Cybersecurity in 2020, Roadwarrior Edition


By Robert McGarvey

Now is the time to take stock of our defenses and I’m not talking about pickpockets and hotel safe thieves. What I mean is guarding against cybercriminals who, unfortunately, prey on business travelers particularly – everywhere from coffee shops to airports to hotels, even whole foreign countries.

A few steps will keep your data safe on the road and it is vastly more valuable than the devices themselves. At least in my case where I usually travel with a five yearold Chromebook, somtimes an iPad Air 2 , neither having much value. The Pixel 3 XL phone has a little value but not much. A suggestion: always travel with disposable tech gear that you won’t miss.

It’s the data that I am concerned about because a criminal could feast on my financial accounts and maybe find a way to monetize data gleaned from emails and documents, many thousands of both on my devices.

Here are my steps towards safe travels.

Countries That Spy on You

Whole countries? You bet.  Visit China and you will hear that the “Great Firewall” means you cannot access Gmail and lots of other websites. You will also hear that, psst, use a VPN – only certain vendors pass muster and the list is a changing target – and you will be able to surf to Gmail, Facebook, you name it.

But you have to wonder: is the Chinese government monitoring that VPN traffic and do they have keys that decode it?

Know too that high level security consultants – with clients inside the Beltway and on the highest floors of Fortune 100 office towers – urge their clients to bring a clean computer and a clean phone, no business data on either, and to never access sensitive information while in China because your devices will be copied on your travels.

Not might be. Will be.

Maybe not the gear of Bob Schub, average citizen, but if there is a reason to think you might have interesting info on your computer or phone know it will be copied.

Do not bring your every day business computers or phones to China. Don’t.

China is not alone. Here’s a map of the world with nations that heavily monitor Internet traffic highlighted. There are places you might not go – Saudi Arabia – and there are places you might go that monitor at least some traffic (Russia, Turkey).  Know before you go and, when in doubt, use clean devices when traveling overseas.

Password Protect Your Phone

At least once a month a friend or neighbor asks me, what do I do, I was traveling and I lost my phone?

Sometimes they say it was stolen.

It doesn’t matter.  You probably will never see it again.

Know this happens, take steps now to protect yourself.

Set up Find My Device (Android) or Find My iPhone in Settings.  Now. When you lose a device it may help you find it and – crucially – it may let you wipe the device which means erasing all personal data.

Also, lock the phone, with a PIN or biometric, in Security (Android) or TouchID and Passcode (Apple).  That simple step will keep most criminals away from your data and, in most cases, they only want the phone hardware anyway.

The data is more valuable than the hardware but most criminals are grab and run small change crooks and that’s the good news.

Just take the two simple steps above and, yes, you can cry about losing a $1000 piece of hardware but at least your data and bank accounts will stay safe and that is what matters.

Never Use a Public Phone Recharging Station

You see them in airports, also at meeting venues. Don’t use them.  They are a fast track to getting hacked. It’s tempting. Your phone is beeping for juice.  Just let it die. Or always carry a plug when on the road, as I do. Often there are two in my bag.  They do get forgotten in hotels, a spare is a good idea.

Don’t Use Public WiFi

Never, don’t.  That means no public WiFi at airports, coffee shops, and definitely not hotels.

You say you are protected because you use a VPN.  Good luck with that (read about China above). Know that there are known vulnerabilities in consumer facing VPNs and there also are vulnerabilities with enterprise grade VPNs.

Personally I sometimes use Google’s VPN on a Google Fi phone when accessing the Internet but generally I am reading the news or checking a website and if that traffic is hijacked, so be it.

My preference is to create a cellphone hotspot and access the Internet via cellular data networks. A few clicks in setting and you are in business.

You really think public WiFi is faster and of course it usually is cheaper? There is one safe way to use public WiFi – read the next step.

