Miscellaneous Password Projects
Although the changes below aren’t specifically related to P2P, they were prompted by what we have been learning from P2P. Enhancements are being planned that will further strengthen the security of passwords and security answers:
- Allowing members to create passwords up to 256 characters long.
  NOTE: The minimum required length won’t change, although your CU could elect to adjust that if you like. For example, if you currently use a minimum requirement of 8 characters, you could choose to set it to 10 or 12 characters.
- Moving passwords to a new file, separate from files used for other non-encrypted data.
- Adjusting encryption strength and other details to obscure the password even further.
- Adding similar encryption to the answers for security questions.
Status: Implemented in the 18.03 release.
P2P and Cybersecurity
Seems like at least once a week you read in the news about cybersecurity attacks. If a bad actor somehow gets hold of a member’s online banking credentials, any feature that can remove money from the member’s account is a particularly tasty target.
Of all of the new mobile features our credit unions are rolling out these days, none has quite so high a security profile as the P2P feature available via the It’s Me 247 online bill pay (Paymentus) platform. Some of our CUs recently learned first-hand about this reality when member credentials were used to log in and initiate some fraudulent P2P transactions.
CU*BASE Alert dated 9/1/2016: Hacker Using Member Credentials to Send P2P Payments
CU*BASE Alert dated 2/2/2017: Member Credentials Used to Send Fraudulent P2P Payments
NOTE: You must be on our network to view these alerts.
In all of these situations the forensics showed that these members were victims of identity theft, as logs confirmed that proper credentials had been used to log in to the accounts in online banking. As we did then, we encourage CUs to remind members to keep their hardware and software up to date and use tools to protect themselves against viruses and malware. Credit unions should also have security protocols and other routines in place to monitor for suspicious activity.
While security breaches like this seem to have become a way of life in today’s online world, we are always looking for new ways to stay one step ahead of the bad guys. To that end, CU*Answers is working on a number of projects with the specific goal of making it as difficult as possible for your members to become another statistic.
The Future: Stopping Fraud Before It Happens
The projects outlined above are just the beginning. Throughout 2018 and 2019 we’ll be launching other projects that will incorporate automated service denial mechanisms into our online tools.
What does that mean? We’ll be able to evaluate a suspicious person or situation right at the point of the interaction and stop a potentially fraudulent transaction from ever being initiated in the first place. Instead of waiting until after the transfer hits someone’s watch list, we’ll be able to keep it from being posted at all. Watch for more news on these projects throughout the year.
Chefs for this recipe: The SettleMINT Team and Online Banking Team.