Cybercriminals never stop coming up with creative ways to attack personal data. While most of you are probably hyper-aware of everything related to online and mobile banking, one area you might not consider low-hanging fruit for cybercrime is your audio response system. It may be time to rethink that and tighten your controls a bit.
A credit union recently reported a fraudulent attempt to gain access to member funds via CU*Talk. They were ultimately unsuccessful, but it pointed to a potential area where a determined criminal could take advantage.
CU*Talk Activation Options
For 60 percent of CU*BASE users, CU*Talk is set up so that it is live for all members at all times. All a new user has to do to access the service is sign in for the first time with their account number and the default PIN, at which time they will be prompted to set a new, permanent password. This is certainly a convenient way to encourage members to try CU*Talk any time they want.
However, bad actors have figured out that if they know both a member’s account number and the default PIN, they can log in as that person, reset the PIN and access their accounts. (What they tried to do is transfer all funds into a single suffix then use a third-party ACH transaction to withdraw those funds. The CU recognized the ACH transaction as fraudulent and stopped it.)
For the other 40 percent of CU*BASE users, CU*Talk must first be activated for a member by calling the CU. Then, the member can log in for the first time using that same process. Using this method requires changing a single configuration flag and updating your enrollment procedures for members.
CU*Talk has worked this way for decades, and in all those years, there have been no reports of any actual dollar loss to a credit union via this channel. It is still considered by many to be an extremely low-risk channel, especially considering the limited number of transaction options it can be used for. But this situation was a stark reminder that it’s never too late to take a harder look at your procedures and the tools already in place.
Q: How do I change my configuration so my members aren’t automatically activated for CU*Talk?
A: Either place an order in the store or submit the Configuration Change Request Form (see the second question on page 2).
Q: What happens if I make the change so members aren’t automatically activated?
A: A member would need to reach out to the credit union to request activation. After verifying the member’s identity, a credit union staff member can use Tool #72 Update ARU/Online Banking Access (shortcut: PIN) and check the Audio response activation flag. Then, instruct the member to log in using the temporary password and follow the prompts to set a new, permanent one.
Q: Can I query to see which members still have the default PIN?
A: It is not possible to query audio response PINs.
Q: Is there another way to tell which of my members haven’t ever logged in to CU*Talk?
A: There is data that logs members who are using CU*Talk, going back many years, which could be used to determine which members are not logging in. If you’re interested, contact the Asterisk Intelligence team at AI@cuanswers.com for assistance.
Q: Can a member set a PIN that matches the default temporary one?
A: No. CU*Talk blocks a member from reusing the temporary PIN as a permanent one.
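The two activation policies described above, modeled as an added Python illustration (not CU*Answers code): a member record with the audio response activation flag, the first-login forced PIN change, the block on reusing the temporary PIN, and a report of accounts that are live but have never been logged in to. The `DEFAULT_PIN` value, the field names and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_PIN = "0000"  # constructed placeholder; the real temporary PIN is not shown here

@dataclass
class Member:
    account: str
    activated: bool           # the "Audio response activation" flag
    pin: str = DEFAULT_PIN    # temporary PIN until the first successful login
    pin_is_default: bool = True
    logins: int = 0

def enroll(account: str, auto_activate: bool) -> Member:
    """auto_activate=True models the configuration where CU*Talk is live for all members."""
    return Member(account=account, activated=auto_activate)

def staff_activate(member: Member, identity_verified: bool) -> bool:
    """Tool #72 flow: staff check the activation flag only after verifying identity."""
    if not identity_verified:
        return False
    member.activated = True
    return True

def login(member: Member, pin: str, new_pin: Optional[str] = None) -> str:
    """Returns 'ok' or a denial reason. First login must set a permanent PIN."""
    if not member.activated:
        return "denied: not activated"
    if pin != member.pin:
        return "denied: bad PIN"
    if member.pin_is_default:
        # Permanent PIN is required and may not equal the temporary one.
        if new_pin is None or new_pin == DEFAULT_PIN:
            return "denied: must set a new PIN that differs from the temporary PIN"
        member.pin, member.pin_is_default = new_pin, False
    member.logins += 1
    return "ok"

def exposed_accounts(members) -> list:
    """Accounts live on the channel that no one has ever logged in to: still on the default PIN."""
    return [m.account for m in members if m.activated and m.pin_is_default]
```

Running `exposed_accounts` over the member list is the report the article says can be built from CU*Talk usage data: under auto-activation every never-used account appears, while under staff activation only accounts a verified member asked to activate can show up.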
Q: Is there another way to do the default PIN for CU*Talk?
A: We do not currently have any other option for the default PIN but will be looking into possible enhancements we might make, weighing the expense of this investment against the potential risk. If you have suggestions, we’d love to hear them!
Provided by CU*Answers