Use a Secure Cloud Based Browser

When on the road and accessing sensitive data via public WiFi, I use Silo, a remote browser that processes all data remotely, in the cloud. (Here’s a paper on the technicalities.) It then transmits an encrypted display of the data to you so you “see” the web page but any computing functions have occurred in the cloud, at a remove from your computer.

There are other remote browsers.

Whichever you use, know that when you look at a page with toxic code, no prob, the bad stuff happens in the cloud. Not on your computer.

And eavesdroppers – who often listen in on public WiFi sessions – will only see an encrypted data steam that won’t mean a thing to them.

That’s five steps. Take them and there’s no guarantee of data security on the road. But you can know you are taking steps to secure your phone, your computer, your Internet traffic. And that puts you in a safer place than 99% of travelers

CU2.0 Podcast Episode 69 Casey Boggs on Reputation Management, Hackers and You

What are people saying about your credit union?

That means members, staff, and community members?

And how does a nasty hack impact your reputation?

Meet Casy Boggs of ReputationUS, where the business is in fact reputation management and a primary emphasis is work with credit unions.

You think you have a great reputation? Don’t guess. Know. Get a reputation audit done and be prepared to be surprised by the results.

Particularly interesting is how a hack impacts a credit union’s reputation, a topic Boggs has studied in depth.

Among his findings: 48% of us are very unlikely to remain a member if their data has been hacked and then used to set up a bogus credit card account.

Good news, per the survey, is the vast majority of us hold credit unions in high reputational esteem.

But don’t take it for granted.

Boggs says in this podcast that too many institutions are unprepared to deal with events that involve a reputational hit – they lack a plan and a plan can smooth the path to recovery.

Bad stuff happens. Are you prepared?

Find out what’s involved in this podcast. Listen here.

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available.

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto

Why Hospitality Companies Are Cybersecurity Laggards

by Robert McGarvey

For some years I have reported on cybersecurity fails on the part of airlines, hotels, and miscellaneous other travel players. In the background always a question haunted me: why are so many travel companies so bad at cybersecurity? Sure, hackers hack just about everything but travel companies seem favorite targets, in part because they are indeed sources of valuable data of affluent people but also because, somehow, they just seem less capable at protecting their digital valuables (our digital valuables).

And now there’s a suggestion from Bitglass, a cloud app security broker, that just maybe hospitality companies are in fact utterly deficient in cybersecurity. In its report An Analysis of Cybersecurity in the Fortune 500, Bitglass said it “conducted research on the 2019 Fortune 500 in order to identify whether the world’s leading companies are prioritizing information security and customer privacy. Their websites were scoured for keywords, phrases, and executive security personnel in order to learn about the steps that they are taking to protect personally identifiable information (PII) and customer privacy.”

Bitglass added: “The results demonstrate that many organizations lack an authentic, lasting commitment to enhancing cybersecurity.”

It gets worse. Bitglass found that 77% of Fortune 500 companies “make no indication on their websites of who is responsible for their security strategy.”

Guess what sector is most derelict. Hospitality. 0% – none – have a named executive in charge of cybersercurity on their websites. And that’s despite the industry’s many breaches. Eight hospitality companies are in the Fortune 500, all failed.

Manufacturing is next worse. Only 8% name a cybersecurity exec on their websites. Telecom comes in third worst with 9%.

Hair splitting time. In this context “hospitality” refers mainly to hotel companies and some restaurant groups. Not airlines which are grouped under “transportation.”

Hospitality also comes in at the bottom regarding the percentage of companies with website info “about how they are protecting the data
of customers and partners.” Just 25% of hospitality companies offer this info, tied at the bottom with oil and gas companies and construction companies.

That double fail wins hospitality a starring role in Bitglass’ list of least security conscious industries.

Transportation, by the way, does much better. 57% list an executive in charge of cybersecurity and 36% have a statement. This is not to say breathe easily at airline sites (loyalty programs have had their hacker problems). But they do do better than their hotelier brethren.

