Credit unions have long been popular alternatives to mainstream banks. In the U.S., credit union median asset growth over the year ending in Q2 2020 was 10%, although membership declined slightly by 0.3% for the same period. To compete with traditional banks, credit unions have to do more outreach and do their best to modernize banking methods with smaller budgets and staffs.
However, more outreach and modern banking mean more internet exposure and a larger attack surface, as updates are needed for portals, applications, tools and services. Internet exposure increases risk, especially for credit unions that are migrating to the cloud with “tech debt.” Tech debt covers a lot of ground, but think of it as aging technology that lacks advanced security features like data encryption and has poor patch management. A shortage of IT cybersecurity skills and other conditions can also compromise cybersecurity. Some credit unions, for example, still use modems to validate information between ATMs and the data center.
The attack methods used against credit unions are designed to get into your business and steal sensitive data. Based on Nuspire research, some of the top threats are:
Directory traversals take advantage of web security vulnerabilities to gain access to file systems that store sensitive data or intellectual property. This method of attack is designed to access restricted directories, read files and execute commands – potentially redirecting information to another site. Target data includes code, credentials and sensitive operating system files.
Port scans involve an application that probes a server or host for open ports. Scans are used by administrators to verify network security policies and by attackers to identify network services running on a host and to exploit vulnerabilities. These “knocks on the door” look for opportunities to use malicious software to access the web environment.
DoublePulsar, which often is an insider threat, gives cybercriminals control of a computer system. It uses three commands – ping, kill and execute. The latter loads malware onto a system that can skim information such as Social Security numbers.
Heartbleed is a security bug in the OpenSSL cryptography library that is used to implement the Transport Layer Security (TLS) protocol. Credit unions running legacy technology and those that don’t keep up with code releases are at higher risk of attacks, which focus on routers and switches.
By understanding credit union-specific threats, you can implement appropriate security controls. This paper describes top attack methods and the steps you can take to thwart malicious activity.
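An added example, not from the original paper: one control against the directory traversal attacks described above is to resolve every requested file path and reject any that lands outside the permitted directory. `BASE_DIR`, the function names and the request paths are assumptions constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote

# Hypothetical document root for a member portal's static files (assumption).
BASE_DIR = Path("/srv/portal/static")


class TraversalError(ValueError):
    """Raised when a requested path would leave the permitted directory."""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so '..%252f' is recognised as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise TraversalError("too many layers of percent-encoding")


def resolve_under(base: Path, requested: str) -> Path:
    """Return the absolute path for `requested`, or raise if it escapes `base`."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    base_resolved = base.resolve()
    # Strip leading slashes so an absolute path cannot replace the base,
    # then let resolve() collapse '..' segments and follow symlinks.
    candidate = (base_resolved / decoded.lstrip("/")).resolve()
    if candidate != base_resolved and base_resolved not in candidate.parents:
        raise TraversalError(f"path escapes {base_resolved}: {requested!r}")
    return candidate


def is_contained(base: Path, requested: str) -> bool:
    """True when `requested` resolves to a location inside `base`."""
    try:
        resolve_under(base, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed request paths, not taken from any real log.
    for path in ["css/site.css", "css/../index.html", "../../etc/passwd",
                 "..%2f..%2fetc%2fpasswd", "..%252f..%252fetc%252fpasswd",
                 "..\\..\\windows\\win.ini"]:
        print(f"{path!r:40} allowed={is_contained(BASE_DIR, path)}")
```

Repeated decoding is a deliberately conservative choice: a legitimate file name that contains a literal percent-encoded sequence would need an explicit allowance.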