transactions. "California and Nevada credit unions have been inundated by thousands of calls from members concerned about their credit information in the wake of the Target incident," she said.
The breach should prompt the public and lawmakers to engage in a dialogue about the antiquated magnetic stripe technology, said the leagues. That dialogue should emphasize the need for retailers and financial institutions in the U.S. to adopt the more secure chip and PIN card technology, which is widely used in other countries and is less vulnerable to breaches, the leagues said.
Because Target's investigation into the breach is ongoing, it has not specified publicly how the breach occurred. Several security analysts have weighed in on the issue, with most experts saying they believe the incident was from an external attack. noted that one leading card issuer affected by the attack said about 40,000 of Target's 60,000 point-of-sale terminals were likely infected with malware automatically downloaded from a hacked server. Once infected, the POS devices were instructed to store and forward the magnetic stripe data from the transactions, said the publication.
Meanwhile, credit unions in Target's home state--like many all over the country--were proactively working with their members to address concerns about their data privacy in the wake of the breach, reported the Minnesota Credit Union Network (MnCUN).
"Member privacy and protection are extremely important to Minnesota credit unions," said Mark D. Cummins, MnCUN president/CEO.  "Minnesotans can continue to count on credit unions as their trusted financial partner as the impact of the data breach continues to unfold."
MnCUN noted that Star Choice CU in Bloomington, Minn., is working with its vendor and Target to determine the next steps and implement strategies to mitigate fraud on member cards. Also, SPIRE FCU, Falcon Heights, Minn., advised members to monitor credit and debit card accounts daily and directed them to contact the credit union immediately so steps can be taken to restore funds to affected accounts. SPIRE is also reviewing accounts for suspicious activity and issuing new cards as needed.
The breach compromised 40 million cards that were used at Target stores across the U.S. between Nov. 27 and Dec. 15. The Credit Union National Association is working with other organizations to keep credit unions informed. Those organizations include CO-OP Financial Services, CUNA Mutual Group, PSCU, Financial Services Information Sharing (FS-ISAC), Visa and MasterCard, as well as the Electronic Payments Coalition and NACHA--the Electronic Payments Association.

FS-ISAC told CUNA it sent a proprietary alert Friday to its member organizations with speaking points to help shape institutions' communications with consumers and media, NACHA's operational bulletin about automated clearing house issues related to Target's branded RedCard debit card, and speaking points about typical investigation processes and information sharing.  FS-ISAC, of which CUNA is a member, is also working to get a clear picture of the breach and impact, including tactics, techniques and procedures, which it will make available when the investigation concludes.

For specific information on what credit unions should do and CUNA Mutual Group's advice on alleviating risks from the breach, use the links to the News Now stories, CUs Impacted in Target Breach Get Risk Mitigation Tips and CUNA Working to Determine Impact of Target Breach on CUs.

Maine Takes Holiday Breather on 'Don't Tax' Campaign

PORTLAND, Maine (12/26/13)--Maine credit unions--like others throughout the country--are taking a brief holiday break after four months of consistent advocacy efforts in the Credit Union National Association's and the state leagues' nationwide "Don't Tax My Credit Union" campaign to preserve credit unions' tax status, but they aren't letting their guard down.
This week, shopping, eating, and visiting with family and friends are providing a respite from the tax issues. In noting the pause, the Maine Credit Union League said that credit union members in the state have generated 39,763 contacts the past four months on behalf of the Don't Tax efforts, placing them No. 9 among the states in total contacts (Weekly Update Dec. 20).
A comprehensive bill probably will be released after the first of the year, according to CUNA. Then, the nation's credit unions may have a better idea of Congress' intent regarding tax reform.
Meanwhile, bankers across the country are keeping the pressure on, pushing toward taxing credit unions, said league Director of Governmental Affairs Quincy Hentzel. "It is clear that their strategy is to attack credit unions on as many fronts as possible," she said. "Any opening they can create in a state could have a domino effect to threaten credit unions' tax status in other states and at the federal level," she added. 
"We need to remain vigilant on this issue and continue to educate our members of the incredible value they receive as member-owners of their credit union," Hentzel told credit unions in the article. "However, we want to be sensitive in regard to all you have done and continue to do and are being careful as to not have our credit unions fatigued so early on in this fight."
In the meantime, the league said it is important that the tax status issue remains visible to members and that credit unions should keep up posters, Web banners and more.
"We are expecting this to be a lengthy campaign and will be prepared to resume it in the New Year," said League President John Murphy.