Here’s the question that matters: What are we to do to stay safe? The start is accepting it is our job. Hospitality companies don’t have our backs. If we are to be safe it is because of what we do (or don’t do).

Rule one: Assume that any hospitality site you use will be hacked. Take that seriously. It means that any data you leave at the site may end up in criminals’ hands. Personally I am just as suspicious of airline sites. I follow the same precautions at both kinds.

Never use passwords that are used at important accounts – a credit union or bank, for instance – at a hospitality site. Hackers use computers to automate testing of stolen passwords at leading banks precisely because they know many of us are lazy and dumb and use a password at multiple locations. Just don’t.

Personally I use Google generated passwords at most hospitality and airline sites, mainly because I generally log in on a mobile phone with a fingerprint and a long, complex password is fine. Either way, though, remember that a hospitality site probably will be hacked.

Do keep tabs on anything of value that you have at hospitality websites. Loyalty programs have for some years been hacker targets. Your points may already have been stolen. A corrective is to regularly monitor balances. How often is enough? It depends upon how valuable a stash is. I think I have some Delta miles but couldn’t tell you when I last looked because I know there aren’t many.

But with the sites where I have large deposits of loyalty points I log in at least monthly. I can’t say I have personally seen miles stolen but I nonetheless do check regularly.

While you are at this, stop using hotel WiFi – it’s dangerous.

Personally, just this week I ignored my advice because my cellphone hotspot was anemic and I had free hotel WiFi via Hilton Honors and I was traveling with an old Chromebook that had no personal data on it. I also didn’t access any sensitive sites (banking for instance).

But whenever possible, use something safer than hotel WiFi.

Can you travel and not get hacked? Maybe. Sure in fact. I don’t believe I ever have been. But my inflexible advice is to always assume you will be hacked. That’s how to stay safer on the road.

Who’s Dumber – Us or Hoteliers?

by Robert McGarvey

Hoteliers know they have a problem in their little used lobby spaces and their similarly unused business centers but now they believe they have a solution and it involves a bet that we are dumber than they are. Here’s the Travel Weekly story. The subhead lays it out: “Hotel companies, recognizing that their public areas are often used as coworking venues anyway, have followed the example of WeWork and its temporary office spaces by renting out portions of their facilities as communal workplaces. But will guests pay to use space that has been free until now?”

It’s that last sentence that boils my blood.

Understand, I do not dispute that hotels might – perhaps even should – seek to impose charges on non guests that use their public spaces as offices. It is one thing to stop into a hotel lobby and have a coffee or a cocktail and do a little business. It’s another thing to park in the space for six hours and do a full day of work. A hotelier has every right to seek to monetize that occupancy. But charging guests?

I applaud the hotelier quest to monetize otherwise under-used spaces – but not at the expense of paying room guests.

Fine by me, too, if hoteliers want to open their fitness centers to the public. Most aren’t much used anyway and if the public can be lured in, why not?

But charging guests for what has been free is where a line needs to be drawn.

Personally I prefer working in my room, I also do not much use hotel wifi and instead create a hotspot on my phone – it’s much more secure internet access. So I’m not exactly the target market for this use of public spaces.

Indeed, I have never parked myself for a workday in a Starbucks – although I know many who do and who enjoy it.

At least one hotel group seems to be doing this right: Crowne Plaza. The chain’s Plaza Workspace program offers – free – access to spiffy work pods. But for those who need more privacy there’s The Studio which is available for booking by the hour (and there’s a dandy online tool for that). Cost where I looked was $50/hour – but, remember, there’s no need to incur those costs unless you need that privacy. The free workspaces look quite inviting and comfy.

Why do some hoteliers believe they can gouge guests for use of what amounts to public meeting spaces? Don’t ask me, ask them. All I can guess is that they think we are dumb enough that we will pay for spaces that had been free (and largely underutilized in recent years – despite the outlier and outsized successes such as enjoyed by Ace Hotels). And to pay when there almost certainly is a Starbucks, or other coffee shop, a block away from the hotel and with free work space in the bargain.

