CU*BASE credit unions around the country have reported similar cases of someone using a member’s online banking credentials to initiate P2P payments via Payveris online bill pay. The cases share similar details: the perpetrator(s) either log in successfully with the member’s credentials or change the member’s email address before initiating a payment. Affected members may become aware of the unauthorized access when they receive a notification that their email address has been changed, or when they see the unauthorized P2P payment debited from their account. Diligent members have been quick to contact their respective credit unions.
CU*Answers followed our response protocols, and according to our research of the access logs, neither It’s Me 247 Online Banking nor the Payveris bill pay software was malfunctioning or breached in any way. The members were victims of identity theft, with someone having gained access to their accounts using each member’s own credentials.
As you know, certain features such as bill pay and P2P (along with things like A2A, check withdrawals, and CFT maintenance) can be used to remove money from an account, should an unauthorized user gain access using the member’s credentials. Though we are diligent in our consistent review of the security landscape, these attacks on member accounts are unfortunately common throughout any digital financial space.
This is a good opportunity to review the due diligence you performed and documented as part of your risk assessment when you elected to activate these features. Situations such as this, which involve the update of member information, can also serve as reminders to verify your LELOG2 report daily in order to monitor for suspicious activity. Remind your staff about your procedures for responding to reports from members whose credentials have been compromised. These should include advice to members on using antivirus detection and tools to clean PCs of viruses, malware, keystroke loggers, etc., as well as steps for keeping devices up to date with security patches.
A tip for Payveris bill pay clients: Log in to PASS and select “Search Customer Audit Trail” on the left-hand side of the screen. Then, when the audit trail search box appears, select “Set Up PIN Payment” in the transaction name. This will pull a list of all P2P transactions for your credit union’s members. Before each end of day, scan the report for anything suspicious that might require further research.
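The pattern described above, an email address change followed shortly by a P2P payment, can also be checked mechanically once both sets of records are exported. This is an added example, not CU*Answers or Payveris code: the record layout, field names, and 24-hour window are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed review window; set per your own policy

# Constructed sample rows. Real exports will have different layouts.
EMAIL_CHANGES = [  # member email updates (hypothetical export)
    {"member": "1001", "time": "2024-01-10 09:12"},
    {"member": "1044", "time": "2024-01-10 13:40"},
]
P2P_PAYMENTS = [  # "Set Up PIN Payment" audit trail rows (hypothetical export)
    {"member": "1001", "time": "2024-01-10 09:31", "amount": 450.00},
    {"member": "1002", "time": "2024-01-10 11:05", "amount": 25.00},
    {"member": "1044", "time": "2024-01-12 16:00", "amount": 80.00},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def flag_payments(email_changes, payments, window=WINDOW):
    """Return payments made within `window` after the same member's email changed."""
    changes = {}
    for row in email_changes:
        changes.setdefault(row["member"], []).append(_ts(row["time"]))

    flagged = []
    for pay in payments:
        paid_at = _ts(pay["time"])
        for changed_at in changes.get(pay["member"], []):
            # Only a change that precedes the payment, and recently, counts.
            if timedelta(0) <= paid_at - changed_at <= window:
                stamp = changed_at.isoformat(sep=" ", timespec="minutes")
                flagged.append({**pay, "email_changed": stamp})
                break
    return sorted(flagged, key=lambda p: p["time"])


if __name__ == "__main__":
    for hit in flag_payments(EMAIL_CHANGES, P2P_PAYMENTS):
        print(f'{hit["time"]} member {hit["member"]} paid {hit["amount"]:.2f} '
              f'after email change at {hit["email_changed"]}')
```

Payments made without a preceding email change will not appear in this output, so it supplements the end-of-day scan of the full report and does not replace it.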
Training Sessions for P2P Monitoring will be held on the dates below. Please be sure to register for your preferred session.
Monday, December 17, 10:00 – 11:00 AM ET
Tuesday, December 18, 2:00 – 3:00 PM ET