Fighting Fraud: Insight from Kris VanBeek, Digital Federal Credit Union
But do these changes also open the doors to potential fraudsters?
Kris VanBeek, SVP of Information Systems at Digital Federal Credit Union, discusses:
VanBeek is a banking/security leader with deep experience in banking and regulatory compliance. Prior to joining DCU five years ago, he spent time as a supervisory manager at the Federal Reserve Bank of Boston; data center manager at Fiserv; senior IT specialist and examiner with the Federal Deposit Insurance Corporation. Digital Federal Credit Union is a not-for-profit financial cooperative owned by and operated for its members. DCU was chartered in October of 1979. DCU serves more than 350,000 members and their families in all 50 states. DCU is the largest credit union headquartered in New England as measured by assets and among the top 15 nationwide.
TOM FIELD: We have new compliance and security laws. We know they are a boon to financial institutions, but are they also a boon to fraudsters? Hi, I'm Tom Field, Editorial Director with Information Security Media Group. We are exploring this question today with Kris VanBeek, Senior Vice President of Information Systems at Digital Federal Credit Union. Kris, good to talk to you again.
KRIS VANBEEK: Thanks Tom. It's good to be here.
FIELD: Just to catch people up on what you have been doing since the last time we spoke, what are the biggest projects on your plate these days?
VANBEEK: Well, in terms of projects there are a wide variety of categories. I mean they kind of fall into some basic buckets, but I mean everything from infrastructure upgrades, which is just kind of an ongoing battle as it relates to securing networks, securing our infrastructure, and kind of always raising the bar as it relates to kind of being ahead of the fraudsters and ahead of threats that may be causes of risk to the credit union.
Similarly, though, you know with all the new changes in compliance and pending regulation that are kind of looming for the rest of this year and well into 2010, really kind of positioning ourselves to ensure that we can be compliant in a timely manner and manage any risk as it relates to the transition of that process, and of course efficiency. With any new compliance requirements oftentimes there is a possibility of losing some efficiency, and we want to make sure that we are as efficient as possible.
FIELD: Now, Kris, you raised an interesting point, which is how some of these new compliance regulations and security laws may actually be doing a favor to the fraudsters. I would love you to expand upon that and explain what you mean.
VANBEEK: Well, there are a couple of different ways of looking at it. Kind of on the most basic level, you know almost from a technology level, anytime you introduce changes to a system, there are a number of risks associated with that. The risk can be something as simple as during an upgrade time or maintenance window when you need to make changes to a system; during that time oftentimes systems are in store-and-forward modes, or in some kind of hybrid mode that makes them a little bit more vulnerable than they typically would be. But that is not really where the real risk is; that is just kind of one of the obvious ones. Some of the real risk is the changes themselves, and again, you could describe those in a couple of different categories. Whenever you introduce changes to a system, if you didn't properly test them, whether it be an actual bug or maybe the logic wasn't there or it wasn't implemented in the most optimal method, there is another risk there.
And then probably the most profound risk is the actual compliance regulations themselves. It is not true of every compliance change coming down the road or every regulatory change coming down the road, but certainly some more than others. I think a good example of one of the major changes is some of the Reg CC changes with the Federal Reserve consolidating their processing centers into a single kind of super center in Ohio. What that does is changes Reg CC in terms of availability, and what better way for a fraudster to look at a potential opportunity than to change funds availability.
So again, whether you are going into an ATM, whether you are going into a branch, whether you are using remote capture to deposit an image from home or from some other source, the requirement for the funds to be available in a shorter timeframe presents an opportunity for fraudsters who are kind of technically savvy and understand the process really well -- sometimes as well as financial institutions themselves.
FIELD: And have more resources than some financial institutions.
FIELD: That's a great example Kris. Are there any other specific changes that concern you that fraudsters might target?
VANBEEK: Well, there really is a whole host of them. Whenever you change the systems -- you know, some of the Credit Card Act changes, I wouldn't say that they are individual items or specific items in them, but it is more the mass changes, and sometimes whether it is core service providers, whether it be business partners, you know, you make a change as it relates to changing a fee calculation or something like that, and oftentimes the systems don't talk the same way they had prior to the upgrade. That is a big issue.
