Despite massive gains in digital transformation during the pandemic, credit union cybersecurity strategies still lag
Digital banking usage has skyrocketed since the coronavirus broke out: 73% of U.S. adults said they’re more likely to leverage digital banking and payments while social distancing. But increased digital banking also comes with increased cybersecurity risk.
While online banking and other digital services are hardly new, many consumers and businesses that had been slow to adopt such models were pushed online when COVID-19 halted in-person transactions. And now that they’re onboarded, many may never go back. In fact, only 40% of respondents in a recent survey said they expect to return to physical branches post-COVID.
Digital adoption may have increased overnight, but many organizations’ cybersecurity strategies remain stuck in the past. Credit unions must adopt stronger remote authentication protocols — or risk data breaches that undermine their recent advances.
Cybersecurity concerns in the financial services industry
Recent data from McKinsey shows that consumers and businesses jumped five years forward in digital adoption in just two months.
Pre-coronavirus, many banks and credit unions failed to gain much traction with their online tools and services. In 2019, nearly half of U.S. banking customers used digital services infrequently or not at all. But the pandemic forced these consumers online, overwhelming digital banking platforms around the world — U.S. Bank, PNC, Fifth Third Bank, Bank of America, T.D. Bank and BB&T all experienced outages as a result of the sudden surge.
Unfortunately, outages are not the only concern as a result of mass digital banking adoption. Hackers, who were already wreaking havoc across the industry before the pandemic, have taken advantage of the chaos to execute more frequent — and more sophisticated — cyber attacks on businesses and individuals. And because of the valuable financial data they handle, banks and credit unions are subject to even higher rates of potential breaches: Financial firms are 300 times more likely to experience cyber attacks than other companies.
That’s especially worrisome when financial institutions are tasked with remotely managing in-person banking services like opening new accounts, high dollar transactions, and new or replacement card issuance. In essence, the pandemic has created a perfect storm for identity fraud. With remote account opening becoming the norm, card not present (CNP) transactions on the rise, consumer behavior analytics out-of-sync with new purchase patterns and government stimulus checks issued via direct deposit, hackers have gained access to a much larger playing field.
To make matters worse, the abrupt transition to remote work introduces even more vulnerabilities. Not only are employees using personal devices and non-secure networks from home — where roommates, spouses or school-aged children may unknowingly let hackers in — many are nervous and distracted by the crisis, making them more susceptible to phishing attacks. Despite 81% of respondents stating they were aware of COVID-19-related phishing attacks in a recent survey, a full 24% admitted to clicking on a COVID-related email from an unknown sender.
Additionally, because many financial institutions still rely on usernames and passwords to authenticate employees, poor password hygiene remains a huge challenge. In the same survey, 42% of respondents admitted to physically writing their work-related passwords down, 31% said they digitally capture passwords on their smartphone or computer, and nearly 20% said they use the same password across multiple work systems, increasing the risk of a sensitive data breach should one password become compromised.
And to top it all off, hackers have also begun breaching credit unions through customer-targeted COVID-related phishing scams. One such scam involved the impersonation of the Virginia-based Navy Federal Credit Union via fake email accounts used to trick users into disclosing their login credentials.
Now more than ever, the ability to securely verify identities remotely is critical to your credit union’s continuity.
How to prepare for the future of banking
It’s clear that COVID-19 has accelerated digital transformation efforts in banking, recasting systems and workflows built around physical branches and in-person identity checks into truly digital user experiences. And while the virus may be temporary, the effects on banking will be long-lasting. Banks and credit unions should expect online platforms to increasingly replace physical branches, as well as increased competition from challenger banks and fintechs.
To compete in the digital-first future of banking, your credit union must implement robust cybersecurity practices to protect yourself, your customers and your reputation:
- Stronger password strategies: As cybercriminals become more sophisticated in their attacks, so should your password strategies. Single-factor authentication (i.e., a username and password) is no longer sufficient to keep out bad actors. And with so many employees working from home, unsecured networks and poor password hygiene introduce an increased risk of security breaches.
According to the recent State of Remote Work Cyber Security Survey, a clear majority of employees (63%) are connecting to their company’s VPNs during the pandemic, yet they’re also using unique passwords to access various company resources (64%), rather than a more secure solution like single sign-on (SSO). It’s evident there’s a massive opportunity for security breaches that could be offset by stronger password strategies like multi-factor authentication (MFA) or passwordless solutions.
- Biometric authentication: To put it simply, passwordless solutions, like biometric authentication (e.g., fingerprint or facial recognition), ensure that the credential holder is, in fact, the credential owner.
Passwordless solutions work by creating a secure digital identity on the employee’s mobile phone using a certificate from a Public Key Infrastructure (PKI) — a cybersecurity framework needed to manage public-key encryption and digital signature services — that can be unlocked via biometric authentication. The transition to passwordless solutions is similar to the way unlocking an iPhone has evolved over the years, from inputting a passcode to providing a fingerprint to using facial recognition.
Additionally, consider deploying high-assurance authentication, which uses multiple authenticators like one-time passwords, phone biometrics and smart cards, to ensure corporate assets and the digital identities of your employees and customers are protected.
- Encrypted document signing: Encryption technology ensures that an e-document will not be tampered with or impersonated by a bad actor whenever a customer has to sign documents electronically — whether it’s for a loan or opening a new bank account.
Digital signatures are widely considered best practice for the digital verification of electronic transactions because they provide “non-repudiation” — the assurance that the document came from the original author and has not been changed since it was digitally signed. Encrypted document signing is particularly useful in workflow processes that require more than one approval, like many financial forms and back-end or administrative documents.
- Remote customer onboarding: Even though more branches are reopening their lobbies, customers may still hesitate to visit physical locations for routine tasks like opening a new account or adding a credit card. Secure mobile ID proofing services allow customers to complete all the necessary authentication steps from home using their mobile devices.
Any smartphone owner will find these cloud-based identity verification services seamless to use. Customers are simply asked to upload a photo of a government-issued ID and take a selfie as part of the digital application process, making it possible to open a new bank account remotely in about 60 seconds. AI-powered authentication technology then analyzes the ID, selfie and mobile device to ensure secure identity verification.
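The multi-approval signing workflow described under encrypted document signing can be sketched as follows. This is an added Go example, not code from the article or from any vendor product; Ed25519, the approver names and the loan form text are assumptions chosen for illustration. Each approval signs the document together with every earlier signature, so altering the form after signing, reordering approvals, or signing with a key that was never enrolled all fail verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Approval struct {
	Signer string // name the verifier looks up in its enrolled-key table
	Sig    []byte // Ed25519 signature over payload()
}

// payload binds document, signer and all earlier signatures (length-prefixed).
func payload(doc []byte, signer string, prior []Approval) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s|", len(doc), doc, len(signer), signer)
	for _, a := range prior {
		h.Write(a.Sig)
	}
	return h.Sum(nil)
}

// Approve returns a copy of the chain extended with signer's signature.
func Approve(doc []byte, signer string, key ed25519.PrivateKey, chain []Approval) []Approval {
	return append(chain[:len(chain):len(chain)], Approval{signer, ed25519.Sign(key, payload(doc, signer, chain))})
}

// VerifyChain returns how many approvals, in order, verify against enrolled keys.
func VerifyChain(doc []byte, chain []Approval, keys map[string]ed25519.PublicKey) int {
	for i, a := range chain {
		if pub, ok := keys[a.Signer]; !ok || !ed25519.Verify(pub, payload(doc, a.Signer, chain[:i]), a.Sig) {
			return i
		}
	}
	return len(chain)
}

// Demo: constructed loan form, two hypothetical approvers, one copy altered after signing.
func Demo() (intact, altered int) {
	doc, keys := []byte("loan form: amount=25000 USD"), map[string]ed25519.PublicKey{}
	var chain []Approval
	for _, name := range []string{"loan-officer", "branch-manager"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keys[name], chain = pub, Approve(doc, name, priv, chain)
	}
	return VerifyChain(doc, chain, keys), VerifyChain([]byte("loan form: amount=95000 USD"), chain, keys)
}
func main() { fmt.Println(Demo()) }
```

The verifier's key table is what ties a signature to a person: non-repudiation holds only as long as each private key stays under its owner's sole control, for example behind the biometric unlock described earlier.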
Credit unions made massive progress in their digital transformation plans in recent months, forever changing the future of banking. But cybercriminals will continue to become more sophisticated in their attacks, so it’s essential for your credit union to become more sophisticated in its defense.
Cindy Provin is SVP & General Manager for Authentication and HSMs at Entrust Datacard. In this role, Ms. Provin leads a world-class team of security professionals who empower organizations by delivering trust, integrity and control to their business-critical information and applications.