As credit unions increasingly pivot to digital platforms and solutions, flaws in their cyber meshes may become an expensive point of weakness.

Credit unions face risks associated with out-of-date operating systems and employee credentials leaked onto the dark web, according to a report released last week by cyber-risk rating platform Black Kite. With about 5,200 credit unions operating in the U.S., the report offers a snapshot of the risks facing them, their vendors and their customers in an increasingly digitized system.
The report combined data gathered by the firm’s cyber-risk platform with publicly available information, including some found on the dark web, to assess the credit unions’ security. For the report on the credit unions and their vendors, the Boston-based company adopted a “hacker’s point of view,” Bob Maley, the firm’s chief information security officer, told Bank Automation News. Black Kite’s platform is utilized by lenders like the $1.4 billion Bay Federal Credit Union in Santa Cruz, Calif., and analytics software provider Alteryx, among others.
An overwhelming majority of the 250 credit unions surveyed for the report, or 86%, had at least one breached employee credential available on the dark web, and more than 70% used at least one login form that doesn’t restrict excessive authentication attempts using bots — opening the door for attempted attacks. Such attacks occur when a malicious actor sends multiple requests, often via a bot, to access the attacked website and breach the website’s traffic capacity, thereby crashing it.
As cyber threats continued to rise throughout 2020, with attacks on platforms like Twitter and IT vendor Solar Winds, automation may offer a solution for financial institutions. Machine learning-based models can help reduce false positives by taking additional information into account, like name, birth date, etc., although deploying them usually involves a lengthy training process.
Some credit unions, like the $13 billion First Tech Credit Union in Palo Alto, Calif., have implemented solutions based on artificial intelligence for threat monitoring that can “determine if it is a person or a bot using their systems, based on how fast they are typing,” said Mike Upton, chief digital and technology officer at First Tech. He said the credit union uses a multilayered defense strategy that includes “user authentication, firewalls, human analysts, and verification of transactions and logins.”
While Maley declined to comment on whether Black Kite services any of the unions analyzed by the report, he said “so many new [data] dumps” have appeared on the dark web in recent months, it may indicate hackers’ increased interest in credit unions as consumers lean toward local banking. Vendors used by credit unions could also be leveraged as a gateway into their systems by nefarious actors since “one of the most common data breach amplifiers is third-party involvement,” the report states.
Threats to credit unions are coming from all sides. Eighty-eight percent of the vendors analyzed in the report do not have a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy record for email authentication, which could expose credit unions to spam and phishing attacks. Also, about 65% of vendors use an “invalid, incorrect, expired, or self-signed,” security sockets layer (SSL) certificate. The certificate enables encryption and ensures information travels safely on the internet; without it, customers can be at risk.
While passwords have long been the sentries of our digital world, an increasing reliance on them and cross-purpose use can also put users at risk. “Bad actors are good at figuring out what we do,” Maley told BAN.
Bank Automation Ignite, on April 13-14, is the event for inspiring automation initiatives and investment in financial services. At the virtual event, financial services professionals can discover new use cases and technologies that are accelerating automation in banking. Learn more and register at www.BankAutomationIgnite.com.