Travel Weekly did quote one skeptic about our willingness to pay, Filipa Pajevic, a grad student at McGill’s School of Urban Planning: “Coworking has already been happening at hotels, in the sense that they’ve already been providing people a place to work while they’re away from their official workplace or home. So for hotels to say, ‘Look, we’re also going to offer coworking spaces,’ I don’t know if that’s going to necessarily go well. You’re asking me to now pay extra for something that I’ve already been doing in your hotel for free.”

And that just may apply to non guests as well. Why indeed would a person who has been using a nearby hotel for business meetings in the lobby – something done for many years by Manhattan dwellers, also San Franciscans – now suddenly dip into his/her pocket for lobby access? I don’t begrudge hoteliers their desire to nick those non guests for $20 or $50 – it’s just that I don’t see people doing this when there are those other nearby, free work spaces (Starbucks).

The bottomline here, however, is that when you are a guest don’t even think about paying to use hitherto free public spaces. Just say no. And walk outside and into a coffee shop (and, yeah, the java probably is better than the hotels’ too).

Business Travel’s Wellness Hoax

by Robert McGarvey

The Skift headline got me smiling: “Wellness for Business Travel Is An Uphill Slog.” You betcha.

From my perspective of perhaps 45 years of business travel, I’d say the industry can measure its wellness progress in centimeters. No more. We drink less booze – certainly I do – and eat fewer steaks and for that we can congratulate ourselves (and maybe mourn the passing of the “good times”). But as for a real wellness commitment, who is kidding whom?

Hoteliers and event planners talk a good wellness game. Just about every chain now has a “major” wellness initiative. But talk is still cheap. It’s the doing that matters.

Or the non doing in this case. Both on the part of the hoteliers and – truth be acknowledged – us.

I am just back from three nights in Las Vegas – a conference hosted by a financial technology company – and I returned a pound or two lighter than when I left home. But I skipped dinner every night, I also skipped the event cocktail hours, and every day I logged about 10,000 steps, just walking around a huge Strip resort.

But was my trip healthy? A role model for wellness?

Don’t be silly. I swilled maybe six large cups of coffee daily – at least double my norm – to keep me fueled up for long meeting days; I ate more scrambled eggs, bacon and sausage in three mornings than I had in the three prior months; and I also ate close to zero fresh and raw vegetables and fruit.

The breakfast buffet stands as an exemplar of progress not made. Sure, there was a platter of beautiful melon slices, an artistic palette of green, orange, yellow. It remained largely intact throughout service. I am not pointing fingers. I too admired its looks but otherwise ignored it. I dove into the scrambled eggs, the crispy bacon, the sausage links and, shudder, also grabbed a croissant one morning. The bread wasn’t good so I skipped it the other mornings.

Don’t tell my cardiologist about that morning feast. He would double my statin dosage.

Lunch – another buffet line. Fresh salads to start, also largely ignored. Visually appealing but shunned. Onto the chicken, the steak, and – of course – a small heap of cooked veg, just for appearances sake, no need to actually eat them.

The good news about lunch: desserts were at a separate table which I never visited and, by all means, give me applause for my discipline.

Or, more to the facts of this matter, question what happened to my culinary sanity as you review my daily intake of cholesterol, fats, and stuff that we know isn’t good for us.

Note: this was at a lovely, upscale Strip hotel. No faulting execution. It’s the underlying concepts that I question. The concepts are ours, by the way. Hoteliers are giving us what we want.

Here’s the reality: we all are talking a dandy game of enhanced wellness on the road but it is a mirage. Very little has changed in a half century. Perhaps a few more of us use the hotel or resort gym (although I am skeptical about that as are Cornell researchers). But we are a heckuva lot more obese than we were a half century ago. Maybe 10% of men were obese in 1960. Now it’s nearing 40%. Around 15% of women were obese in 1960. Now it is over 40%.