Cornerstone League Recaps 2013 Advocacy

FARMERS BRANCH, Texas (12/26/13)--The Cornerstone Credit Union League, serving credit unions in Texas, Oklahoma and Arkansas, offered a recap of its 2013 advocacy efforts (The Advocate Dec. 17).
The league's efforts include:
  • Fielded more than 3,000 phone calls to the InfoSight hotline;
  • During the 83rd Texas Legislative Session, reviewed the text of 6,379 bills filed, tracked more than 220 bills that could impact credit unions, and closely monitored more than 75 bills in the final weeks as they wound their way through the legislative process;
  • Ensured passage of legislation that would increase the number of advisory directors on the state's credit union board, and stopped several proposals for rules that would have been burdensome for credit unions;
  • Obtained 85 regulatory compliance comment letters from league credit unions;
  • Continued expanding credit union membership in Cornerstone's successful grassroots program, CU: ROAR, to 74 credit union members;
  • Consistently ranked as one of the top three to four leagues in the country for rallying massive responses to the national "Don't Tax My CU" campaign, generating more than 83,000 messages to the U.S. House of Representatives and Senate;
  • Raised $465,000 for the Texas Cornerstone Credit Union League Political Action Committee, plus $223,000 for the Credit Union Legislative Action Council (CULAC). This was 105% of goal--Cornerstone credit unions have contributed more money to CULAC than any other entity;
  • Raised $3,340 for the Arkansas Credit Union League Political Action Committee--plus $20,140 for CULAC--212% of goal;
  • Sponsored a golf tournament Oct. 28 in Edmond, Okla., raising $9,954 for the Oklahoma Credit Union Political Action Committee (OCUPAC);
  • Raised a total of $49,878 for OCUPAC;
  • Filed more than 60 Texas Ethics Commission reports since 2001;
  • Developed the first political advocacy guidebook specifically for Cornerstone credit unions;
  • Developed customized "Don't Tax My CU" cards and banners for credit unions, expanding the grassroots effort to include credit union members; and
  • Published 18 Advocate newsletters and 16 special alerts or announcements devoted to grassroots, taxation and PAC activities.

Home-Equity Loan Scammer Sentenced

ALEXANDRIA, Va. (12/26/13)--The mastermind behind a Nigerian home-equity loan scam that netted millions from credit unions was sentenced to 70 months in federal prison last week.
As the alleged leader of a Dallas-based cybercrime group, Tobechi Onwuhara pleaded guilty to conspiracy to commit bank fraud, and conspiracy to commit money laundering and computer fraud, all in relation to a home-equity line of credit (HELOC) fraud scheme that attempted to steal more than $38 million and caused roughly $13 million in losses, said the Federal Bureau of Investigation Friday.
Onwuhara and his cohorts allegedly used many data points to wire thousands of dollars to their own accounts.
They began with fee-based databases to search for potential victims--people who had large balances in HELOC accounts--and match the information against commonly used security questions, the FBI said.  Once they had credit reports in hand, they impersonated the victim and authorized the transfer of available HELOC funds into an account that allowed outgoing wire transfers.
The group used laptops, prepaid cell phones and a "spoofing" service that disguises a caller's voice, redirected phone numbers and international wire transfers to steal, then hide, the money. They weren't limited to the Dallas area--they worked from hotel rooms in New York; Lagos, Nigeria; and Miramar, Fla. (The Dallas Morning News Dec. 20).
Accounts at U.S. Senate FCU and State Department CU, both in Alexandria, Va., were targeted by the cyber criminals.
Onwuhara was charged with conspiracy to commit bank fraud in 2008. He became a fugitive and was featured on "America's Most Wanted." He was arrested in Australia in December 2012 and returned to the U.S., where he pleaded guilty June 21.
Eight others were convicted for their participation in the conspiracy, said the FBI.