I think at DCU we do a great job testing, testing, testing and that, understanding that and making sure that the systems are working in the way that we expect them to is really the best control to minimize that risk. But you know, there is a lot with so many changes coming down the road, there is a lot to look at these days.
FIELD: So how do you go about handling this? I mean what advice would you offer to a credit union or a bank that has these changes coming down the pike and wants to thwart any potential attempts by the fraudsters?
VANBEEK: Well, I think it falls into, again, a couple of different schools of thought. I think first and foremost to understand the changes. And when I say understand the changes I mean it both in terms of the regulatory requirements, what the change is, but also what that means in terms of technology, what that means in terms of process. And sometimes there can be a disconnect there because a lot of financial institutions depend upon a core service provider or an outsourced solution, and when you have regulatory changes oftentimes one core system might interpret a regulatory change a little bit differently than another core system.
So if you understand and have your own interpretation of the regulation from your financial institution's perspective, you want to make sure your interpretation fits in with your core service provider, or any other provider that might be sharing information as it relates to that particular compliance topic. Does that make sense?
FIELD: It does, Kris. So just to switch gears a little bit here, you talked up front about fraud in general, and I am curious: I am hearing today about new attempts at skimming that are hitting ATMs, and that has got a lot of institutions concerned. What are the areas of fraud that you are particularly concerned about as we are going into 2010?
VANBEEK: Well, in terms of -- that's a great question, and really going into 2010 I don't see anything that is a major revolution. I think that what you almost see are waves, whether it be skimming, credit card fraud, identity theft in general, and you seem to see waves. And it is sad, but it is almost that you can see a little bit of an uptick in fraud claims, whether it be credit card chargebacks or member inquiries, or whatever it might be, and then whether it is a week, a month, two months, oftentimes you will hear that there was a large retailer that had some kind of financial compromise. You can almost anticipate that these days because it has gotten to be so relatively frequent.
For 2010 I don't see a massive amount of change in terms of the risks. I think that maybe from the standpoint of the financial environment that we are all living in, the economy, I think we have seen a few more desperate acts, and those are threats and those are risks certainly, but I don't think they pose the larger risk of, you know, the large, intelligent, well-funded fraudsters that have a lot of resources behind them. I think that threat is there, and it has been there for a number of years and will continue and maybe even modestly increase in 2010. Just my opinion, of course.
FIELD: Now what have you found to be effective in keeping your staff up to speed to face all of these different challenges that they face in terms of fraud attempts?
VANBEEK: I think the good news there is that there are a lot of great resources out there, and, whether it be technical magazines, technical websites, whether it be sites much like yours, there are a lot of folks that have a good understanding of recent events, about things that are kind of emerging as risks, gaps in infrastructure, firewalls, or new operating systems and the related patches.
I think encouraging folks to get out and to get outside their box and not just do their job, but invest in themselves a little bit, and oftentimes that is as simple as, you know, taking 15 minutes or a half hour a day to kind of make sure you are up to speed on what is going on. I think that is true not just in the IT world and not just in the banking or credit union world, but in every job out there these days.
FIELD: Kris, one last question for you, and again, I want to shift gears on you and talk about career opportunities. If you were to advise someone who would be starting or restarting an information security career in financial services in 2010, where would you advise them to start?
VANBEEK: Well, I would start out by stating the time is still great. I mean, a lot of folks are talking about the economy and the lack of jobs and such and this area, whether it be specifically information security or maybe security with a little bit of a compliance tone, if that is your skillset, I don't think the time has ever been better.
In terms of recommendations, I think getting certification, getting recognition, being able to somehow solidify your skillset through some form of designation just makes it easier for you to stand out a little bit compared to maybe someone else who doesn't have a certification. But bottom line, I look at things in really, really simple terms. If you have an information security professional that has a solid background, that has the education and skillset and is willing to be an athlete, to play a variety of positions, I think that is where it is at these days.
We are all looking for efficiencies, we are all looking to do more with less, and an information security professional that is willing to wear a couple of different hats and maybe handle a couple of special projects, and balancing a variety of duties, those are the folks who are in the highest demand these days, at least from where I see things.
FIELD: Kris, as always I appreciate your time and your insight. Thanks so much for spending some time with me today.
VANBEEK: My pleasure.
FIELD: We have been talking with Kris VanBeek of Digital Federal Credit Union. For Information Security Media Group, I'm Tom Field. Thank you very much.