If it had been available, would I have eaten a bowl of oatmeal with almond milk and a handful of berries for breakfast? A feast at home. But on the road?

For lunch would I have eaten a veggie burger on a whole grain bun with an arugula, tomato salad on the side? Well, yes, actually. That’s become a personal favorite meal.

But count me as a no on the oatmeal. What about you?

We – most of us – are wellness laggards.

“The business travel industry is taking baby steps to incorporate more wellness, but there is a ton of room left for growth,” Sahara Rose De Vore, founder of the Travel Coach Network,told SKIFT. Indeed.

It’s not their fault, however. It’s ours. They are giving us what we want.

Plastics Bans Coming to an Airport Near You

by Robert McGarvey

SFO fired the first shot – on 8-19 it forbade airport shops, restaurants, vending machines, et. al. from selling plastic water bottles. We are instructed to bring our own refillable bottles and to grab our water at some 100 hydration stations.

Watch for this to spread to airports across the country and globally. Single-use plastics are cluttering our planet. Can we recycle our way out of this? Hah. “As investor Rob Kaplan of Circulate Capital recently told National Geographic, ‘There’s no silver bullet to stop plastic pollution. We’re not going to be able to recycle our way out of the problem, and we’re not going to be able to reduce our way out of the problem.’”

Much recycling is ineffective. Maybe even a scam. Just don’t use single-use plastics. That’s the exit and water bottles are a good place to start.

There’s a loophole in the SFO bans, by the way. Water can be sold in plastic bottles bigger than one liter, reports SFGate. My reaction to that is big deal. (1) What traveler buys a half gallon water jug? Not me. (2) It’s as easy to ban big bottles as it was smaller ones so if there’s a flagrant parade of giant jugs watch for a broader ban.

The bigger loophole is that the ban does not apply to juices, sodas, etc. It should.

Globally we use more than one million plastic bottles a minute. No one wants that much trash. Recycling efforts are noble but Sisyphean. Mountains of trash accumulate daily.

Repeat: no one wants this much garbage.

We can do our part. Personally as I walk around Phoenix where I live, I usually have a metal water bottle, stamped with the name of one resort or another, I couldn’t tell you which, or maybe it was a handout at a business meeting where, in recent years, there are ever more giveaways of logo metal water bottles. Point is: they are free.

It’s no big deal to carry a small metal water bottle in a carryon bag. For years I’ve carried a small travel umbrella (go to New York or Belfast enough and you’ll never fly without an umbrella). A water bottle is a little smaller and lighter.

Some pundits report that business travelers are grumbling about the SFO ban. Reported WAPO: “Although public reaction has mostly been positive, the news has resulted in some disgruntled business travelers who bristle at the inconvenience of having one more item to pack.”

I don’t get. What’s the inconvenience of toting a lightweight refillable bottle when measured against a planet that is choking with waste plastics?

Water bottles are just the first shot.

Color me also opposed to plastic straws which I never use. If you like straws buy a metal straw. They are cheap and small. California has a plastic straw ban (customers have to ask for a straw to get one); more states will follow. Plastic straws simply are bad. Something like 7.5% of the waste plastic in the environment is from straws and stirrers. Stop it.

I’m on record in my attempt to support the flygskam movement – but I am equally on record noting that it just isn’t easy to cut back on flying because our transportation alternatives suck.

It is easy to cut back – eliminate – a lot of plastic. I remember as a kid liking the feel of glass Coke bottles. Paper straws were fine too in that era (although I think reusable metal straws are a much smarter solution in 2019).

While we’re at this, ban single-use plastic bags too – as many nations already do. So does California. It’s easy enough to carry a small string sack, or cloth bag.

We can make a difference when it comes to plastics. I hear the pain when the talk is about flygskam. Single use plastics are different. They are easy to eliminate – we won’t miss them – and the planet will thank us.

You want some plastic in your life? Have at this.

