Increasing threats of cyberattacks against financial institutions – which are not only growing in size, but targeting more valuable personally identifiable information – have led to increased scrutiny of risk management programs.

There are no shortcuts when it comes to establishing an effective, end-to-end cybersecurity program, and in an age when massive data breaches are becoming the norm, complacency is extremely hazardous. One major area of concern involves what happens to stolen data after a breach occurs, as an incident's repercussions often spread outside the breached organization.

The Vancouver-based cybersecurity company NuData Security monitored and evaluated 5.1 billion actions that took place from May through July 2015, and discovered a number of emerging trends, including a growing number of account takeovers. Of the more than 500 million account creations analyzed, more than 57% were flagged as high risk or fraudulent, compared to 28% in February through April 2015.

“We are seeing all these accounts created using stolen data,” Ryan Wilk, director of customer success at NuData, said.

Account takeovers, in which fraudsters steal an established account with personally identifiable information attached to it, are topping credit card fraud, and account creation fraud has increased by more than 100% since February 2015.

NuData predicts and prevents online fraud, protecting businesses from reputational damages and financial losses caused by fraudulent or malicious attacks.

“We monitor different touch points in the user's environment,” Wilk explained, adding that identifying trends helps organizations better understand how users interact within their environment, allowing them to either substantiate the positives or understand the potential risks.

Although some credit unions and other financial institutions are getting much better at identifying account takeovers, criminals are changing their techniques to circumvent adopted controls.

“It's really quite difficult to identify these types of false accounts using a lot of traditional techniques,” Wilk noted.

Financial institutions can have trouble finding anomalies because bad actors often use valid stolen information such as phone numbers and addresses to create new accounts.

In order to protect their brand and members, credit unions must figure out how to detect the fraudsters utilizing an increasing amount of personally identifiable information. They must verify users' identities as well as confirm the behavior behind each transaction is that of a valid user – and that's where user behavior analytics plays a vital role.

Wilk said NuData's NuDetect product harnesses behavioral attributes and passive biometrics to establish how legitimate accountholders actually act. It's a relatively new and somewhat unusual form of biometric security analysis, which relies on user-specific, subconscious patterns of behavior that emerge through repetitive human actions such as typing, scrolling or holding a phone. Once a reliable set of data has been gathered for a particular user as a standard, the system can then detect unusual behavior and identify it as a security risk.
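To make the baseline-then-deviation mechanism concrete, here is an added example; it is not NuDetect's code, which the article does not describe. One passive signal, inter-keystroke timing in milliseconds, is collected over enrolment sessions, summarised into a per-user standard, and each new session is scored against it. The enrolment data, the two test sessions, the thresholds and the flag names are all constructed for illustration.

```python
import math
import statistics

# Constructed sample: inter-keystroke intervals (milliseconds) captured during
# three enrolment sessions of one legitimate user. Real systems collect many
# more signals (scroll velocity, device orientation, touch pressure); one is
# enough to show how a standard is built and then compared against.
ENROLMENT_SESSIONS = [
    [180, 195, 172, 210, 188, 176, 201, 190],
    [185, 178, 199, 182, 192, 174, 205, 187],
    [179, 191, 186, 203, 177, 194, 183, 196],
]


def build_baseline(sessions, min_samples=20):
    """Summarise enrolment sessions into a per-user standard.

    Refuses to produce a baseline from too little data: a profile built on a
    handful of keystrokes would flag the genuine user as often as an impostor.
    """
    intervals = [i for session in sessions for i in session]
    if len(intervals) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(intervals)}")
    return {
        "mean": statistics.fmean(intervals),
        "stdev": statistics.pstdev(intervals),
        "n": len(intervals),
    }


def score_session(session, baseline, z_threshold=3.0, uniformity_ratio=0.2):
    """Compare one new session with the baseline; return why it looks unusual.

    Two checks: the session's average rhythm is far from the user's own
    (z-score of the session mean), or the timing is far more regular than a
    human produces (a script replaying stolen credentials tends to type with
    near-constant intervals).
    """
    reasons = []
    session_mean = statistics.fmean(session)
    session_stdev = statistics.pstdev(session)
    # Standard error of the session mean if drawn from the baseline distribution.
    standard_error = baseline["stdev"] / math.sqrt(len(session))
    if standard_error == 0:
        z = 0.0 if session_mean == baseline["mean"] else math.inf
    else:
        z = abs(session_mean - baseline["mean"]) / standard_error
    if z > z_threshold:
        reasons.append("rhythm_differs_from_baseline")
    if session_stdev < uniformity_ratio * baseline["stdev"]:
        reasons.append("timing_too_uniform")
    return {"z": round(z, 2), "reasons": reasons, "flag": bool(reasons)}


# Constructed test sessions: the same user on a later login, and an automated
# replay of the same credentials.
LEGITIMATE_SESSION = [183, 190, 178, 197, 186, 192, 181, 200]
SCRIPTED_SESSION = [120, 120, 121, 120, 120, 121, 120, 120]

if __name__ == "__main__":
    baseline = build_baseline(ENROLMENT_SESSIONS)
    print("baseline:", baseline)
    for name, session in (("legitimate", LEGITIMATE_SESSION), ("scripted", SCRIPTED_SESSION)):
        print(name, score_session(session, baseline))
```

The minimum-sample guard is the part worth copying: the article's phrase "once a reliable set of data has been gathered" is doing real work, because a standard built too early produces false positives against the account's own owner.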

Another cybersecurity challenge facing credit unions involves the vetting of technology tools and applications being developed to accommodate member demands. While the code is being written for these tools and applications, security vulnerabilities can pop up.

“The big difference between the large banks and the mid-tier banks and credit unions is that the big banks have a lot of software developers and they build a lot of their own code, so they have more control over the quality of the code,” said Drew Kilbourne, managing director at the Dulles, Va.-based software security firm Cigital.

For credit unions, gaining control over code means building solid security initiatives inside System Development Life Cycles. Cigital works as a mentor with financial services organizations to ensure the software they develop is secure and adheres to industry security regulations while meeting consumer demands.

Kilbourne explained Cigital uses the Building Software Security in Maturity Model, which provides a data-backed comparison of a program against a security industry standard. Cigital's BSIMM assessment helps prioritize objectives and determine which strategies make sense for a credit union.

During a BSIMM engagement, Cigital interviews individuals involved with software security within an organization. This includes speaking with team members who define and administer sensitive security information, and engineers who design, develop and deploy applications. BSIMM is not a standard; instead, it describes a set of activities practiced by 67 of the most successful software security initiatives in the world. It's also designed to help address security throughout a development process, rather than test for bugs and flaws at the tail end.

Cigital also helps organizations incorporate guidelines into their development cycles and ensure compliance using security governance – a framework of policies, standards and processes that form a structure for making decisions and defining expectations. The company said good business processes are transparent, align with a credit union's culture and provide cost-effective value to all stakeholders.

According to Cigital, the vast majority of firms do not have a software security governance program in place, meaning they have neither secure SDLCs nor systematic control over the security postures of their application portfolios.

“We focus on helping them,” Kilbourne said. “That is everything from building controls around architecture and design to requirement definitions through testing software, dynamic testing tools and penetration testing.”

Cigital engages organizations in three key ways:


  • Developing programs or initiatives. “You have got to build a secure SDLC so when you develop software you build secure software,” Kilbourne said. “We will help build out those capabilities. We help the organization become more mature, period.” Cigital starts with BSIMM and from there provides roadmaps and processes.

  • Making assessments. “At some point you need to test – you have to find what you need to fix,” Kilbourne noted. “Our mantra is: Find, fix and prevent.” But credit unions have to find the defects first. Cigital does that through traditional, manual hacking and various methods of dynamic and static testing.

  • Creating products. This involves challenging developers to build more secure code up front. Cigital uses Codiscope SecureAssist to identify security vulnerabilities and enables developers to immediately fix problems.

Codiscope SecureAssist, which integrates directly into development environments, is not just a testing tool – it's a teaching and productivity tool, Kilbourne explained. It teaches secure coding practices and improves developer productivity by identifying design flaws or vulnerabilities, explaining the issues at hand, and providing contextual guidance for resolving them in a timely manner.

“We leave a foundation in place that allows developers to secure code and grow,” Kilbourne said. “If you are going to build policy for them, you have to have them involved, you have to build something that will fit the culture that they will use.”

If a credit union doesn't build its own code, Cigital can spend a few weeks helping it build out the basis of a vendor management program. Kilbourne stated that financial institutions acquire most of their code from third parties.

“So the challenge is how to manage the quality of the software that your vendors are creating,” he said. “What we are seeing out in the industry is some vendors are being told to build a security program that creates a secure SDLC or they are not going to do work anymore, because [institutions] cannot take the risk.”

What are some of the security risks posed by banking applications? According to one security expert, it's not second-guessing the user.

“The biggest risk is placing too much trust in the user being computer savvy and the security of the user's device,” Adam Harder, director of mobile engineering at the Arlington, Va.-based cybersecurity firm Endgame, said. “The actual security posture of the user's device will vary dramatically from vendor to vendor and model to model.”

Harder emphasized that Samsung, Motorola, RIM, Nokia, Microsoft and Apple devices, for example, carry different vulnerabilities and require different types of protection against physical intrusion.

“In practice, what we commonly see are applications not checking the validity of SSL certificates, storing credentials and other sensitive info in the clear on the device,” Harder added. “An application developer simply cannot assume anything about the devices their app will be installed onto, and the least secure configuration possible should be assumed. The device is not a safe place to store sensitive data.”
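Harder's two observations, certificates that are never validated and credentials kept in the clear on the device, as an added example that is not Endgame's code or anything from the article. It is written against Python's standard ssl and json modules rather than a mobile SDK, so it is the shape of the defect and of the check that carries over; the function names, the credential field list and the sample storage document are assumptions made for the example.

```python
import json
import ssl

# --- 1. Certificate validation -------------------------------------------------

def insecure_client_context():
    """The first defect in the quote: the client accepts any certificate.

    With verification off, anyone on the path between the device and the bank
    (a hostile Wi-Fi hotspot, for instance) can present their own certificate
    and read or alter the traffic. Kept here only so the audit has something to flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_client_context():
    """What the client should do: validate the chain, match the hostname, refuse old TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx):
    """Return the weaknesses in a client SSLContext; an empty list means it passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


# --- 2. Credentials persisted in the clear -------------------------------------

# Field names treated as credentials; an assumption made for this example.
CREDENTIAL_FIELDS = {"password", "pin", "card_number", "cvv", "ssn"}


def find_plaintext_credentials(storage_json):
    """Walk a JSON document the app wrote to device storage and return the paths
    of credential-like fields that hold a value. The remedy is not to persist
    them at all: keep a short-lived, server-issued token instead."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        else:
            leaf = path.rsplit(".", 1)[-1]
            if leaf in CREDENTIAL_FIELDS and node not in (None, ""):
                findings.append(path)

    walk(json.loads(storage_json), "")
    return findings


# Constructed sample of what an app might leave in local storage; every value is fake.
SAMPLE_STORAGE = json.dumps({
    "username": "member123",
    "password": "constructed-sample-secret",
    "session_token": "opaque-short-lived-token",
    "profile": {"nickname": "m", "card_number": "4111111111111111"},
})

if __name__ == "__main__":
    print("insecure context:", audit_tls_context(insecure_client_context()))
    print("hardened context:", audit_tls_context(hardened_client_context()))
    print("plaintext credentials at:", find_plaintext_credentials(SAMPLE_STORAGE))
```

The two audit functions are the reviewer's side of Harder's point: one inspects how the client was configured to talk to the server, the other inspects what the app leaves behind on a device that, as he says, cannot be assumed to be a safe place to store anything sensitive.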
