Keep nefarious characters from finding holes in your information security system and scoring member data.

Assuming your credit union's information security system is impregnable because it's physically "under lock and key" is not only short-sighted, it's dangerous. Nimble-fingered, ill-intentioned individuals can easily pick or snip the lock and find the holes in your system. When they do, the costs will pile up.

Credit unions with a sound approach to information security spend a lot of time and effort playing defense: monitoring systems, creating multiple layers of security, educating members, and exploring biometrics and other emerging tactics for countering fraud.

The result is a well-rounded approach to using technology to enhance operations and interact with members.

Search for holes

"The biggest threat facing credit unions is complacency," says Jeff Multz, vice president of sales for SecureWorks, Atlanta, which provides 24/7 protection against hacker attacks for 570 credit unions nationwide. "The threat is growing exponentially."

Many credit unions assume that establishing a perimeter-style defense based on firewalls is sufficient. But experts say credit unions also must take into account fraudsters' ingenuity.

Phishing attacks create e-mails that mimic genuine company communications to persuade members it's safe to provide personal information, which then is used for identity theft. Spyware and botnets attempt to infiltrate computer systems to plant programs that will relay information or "borrow" computer capabilities for nefarious purposes. Worms and viruses wreak havoc by crashing systems and infecting other computers. Meanwhile, hackers around the globe continuously are creating new ways to bypass security barriers.

"There's no location and there's no time on the Internet," Multz says. "That means online criminals can get to you, no matter where they are in the world, faster than the girl next door."

The Santy worm that attacked credit unions during the 2004 holiday season is an example of hackers' inventiveness, Multz says. Santy was designed to attack at a time when most information security professionals were out of the office for holiday celebrations. Santy was the first example of automated Google hacking, using the search engine to find Web servers running a vulnerable bulletin board program, and then spreading to more than 40,000 sites before loopholes were closed.

Kevin Prince, product manager for Cavion Plus, Mounds View, Minn., says the threats facing credit unions "are becoming more automated, quicker, and much more lethal." Cavion Plus provides Web site, e-transaction, connectivity, and security services to financial institutions.

"For example, it used to be that spam and pop-ups were just annoyances. Now they can have embedded programs and steal sensitive information or create conduits for a hacker to enter a network, usually undetected, through a firewall," Prince says.

"Phishing scams are happening to credit unions now," he continues. "There are Web sites with links or search engines that can direct you toward malicious code that can infect your system. We're also moving toward zero-day worms, where the same day a vulnerability is announced, a worm is released to compromise systems before we have time to patch."

Layer your defense

As threats continue to proliferate, focusing on one problem at a time rarely is feasible. Several experts note that adding a single program to solve a single problem, over and over again, leads to a top-heavy system that creates new holes for hackers. Instead, experts recommend a carefully layered approach to security to guard against multiple threats (see "Security basics").

Hiring outside firms to design, test, and monitor security measures can be less expensive than hiring internal experts, although both approaches require an adequate budget and senior management buy-in. An ideal approach combines internal experts with external advisers and services.

"One thing I hear consistently that concerns me is that credit unions think security is cheap," says Rick Fleming, chief technology officer for security firm Digital Defense, San Antonio. "They think they should be able to have all their security needs met for $300 a year."

But off-the-shelf software for fending off viruses and creating firewalls is unlikely to provide the level of sophistication required to prevent intrusion from determined hackers, who see financial institutions as prime targets.

Likewise, credit unions must check security firms' credentials and experience to ensure they have a high level of expertise.

Credit unions that shortchange the budget for information security may be unaware that damage to their reputation and the need to recreate data carry a high price tag, typically outweighing actual financial losses from successful attacks, Fleming says.

While a layered approach is valuable, too many credit unions start with "the outer layer of the onion," according to Karim Toubba, vice president of product management and marketing for Redwood City, Calif.-based Ingrian Networks, which helps credit unions secure information stored in applications and databases. That information is the innermost layer of the onion, with the greatest need for protection.

"Instead of just protecting systems, credit unions need to adopt a mechanism that protects the information within those systems," Toubba says.

Encryption can make data unusable to outsiders or unauthorized insiders, removing the greatest risk of data theft or malicious access. To make data truly secure, encrypt it on a separate appliance before it is stored in the credit union's computer system, and keep the encryption keys on that appliance, away from the data on the computer system. That keeps the keys hidden from an attacker who reaches the stored data and lets encryption occur without slowing other functions on the computer system.
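The separation described above, as an added Go example that is not code from the article or from any vendor it names: a hypothetical KeyAppliance type holds the keys and performs AES-GCM encryption and decryption, while the credit union's own store (MemberStore, a constructed in-memory map) keeps only ciphertext and a key id. The member id is bound to each ciphertext as associated data, so a ciphertext copied to another member's row will not decrypt. All type and function names and the sample member value are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyAppliance models the separate encryption appliance: it generates and holds
// the keys and performs all encryption and decryption, but never hands a raw key
// to the application or to the data store. Hypothetical, not any vendor's API.
type KeyAppliance struct {
	keys map[string][]byte // key id -> 256-bit AES key, never exported
}

func NewKeyAppliance() *KeyAppliance { return &KeyAppliance{keys: map[string][]byte{}} }

// CreateKey generates a fresh random key under the given id.
func (a *KeyAppliance) CreateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	a.keys[id] = k
	return nil
}

func (a *KeyAppliance) aead(keyID string) (cipher.AEAD, error) {
	k, ok := a.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-GCM, binding it to aad (here the member id),
// and returns nonce || ciphertext || tag.
func (a *KeyAppliance) Seal(keyID string, plaintext, aad []byte) ([]byte, error) {
	gcm, err := a.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a blob from Seal; any change to the blob or the aad is rejected.
func (a *KeyAppliance) Open(keyID string, blob, aad []byte) ([]byte, error) {
	gcm, err := a.aead(keyID)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Record is what the credit union's own system stores: ciphertext plus the id
// of the key that protects it, never the key and never the plaintext.
type Record struct {
	MemberID string
	KeyID    string
	Cipher   []byte
}

// MemberStore stands in for the database on the computer system.
type MemberStore map[string]Record

// StoreMember has the appliance encrypt a sensitive field before it is written.
func StoreMember(app *KeyAppliance, store MemberStore, memberID, keyID, secret string) error {
	blob, err := app.Seal(keyID, []byte(secret), []byte(memberID))
	if err != nil {
		return err
	}
	store[memberID] = Record{MemberID: memberID, KeyID: keyID, Cipher: blob}
	return nil
}

// ReadMember fetches the row and asks the appliance to decrypt it.
func ReadMember(app *KeyAppliance, store MemberStore, memberID string) (string, error) {
	rec, ok := store[memberID]
	if !ok {
		return "", errors.New("no such member")
	}
	pt, err := app.Open(rec.KeyID, rec.Cipher, []byte(rec.MemberID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	app, store := NewKeyAppliance(), MemberStore{}
	_ = app.CreateKey("members-2005")
	_ = StoreMember(app, store, "M001", "members-2005", "123-45-6789") // constructed sample, not real data
	v, err := ReadMember(app, store, "M001")
	fmt.Println(v, err)
}
```

A compromise of the member store alone yields rows of ciphertext and key ids; decrypting anything still requires a call to the appliance, which is where access control and logging belong. Key rotation is then a matter of re-sealing rows under a new key id rather than touching the application.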

Add biometrics

Another promising method for strengthening information security is the use of biometrics, which verifies the user's identity by relying on physical characteristics such as a fingerprint or the iris of the eye. Biometric scans map physical characteristics and then convert them to mathematical equivalents stored and recalled when needed to verify identity.

Among credit unions experimenting with biometrics are Purdue Employees Federal Credit Union, West Lafayette, Ind., with $400 million in assets, and Technology Credit Union, San Jose, Calif., with $1.1 billion in assets. Members of both credit unions tend to be highly educated about technology.

Since 1997, Purdue Employees Federal members have been able to use their thumbprints to access accounts at kiosks in five branches, eliminating the need for passwords or plastic cards. It also uses biometrics to protect laptop computers used by traveling employees, who must provide both a password and a fingerprint to gain access.

This year the credit union plans to require a fingerprint scan for everyone who works on its computer system so it can track who's doing what at any given time, explains Bill Arnold, assistant vice president, technology.

Purdue Employees Federal included biometric capabilities in its most recent request for proposals for online banking vendors and probably will make biometrics an optional security improvement for online banking users in the future, possibly as early as 2006. Participating members would attach a fingerprint scan device to their computers and then perform the scan each time they accessed online banking. The credit union has 28,000 members who use online banking at least once every 90 days, with 17,000 getting e-statements and 8,500 enrolling in bill payment services.

Biometric devices would be optional, Arnold says, because some members still are reluctant to use biometrics and some value convenience more than security. He notes that some members concerned about privacy may be unaware that the series of numbers generated by biometric scanners can verify a fingerprint but are insufficient to independently re-create it.

Convenience also is an issue because traveling members may need to access their accounts from computers without biometric scanners, such as those offered by hotels or coffee shops. Mandating the use of biometrics also might create an obligation to provide support for members' computers, Arnold says. Finally, some users may be unaware that biometric technology now can verify whether the finger submitted for the scan is attached to a living person, removing the fear of criminal access.

The lack of an accepted biometric standard is another issue, according to Barbara Cure, research and development manager for Technology Credit Union, which has equipped six branches with biometric scans to verify the identities of members who perform transactions via tellers. The credit union plans to use biometric screening to secure automated teller machines and online banking in the future.