Credit Unions Buying Banks: Good, Bad, or Plain Ugly


By Robert McGarvey

Ten times so far this year a credit union has bought a bank, according to Credit Union Times’ count.  Some deals are small – Verve for instance paid $43 million to buy South Central Bank in Chicago.

Some are bigger such as Arizona Federal Credit Union’s buy of Pinnacle Bank in Scottsdale with its $236 million in assets. No details on the purchase price have been released.

In Florida – where the recent credit union buying a bank trend kicked off in 2015 when Achieva Credit Union bought Calusa Bank for $23.2 million — there have been three buy outs of banks by credit unions so far this year.

In the Chicago area, there also have been three purchases of banks by credit union so far this year.

This isn’t an entirely new phenomenon. The first deal dates to July 2011 when United FCU bought Griffith Savings Bank in Indiana.

And the deals keep coming.  

Understand this: some credit union thought leaders are adamantly opposed to this trend.  To them, banks and credit unions are different and never the twain should meet.

Still others worry that as credit unions incorporate more elements from banks – including hiring bank trained staff – they may become more bank like and lose the credit union difference.

Consider this maybe the very most contentious issue in the credit union universe.

Banks incidentally are vocally opposed to the trend – or put more accurately they see this as a proof that credit unions should lose their tax exemption.

The other reality is that community banks are struggling. Their numbers are dwindling as the big banks get bigger and smaller, community banks find it harder to compete. For them, in some cases, the exit strategy is to sell the assets – primarily branches, loans, customers – to another financial institution and if it happens to be a credit union, so be it.  (Here’s a list of many CU – bank deals. Go to page 8.)

Big banks also seem largely uninterested in buying struggling community banks.  For many of the latter, a possible acquisition by a credit union looms as an attractive exit strategy.

But, first, what specifically is in this for a credit union? The St. Louis Fed tackled exactly that question.  Here’s what it said: “So what would entice a credit union to pursue a bank instead of another credit union? For one thing, it may be the fastest way to expand into new business lines that are more closely associated with banks (for example, business lending). The average ratio of business loans to total loans for the acquiring credit unions in the quarter before the transaction was 8.6 percent, whereas the average for the acquired banks was 33.8 percent. The acquisitions of the commercial banks raised the business-loans-to-total-loans ratio in the credit unions to 10.9 percent.”

Moreover, like credit unions, small community banks tend to have strong community ties and know their customers on a more personal level than their large-bank counterparts do. This strong community relationship can be an asset to the acquirer.” 

Other experts suggest that the number of sizable, viable credit unions that are available for merger into another credit union is dwindling. The attractive candidates have already merged, at least most of them have.

Very probably, we will see a continuing stream of credit union purchases of banks or at least parts of banks.  But probably not that many. The St. Louis Fed believes this kind of deal will never become commonplace: “Because of all the regulatory and business-model barriers involved, it will likely never be a dominant transaction type.”

Which brings us to the big issue: are bank purchases in fact good for credit unions?

For starters, know that the bank charter is not transferred in the deal.  A credit union cannot own a bank charter, said Wendell “Bucky” Sebastian, a co-founder of Callahan, longtime CEO of GTE Federal Credit Union in Tampa, general counsel of NCUA, and, at the start of his career in banking, a senior official in an Illinois regulatory agency.  Hear Bucky’s candid podcast for a lot more opinions including Bucky’s optimism about the credit union future. Listen here.

As for foes of bank acquisitions, there’s Jim Blaine, retired CEO of SECU, the giant North Carolina credit union, who has strong opinions on this topic. He ventilates his ideas with gusto in the CU2,0 podcast.  

Blaine opposes credit union – bank mergers. He sees them as a manifestation of an increase in what he calls the commercialization of credit unions.  At their founding, credit unions were created to serve members. Not to sell them products they don’t need which of course is a bank business plan.

Blaine also said that in negotiations between a banker and a credit union executive, he’d bet on the banker to win.

