Don’t print account numbers and SSNs on envelopes

Unfortunately for Priority One CU, they managed to print the account number and the social security number on the election ballot envelope of Steve Bass, a blogger for PC World, as well as the rest of their membership.  Here’s Steve’s article (on PC World).

Priority One has an opportunity here. The phrase "making lemonade out of lemons" comes to mind.  The CEO, actually probably marketing, sent letters to the membership informing them of the security breach and they have a notice on their site.  They’ve also given everyone free credit report monitoring for a year, which seems to be becoming a standard response.  If I were Charles R. Wiggington, Sr., their CEO, I’d personally call Steve and ask him to help start a blog for the CU so they could better communicate with their membership.  They might have a chance to turn one of their unhappy members with a wide audience into one of their biggest proponents.  And maybe redesign the website while they’re at it.

The .Bank Debate Part II

In my previous post, I commented on the proposed “.Bank” TLD. Since then, F-Secure has defended their proposal in their blog, addressing many of the key issues I commented about.

Here is what they had to say about users still being fooled by the new addresses:

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users’ software to work better. Security software and browser tool bars would essentially have a “white list” to work with.

Yes, .bank would help browsers know whether a site is legitimate or not, but users would have to look for something in their browsers.  If the EV-SSL certificate message below isn’t clear enough, what could web browsers possibly say that would be?

EV SSL Certificate

F-Secure addressed the issue of EV-SSL certificates as well:

We’re not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There’s no way to know if a site has a high-security certificate without visiting it.

True, but EV-SSL certificates identify web sites while also assuring security in transactions.

What about a compromise, a variant of EV-SSL certificates just for financial institutions, a FI-EV-SSL Certificate? This wouldn’t give much additional benefit. One must prove they are a legitimate business to get an EV-SSL certificate anyway.

I’m still not convinced “.bank” is worthwhile. What do you think?

The .Bank Debate Part I

Here is the situation: F-Secure’s Mikko Hypponen has proposed that we fight phishing by creating a new Top Level Domain (TLD), called .Bank. One would have to prove that they are a legitimate financial institution to get one. Additionally, the domains would cost a substantial amount, such as $50,000, to prevent all but legitimate businesses from being able to afford one.

At a glance this may appear to be a great solution, but there are a number of problems. First, it still requires educating users about paying attention to their browsers. If users already watched their address bar we wouldn’t have a phishing problem in the first place, so clearly that alone would be nearly impossible.  And even if users knew to look for ".bank" in the address, many would still be fooled by long URLs.  For example, if your address is "," many users would be fooled by "" or ""
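The "white list" check that software could make, and the long-URL lookalikes that defeat a reader's eye, can be put side by side. The following is an added example, not code from this blog or from F-Secure; the function names are hypothetical and every hostname is constructed for illustration (the name is borrowed from the "Woodgrove Bank" certificate shown in this post).

```javascript
// Added example: decide from the parsed hostname, never from the raw string,
// whether a URL really lives under the proposed ".bank" TLD.
const TRUSTED_TLD = "bank";

// Return the host a browser would actually connect to, or null if unparsable.
function effectiveHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // same URL parsing model browsers use
  } catch (_) {
    return null;
  }
  // hostname excludes userinfo, port and path, and is already lowercased.
  return url.hostname.replace(/\.$/, ""); // drop a trailing root dot
}

// True only when the LAST label of the real host is the trusted TLD.
function isOnTrustedTld(rawUrl) {
  const host = effectiveHost(rawUrl);
  if (!host) return false;
  const labels = host.split(".");
  return labels.length >= 2 && labels[labels.length - 1] === TRUSTED_TLD;
}

// Constructed samples: one genuine form plus the ways ".bank" can appear
// in an address without being the TLD.
const SAMPLES = [
  "https://woodgrove.bank/login",             // genuine: TLD is .bank
  "https://WOODGROVE.BANK./login",            // same host, odd case and root dot
  "https://woodgrove.bank.example.com/login", // ".bank" is only a subdomain label
  "https://woodgrove.bank@example.com/login", // ".bank" is only the userinfo part
  "https://example.com/woodgrove.bank/login", // ".bank" is only in the path
];

function classify(urls) {
  return urls.map((u) => [u, isOnTrustedTld(u)]);
}

for (const [u, ok] of classify(SAMPLES)) {
  console.log((ok ? "trusted TLD  " : "NOT .bank    ") + u);
}
```

The last three samples all contain "woodgrove.bank" as text, which is what a reader skimming the address bar sees; only the parsed hostname tells them apart.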

The second problem is that this method would not be more effective than Extended Validation (EV) SSL certificates, which already exist.  These types of certificates are highly recognizable in modern browsers like Internet Explorer 7, and prominently display the name of the company that owns them:

SSL Certificates in IE7

The owner of the SSL certificate, "Woodgrove Bank [US]," and the Certification Authority that issued the certificate are easily identified.  I don’t see how ".bank" is any more effective than this.  What do you think?

What’s an IDA?

I asked the same question the first time I saw IDA.  Did someone misspell IRA???

An IDA is an Individual Development Account, an initiative the state of Oregon kicked off a few years ago through The Neighborhood Partnership Fund.  The fund lists three main goals:

      1. Oregon’s communities will thrive while meeting the housing needs of all residents.
      2. Low income Oregonians will have increased opportunities to succeed in school and life. Success will be maximized by an infrastructure of interwoven housing and services provided by a vibrant network of community development organizations.
      3. Low-income Oregonians will increase their household financial resources and stability. NPF will work with partners to build individual, family, and community social and financial assets. 

The primary goal behind the IDA is to help low income individuals and families start a business, pursue education or skills training, or purchase their first home.  The savings in the IDA are matched at a rate of 2:1 or 3:1!  How is this possible, you say?

The state of Oregon has initiated a tax credit for donations to the NPF at the rate of 75%!  Plunk down a thousand dollar donation to the NPF, and you’ll get to write off $750 from your Oregon state taxes!  (Footnote: I’m not a tax professional, don’t listen to me.  I’m just reading their site.)  These donations then fund the savings matching. 

How does this apply to credit unions, you say?  Well, besides helping low income families, and besides helping our membership save, and besides helping our more affluent members get a tax break,

"Once eligible low-income participants have met program criteria, they open their IDA at a local bank or credit union. They work with program staff from a qualified social service organization to set up a savings schedule and ultimate savings goal."

Sounds like a perfect fit for credit unions.   

About the IDA (the NPF site)

Successful Internal Promotions

Over the past few years, we’ve done a lot of different types of internal promotions for our employees.  We’ve tried the Get-Away-Today (which was less than stellar), gift cards, movie tickets, days off, a treasure hunt, car wash, jeans day, and Starbucks just to name a few.  So what does it take for an internal promo to be successful?

  1. Fun and different.  Find something your staff like and give it a whirl.  (Our recent Coach purse promotion went great!)
  2. Once you find something fun and different, don’t do it again for at least a year!  The novelty wears off.
  3. You must have the ability to provide at least daily updates for all staff.  Real-time is ideal, but I’m always shocked to hear how poor most sales reporting is in CU’s (mainly a function, or a lacking function, of CU cores).
  4. SMART goals (Specific, Measurable, Actionable, Realistic, Time-bound).  If the goals are perceived as unattainable for whatever reason, they won’t get hit.
  5. Find a way to get all employees involved, not just front-line staff.

The most successful internal promotion we’ve ever had was dubbed Fantasy Checking.  In Oregon, the Civil War game (U of O Ducks vs the OSU Beavers) is quite the big deal.  So in the spirit of the game, we had each of our staff create a Fantasy Checking Team.  We set up a little app on our intranet home page where all employees of the CU picked one employee from each branch and answered a tie breaker question.  Each individual seller, branch, and fantasy team was ranked on the home page for everyone to see and the data was updated every 15 minutes.  We had VPs, accounting, EFT, IS, tellers, branch managers, and all sorts of other employees set up teams.  Some of the more proactive "coaches" even called our tellers and FSRs beforehand to see who they should pick and called them throughout the promotion to see what was happening!  At the end of the promo, we had a prize for each branch that hit its checking goal, prizes for the top fantasy teams, and we threw a tailgate party in the parking lot of our administration center.

We blew our goal out of the water and had our largest checking account month in the history of the company. 

Long story short, get all your people involved, keep everyone updated frequently, and make the promo fun and different!



Credit Union Fee Sensationalism

In the Wheaties for your Wallet link list for yesterday I noticed something from Jesse Robbins, the prominent voice of Black Rock Federal.  While I applaud Jesse for attempting to make the already public CU data more readily available (the NCUA site is not consumer friendly), it shows the top ten CUs’ annual numbers from December, so naturally, Navy Fed is at the top and looks like they are just raking in the dough.

The Fees per Member graph that Jesse also put up is a much better gauge of how a particular CU fees their membership.  All this data is wonderful, but it must also be taken with a grain of salt.  As with any set of data, the results of analysis are only as good as the data that gets put in.  There are, and will always be, many anomalies in call reports, so it is vital to analyze data with different denominators, whether it is by member, employee, number of branches, asset size, market share, or number of checking accounts.

The World’s Best Presentation

Tired of boring PowerPoint presentations?  Looking for some inspiration?

Shift Happens recently won the World’s Best Presentation Contest hosted by SlideShare.  It’s a pretty amazing presentation and there is a host of other resources on the site as well.  If you’re looking for some pizazz to spice up those really entertaining credit union presentations, look no further.