Update on Fraud Involving Stolen Credentials Using CU*Talk

The last couple of weeks have seen increasing incidents of fraud where credentials are being stolen and the CU*Talk audio response system is being used to move funds fraudulently.  Several Michigan CUs have now taken a loss.

What’s Happening

In a nutshell, bad actors are finding a member’s account number and SSN, logging in to their unused but activated CU*Talk account using the standard password and changing it, then moving money into another account via an inter-member transfer. They then use a shared branch teller, ATM withdrawal, or other means to get at the funds.

In a couple cases the funds were transferred into a new membership that had recently been opened at the CU using a fake ID.  Employee and board member accounts also seem to be targeted more frequently, perhaps because of the extensive amount of board member and employee information posted on many credit union websites.

The incidents seem to be increasing in frequency (for non-CU*BASE credit unions and banks, too, by the way) since we first mentioned this back last November. Some of our prior announcements:

Are You Doing Your Due Diligence on Audio Banking?

Advice on Tightening CU*Talk Security

Xtend Fraud: Alert Fraudulent Account Openings and Money Transfers

What We’re Doing

In addition to making configuration changes as requested, we have been working directly with credit unions who’ve reported actual fraud incidents.  Remember that you do not have to auto-activate new members to use online banking. (See the tips document previously sent.) Have you examined your configurations settings and general practices to mitigate your risk?

Other things we are actively working on:

1. Disabling inter-member transfers and check withdrawals (CU*Talk only)

Since inter-member transfers can’t be deactivated for CU*Talk without affecting It’s Me 247, we are working on a project to completely disable both inter-member transfers and check withdrawals via CU*Talk.  (The options for both would simply not be available in the phone tree.)  Members would still be able to transfer within their own accounts, but there would be no way to move the $ to another account or out of the CU.

This may seem a drastic step, but at this point it’s the quickest way to stop the account-to-account transfers that seem to be the criminals’ favorite way to access funds fraudulently. We have done some analysis across the network on the frequency of inter-member transfers via CU*Talk. Among CU*Answers online CUs there are 67 CUs who have 10 or more members who posted at least one inter-member transfer during the month of July.

Since this does appear to be a fairly popular feature, we are also looking into a future project to reactivate inter-member transfers after adding new controls so you can choose to enable it or not (independent of online banking) and perhaps tie it to a member’s transfer control list.

2. Flooding the ARU Activation Flag to No for all CUs

As CUs reviewed our tips a few have requested custom floods to deactivate members not actively using audio response. We are now considering running a one-time cleanup flood on all credit union libraries. This would deactivate CU*Talk for any member who hasn’t used it in the past 60 days.

Assuming we proceed with this change, if you do not want us to run this flood, you will need to sign an indemnification indicating that you understand the risk and agree to hold us harmless should fraud happen as a result of opting out.

3. Changing the ARU Auto-Activation for New Memberships Flag for all CUs

A number of credit unions have asked for changes to their configuration settings, but surprisingly, 62.9% of our CUs still have ARU automatically activated for new memberships!  In the past given the extremely low incidence of fraud via this channel, this auto-activation method was popular as it gave new members an easy way to get started with audio banking at their convenience.  But times are changing, and we highly recommend you rethink that strategy.

Even if we run the flood already mentioned, leaving this auto-activate flag on means that over time, the number of idle accounts will increase for your credit union, increasing your fraud risk.  We are therefore considering changing the auto-activate flag in the ARU config for all credit union so that you must manually activate CU*Talk for any new members who request it.  This would, of course, require you to alter procedures for your MSRs.

Assuming we proceed with this change, if you do not want us to change this setting, you will need to sign an indemnification indicating that you understand the risk and agree to hold us harmless should fraud happen as a result of opting out.

NOTE: While we are still discussing the details, we will be making a decision very soon, perhaps within the next week or even sooner if the situation continues to heat up at other credit unions.

What You Can Do Now

Don’t wait for us to make these changes! Here are some steps to take now:

  • Take a look at your website – are your employee names and other information readily visible? Make sure that at least your insider accounts are not activated for CU*Talk unless they are in active use (i.e., a custom password has been set).
  • Review the tips and decide whether your current settings and procedures are leaving you open to potential fraud.
  • Place an order in the store to change your config setting for new memberships.
  • Review procedures for phone center, teller, and MSR staff.
  • Contact the DHD for a custom flood, especially if you wish to do something different from the 60-days inactive flood we are considering.

We will send additional communications when we’re ready to pull the trigger on any or all of the 3 projects mentioned above.  Comments or questions should be submitted to Client Services via the AnswerBook.