STOCKHOLM, Sweden–Cybercriminals are no longer brute-forcing their way into credit union systems; they are simply logging in, because many of the old warnings to employees about not clicking on bad links have not been updated to account for the newest criminal methods, according to one expert.
Confidence Staveley, a Nigerian cybersecurity and information technology expert and author, and founder of the CyberSafe Foundation, told the World Credit Union Conference here that many of the two-factor authentication methods CUs and other companies use are basically no-factor authentication, thanks to stolen credentials and identities that leverage inherent weaknesses in “trust.”
Empty Store Shelves
After showing photos of the empty shelves in a store where she shops, Staveley said the reason was a war, though not the traditional kind: a cyberwar that had shut down a food distributor after a cybercriminal called the company’s service desk, impersonated an employee and was able to get passwords changed.

“Impersonation is something we really see central to many of the attacks,” said Staveley. “We have gotten so used to receiving these fishy emails and our technical teams have gotten so good at stopping them, and there has been lots and lots of training on not clicking on links. But who is guarding your phone calls, your text messages?”
The Threat to ‘Trust’
It was a theme she returned to often, stressing that attacks upon “trust” are core to cybersecurity in many forums.
Many of the trust-based attacks have the same gang behind them, she said—Scattered Spider, a loose collective of English-speaking hackers that is decentralized and has members as young as 16 and which is especially good at social engineering.
“They aren’t doing anything new. They are using trust against us,” said Staveley. “They’ve gotten very good at getting around two-factor authentication. We have offshored to other countries some of our cybersecurity. They are going after identity. They are able to log in like everyone else.”
Staveley said cyberthieves are now primarily engaging in three different practices involving:
Trusted Tool or Trusted Nucleus
Cyberthieves use the same tools as everyone else, such as Google apps, screen-sharing tools, and the “trusted nucleus,” such as a service desk, said Staveley.
Personalized Social Engineering
“This is basically digital destruction. Emails and voices can be customized now with AI.”
Human Identity
“They are able to use stolen identities to get around security. Three out of every four data breaches are caused by a human. We must make sure we are centering humans in our culture to ensure they take responsibility and are prepared for the next threats. We cannot trust blindly,” Staveley said. “We must audit what these humans are doing and when there are slip-ups, we must catch them very quickly.”
As Staveley emphasized throughout her remarks, “Attackers are no longer brute forcing their way into your systems, they’re logging in.”
She said looking for loopholes in security has become too much work for most hackers. Instead, they go after the lowest-hanging fruit—fruit she said is often lying on the ground—in the form of the lowest-paid employees.

The ‘Magic Wand’
“The magic wand is gaps in identity and access controls rather than technological vulnerabilities,” Staveley stated. “How do you prove who you are? You provide a username, a password.”
She noted voice authentication security is now easily breached as all a criminal needs is three seconds of someone’s voice, say, from a social media post.
“AI is not just a threat, it’s a trust distortion engine,” Staveley said. “The things we would normally believe in mean we must now put in extra effort to prove they are real. You must begin to ask yourself: can my systems tell the difference between what’s real and what’s not? Identity does not equal trust anymore. Identity has evolved, but have we evolved our trust mechanisms accordingly?”
‘Trust Poverty’
Those institutions that do not evolve are headed toward what Staveley called “trust poverty,” which is the dearth of shared and sufficient trust parameters.
As companies have gotten better at detecting traditional phishing emails, hackers have had to turn to new techniques to make their lures more believable, Staveley pointed out. She asked attendees about their security around phone calls, text messages, WhatsApp messages and more.
“We have been told when we see the green padlock at the top of the browser that it is safe,” she said. “But cybercriminals can buy those domains. Legitimate infrastructure and tools are now really in use.”
Trust Blind Spots
Staveley encouraged credit unions to think about their blind spots.
“Impersonators love your service help desks,” Staveley said. “This is literally a trust nucleus. They are really good at crafting their messages to your help desk. If your security plan is centered on ‘Don’t click,’ you don’t have a plan. If your security plan still hinges on ‘Don’t get tricked,’ you don’t have a plan. Someone can clone how you look on Zoom, how you sound. Cybercriminals aren’t breaking in, they are logging in.”
Reminder About Vendors
Staveley urged the credit unions from around the world to ensure their vendors have security verification for their own staff.
“Everyone who has access to the tools you use, to the sessions you’ve conducted, they are all a threat. Trust transcends perimeters. Trust must go past your organizations.”
Staff training, she said, must create complete “digital mindfulness” and build “cognitive resilience.” That is, train employees not to allow themselves to be emotionally manipulated.
The Prognosis
Looking forward, Staveley told credit unions to expect:
- Escalating trust-centric attacks.
- Personalized deepfake attacks will surpass mass phishing by 2027.
- That context is now “king.” “The way you authenticate your members will have to change.”
- The world to be in a behavioral analytics arms race.
- Third-party risk catastrophes are going to climb by 50%.
