02:44 PM
Connect Directly

Credit Unions Hacked More Than Banks

One vendor’s research shows FIs should never rest on their laurels, no matter their size or visibility.

Are credit unions the preferred target of hackers — more so than banks? According to a one-year study conducted by IT security services provider SecureWorks (Atlanta), the answer appears to be yes.

Limited as this research might seem, it does suggest some interesting trends. SecureWorks tracked its 600 bank and 500 credit union customers from February 2005 to March 2006 and found that, as a whole, credit unions were attacked 67 percent more than its bank clients. Although its larger bank customers were harassed more as an individual group (968 daily attacks for banks in the $10 billion asset range, and far fewer for smaller banks), credit unions, no matter their size, were definitely the favorite target. SecureWorks blocked an average of 767 attacks per credit union per day.

These results are somewhat surprising to Jon Ramsey, CTO with the company. “Credit unions aren’t very well known when compared to banks,” he says. “You think foreign entities wouldn’t know about them. And a lot of credit unions have the opinion that they have nothing [a cyber criminal] would want. The irony is, that’s the attitude hackers look for.”

Elizabeth Clark, VP of corporate communications with SecureWorks, agrees. “We have customers sitting out in Bismark, N.D., and they ask us how anyone would even know they’re a credit union. Some of them don’t even have the words ‘credit union’ in their names.”

There’s no such thing as anonymity in the Internet Age, comments Ramsey. A simple search with Google, the FDIC or NCUA produces just the results hackers seek. “Hiding is not a very valuable security strategy,” he notes.

Ramsey is quick to point out that credit unions are no less secure than banks. In fact, he believes the financial services industry in general is quite security conscious, but that there’s always room for improvement. “The way you protect yourself today might not be enough for tomorrow,” he relates. “Hacking is an incredibly organized, efficient money-making endeavor.”

Indeed, cyber criminals are constantly engaged in finding new ways to thwart banks’ security systems. Ramsey says the new trend financial institutions need to be aware of is targeted attacks. “[Hackers] will look to a specific application within a particular credit union or bank,” he explains. “They do this because no one knows about these proprietary applications, so you don’t see patches coming from the big vendors. They look for the weakest application.”

Furthermore, companies should never breath a sigh of relief after repairing a vulnerability, Ramsey warns. “If someone gets compromised and they fix it, this still tends to draw a lot of attention to that organization. Hackers figure if they can get in once, they can get in again.”

Ramsey thinks that one problem facing financial institutions today is that some of them still need to get their heads around the concept of security as more than just a vault. “Some financial institutions have trouble speaking the language, so they just follow the regulatory guidance and go find a vendor who offers multi-factor authentication. There’s no one silver bullet,” he says.

Also, look for things to start heating up again with the spread of SQL injection attacks, Ramsey suggests. SQL injection is a type of security exploit in which the attacker adds structured query language (SQL) code to a Web form input box to gain access to resources or make changes to data. With this technique, hackers can determine the structure and location of primary databases and can download the database or compromise the database server. The Secret Service recently issued an advisory about this type of hack, according to Ramsey.

Like many in the industry, Ramsey advocates a layered approach to security for financial institutions. “You need a defense in depth, like a castle,” he explains. “You need the right technology (your weapons), experts who know how to use the weapons, processes for doing all this and good information. Remember, your highest priority isn’t necessarily your core processing system, but it might be a secondary system instead.”

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.