Hackers Are Breaking Into Credit Union Accounts. One Solution? Blockchain.
In December of 2019, a North Carolina man logged into his credit union and watched as a scammer withdrew money from his account. In early April, a fraudster impersonated credit union employees, asking customers to tell him their account information — he then withdrew more than $10,000 of their savings.
Last year, hackers cost U.S. consumers a combined $16.9 billion in identity fraud, according to Javelin Strategy & Research. As the COVID-19 pandemic spreads across the United States, the risk of account takeovers is up. According to Julie Esser (left), chief experience officer at CULedger, a credit union services organization (CUSO), credit unions going digital has led to a rise in criminals targeting remote call centers.
“Predators prey on these entry-level positions to try and get personal information out of them,” Esser said. “They just pretend they are somebody they’re not and oftentimes it’s successful.”
CULedger started as a research project in 2016, with 70 credit unions and industry trade groups dropping a combined $650,000 into a pilot blockchain project aimed at preventing call center fraud. The group chose to focus on blockchain because it was a proven technology, Esser said: “I’m not aware of any blockchain that’s been hacked.” Two years later, the Denver-based company was officially formed and is now putting its technology to the test.
Today, more than 500 consumers use CULedger’s signature blockchain technology. Eleven credit unions across the U.S. have signed on to work with the firm. And the participating industry groups have dropped another $10 million to scale CULedger’s business.
“In order for credit unions to survive, they need to work together. They have the same requirements as the mega banks do from a regulatory standpoint, but fewer resources to do it and pay for it,” Esser said. “They’re left with no choice. They’ve always been reliant on third-party relationships to help them provide services for their members. I don’t know if there’s any other technology that has the same promise as blockchain.”
How distributed ledgers rethink identity
Credit unions are subject to Know Your Customer mandates, which are federal regulations that call for financial institutions to collect data on customers as a way to fight fraud.
Traditionally, companies verify identity through either siloed accounts, which require users to create a username and password, or federated systems, which allow individuals to login in via a third party like Facebook.
CULedger, in contrast, verifies user identity through its MemberPass product, a distributed ledger that records and encrypts users’ transaction history. MemberPass does not record identifiable information, and does not require anyone to memorize a username or password. It’s built on a consensus mechanism, which means that everybody in the network has an individual node and has to agree a transaction is valid for it to go through. And it is stored in a mobile app that requires users to scan their iris, touch their thumb or use other biometric data to log in.
“Anytime an imposter tries to penetrate into one of those systems and change the transaction, we would have to change it on all of those different endpoints at the same time in order for it to work,” Esser said. “That’s what makes this harder to hack.”
The company’s distributed ledger is built on the Sovrin Network, which calls itself the world’s largest decentralized identity platform. Esser said CULedger also has relationships with R3’s Corda enterprise blockchain, the Hedera Hashgraph high-speed blockchain and IBM. She said the company plans to use these platforms to eventually capture transaction data from smart contracts, act as a value exchange for cross-border payments, and more. With members’ permission, credit unions could even use MemberPass to verify users’ identity for other organizations, she added.
“Someday those credentials could be used for insurance, or applying for a loan, or healthcare,” Esser said. “There are a lot of other verticals that need a strong identity mechanism.”
When CULedger launched, it operated on a transaction-based model, charging credit unions for every purchase notched on the chain. Last year, however, CULedger switched to issuing a flat fee, since charging credit unions by the number of transactions discouraged them from promoting the product.
It also ran counter to how the conservative institutions traditionally budget for items.
“Credit unions are profit-minded but not profit-driven, they’re very protective of their members’ money,” Esser said. “Because of that conservative nature, their preferred model is subscription-based, because they can budget for it.”
“Credit unions are profit-minded but not profit-driven, they’re very protective of their members.”
Esser declined to elaborate on the cost of implementing MemberPass but said the company needs 27 signed contracts to reach profitability. She estimated CULedger will reach that point in about a year.
Academic Lana Swartz, a professor at the University of Virginia and self-described “blockchain skeptic,” said she saw similarities between the promise blockchain holds for credit unions and the promise blockchain holds in the music industry. By using blockchain, musicians would be able to receive royalty payments, venues could curb counterfeit tickets and record companies could easily trace song streams.
But “I think it has struggled to reach the potential that some people thought it was going to have,” said Swartz, author of the forthcoming book New Money: How Payment Became Social Media.
She said blockchain’s main power was bringing together diverse groups of people to identify and discuss shared problems. As music execs talked over the cost and complexity of implementing blockchain, she said they often settled on solutions other than distributed ledgers.
Like the music industry, Swartz said credit unions’ mission of charging members low fees could present a barrier for CULedger.
“It can be quite costly to explore new technologies, especially new technologies that may be overhyped. And I think that credit unions, more so than most financial organizations, have their members’ interest in mind and have to make tough decisions,” Swartz said.
But “if any group of organizations is prepared to figure out how to make a technology like blockchain work for them, it’s probably the credit union movement. They are cooperative in nature.”