CU System Briefs (12/26/2013)

  • ST. LOUIS (12/26/13)--Andrew Caleb Maberry--known as the "I-55 bandit"--pleaded guilty in federal court Dec. 20 to robbing 10 financial institutions in five states. The 19-year-old was charged with robbing Scott CU, Edwardsville, Ill., in May and three other banks along Interstate 55 (St. Louis Post-Dispatch Dec. 21). During the incidents, Maberry allegedly would present a note saying he had a bomb, a gun or both. He also is accused of robbing four banks in Maryland, one in West Virginia and one in Tennessee ...
  • MOBILE, Ala. (12/26/13)--Chief financial officer and interim CEO Robert Fertitta was named president and CEO of Navigator CU, Pascagoula, Miss. (Press-Register Dec. 22). Fertitta was CFO for the $271 million-asset credit union for 17 years. He also is on the board of Corporate One FCU, Columbus, Ohio, and was a previous board member of Southeast Corporate FCU ...
  • CONYERS, Ga. (12/26/13)--Georgia United CU, Duluth, Ga., promoted Debbie Smith to CEO. Smith, who was chief operating officer at the $950 million-asset credit union, has more than 30 years of experience in operations and human resources, said Tom Dickson, board chairman (The Rockdale News  Dec. 19). Prior to her 2002 employment with the credit union, she served on the advisory board when it was known as Georgia FCU ...
  • ENTERPRISE, Ala. (12/26/13)--After a 29-year career with Army Aviation Center FCU, Jim Mitchell retired as president/CEO from the $1.11 billion-asset credit union Dec. 10.  For his "visionary leadership and unwavering commitment," the credit union dedicated its Daleville, Ala., operations center in honor of Mitchell and renamed its scholarship program (Southeast Sun Dec. 18) ...

Latest Front Line Ties Risk to Errors

MADISON, Wis. (12/26/13)--Splashy cybercrimes that feature devious hackers breaking through a giant bank's firewalls generally make front-page news. But that's far from the whole story about how consumers' confidential data gets into the wrong hands.
Research shows employee error puts sensitive data at risk far more often, Jay Isaacson, CUNA Mutual Group's credit union protection product management director, told the Credit Union National Association for the December issue of the Credit Union Front Line Newsletter.
The article was written well before Target announced last week that 40 million debit and credit card accounts were compromised in a breach. (See News Now story, "Breach Aftermath: CUs Rally to Help Members.")
Verizon data security experts analyzed more than 47,000 data "security incidents" in 2012. In these incidents, the exposure of this sensitive data didn't necessarily involve crime or result in monetary losses, but exposed gaps and oversights that could be exploited.
"Error" ranks as the largest threat category, making up 48% of all incidents, according to Verizon's 2013 Data Breach Investigations Report. Errors included lost devices, errantly addressed emails and faxes, and publishing mistakes.
Threats caused by malware and "misuse"--which covers employees' violations of data-use policies--tied for second, at 20%.
All credit unions implement various network security measures to protect data against high-tech attacks. But, according to Isaacson, employees also can protect members' sensitive data with these measures:
  • Double-check the destination of e-mails or fax numbers before hitting "send." Before sending e-mails that involve sensitive data to members or third-party vendors, first check the credit union's information security policies to determine if they permit transmitting members' confidential data. If so, best practices recommend sending only encrypted data.
  • Avoid saving data to movable memory devices--and keep laptops secure if transporting them off-site.  Laptops are a major target for thieves. Whenever possible, don't take a laptop containing members' confidential data out of the office. If laptops are taken off-site, they should never be left in plain sight in a car or unattended in a coffee shop or library, or in other situations that invite theft.
Member data saved to thumb drives, CDs or other portable media present a huge risk. That's why some credit unions lock down the USB ports and CD/DVD drives on their workstations.
Don't lose track of member data saved to external memory devices. Delete the data or destroy the disk as soon as the data are transferred.
  • Properly destroy data devices. Data storage devices such as old tape drives, disks and computer hard drives should be rendered unreadable, just as old paper documents would be shredded.
  • Beware of targeted phishing attacks. Financial services employees are at greater risk than the general public for phishing schemes. A common phishing attack tricks financial institution employees into opening an infected e-mail attachment or clicking on a link to an infected website. This automatically installs malicious software (malware) onto the work computer, possibly creating a back door into the credit union's network.
Criminals search social networks such as LinkedIn to discover employers, job titles, and e-mail addresses, and generally send phishing e-mails to a specific group of employees at a credit union--a tactic called "spear phishing."
Be careful about any e-mail that contains a link or file, even if it appears to be from a professional organization or social network. The credit union might have an acceptable use policy prohibiting employees from using credit union-owned computers for personal purposes, including surfing the Internet and/or checking personal e-mail.