Credit unions just aren’t banks and shouldn’t be, Blaine believes. So keep them apart.

Bucky Sebastian – who supports credit union mergers, definitely ones with other credit unions, in his podcast – also comments that “banks exist for one purpose – to take as much from their customers and to give it to their shareholders as they can.”  That’s true. So ask yourself how that culture blends with a credit union’s.

That deep philosophical concern is aired by Gary Oakland, the retired, longtime CEO of BECU who saw that institution grow from a couple hundred million in assets to over $10 billion during his tenure. (He offers his perspectives on range of issues facing the industry in his CU2.0 podcast – find it here, it posts in late July – and he specifically addresses why BECU grew so big, so fast when many other credit unions did not.)

“You are seeing a change in leadership of credit unions,” says Oakland.  “A lot of new leaders are coming in from the banking industry. There’s not as much development of homegrown leaders.”

Which leaves us with a troubling question: at what point does a credit union assimilate so much bank characteristics that it ceases to be a real credit union and instead becomes a bank? Sure, the charter may say credit union.  But is the institution truly a member focused institution?

Is that case closed, credit union purchases of banks are bad? Not so fast. Some bank branch buys win broad applause. In the Deep South, Hope Federal Credit Union has bought a number of bank branches, mainly from institutions that had announced plans to close those locations.  Hope CEO Bill Bynum talks at length about that strategy in his CU2.0 podcast.

These acquisitions have been widely praised.

Even the cynic Blaine applauds what Hope is doing and he indicated that in negotiations he’d bet on Bynum to beat the bankers.  In some cases Hope may well have gotten the branches at no cost.

That’s a hard deal to turn down especially when a credit union can do tremendous good for the community by using the facilities to offer financial services to a community that might otherwise become a “banking desert.”

That does not mean however that it’s full steam ahead for bank mergers, either. 

Eyes will be on growing numbers of credit unions that have consumed banks, or hired senior bank executives.  The verdict has not been written.

But it will be.

CU2.0 Podcast Episode 41 Sherri Davidoff on Cyber Insecurities and You

Put phishing emails in front of credit union employees and how many will fall for them and cough up sensitive info? 20 to 60% will get conned.

And that can be costly to a credit union, both in terms of money and reputation.

Enter BrightWise, a Des Moines Iowa cyber training company created by Sherri Davidoff, CEO of LMG Security, and the Iowa Credit Union League’s holding company Affiliates Management Company (AMC).

After training, said Davidoff, the number of employees who fall for the phishing con tumbles below 10%.

What BrightWise will focus on, said Davidoff, are fun, short videos – think maybe five minutes – than an employee can absorb at his/her leisure.

Smarter employees are critical because how hackers work has changed, said Davidoff. “It’s no longer 13-year-olds in their moms’ basements that are hacking us; it’s organized crime groups all over the world,” Davidoff shared with NBC’s Today Show.

“People tend to think cybersecurity happens in the IT department,” added Davidoff. “Front-line staff are under constant assault from crooks and their automated robots, look-alike communications and other crafty tricks. We have to arm employees with knowledge, but also give them the tactics they need to sidestep cyber sneak attacks.”


Want more details on the Paul Allen scam? Read this.


Listen up to this podcast for a fast overview of the cyber threats credit unions face – and what they can, indeed must, do to protect themselves and their members.


Listen here

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available.

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto

Show Us Your Tweets Before Entering the US


By Robert McGarvey

The US government now has announced a policy where applicants for US visas are asked to disclose their social media handles. Apparently about 15 million foreign visitors will be impacted annually.

Would you disclose your Twitter, Facebook, and other accounts to a foreign government?

My Twitter account is @rjmcgarvey, ditto on Facebook, and I have never posted on Instagram, Snapchat, et. al. I have nothing to hide. But I do have questions about this new US information grab.

Is the US overreaching in its paranoia? Should what you post on social media figure into your ability to travel the world? And remember that others will follow the US policy – that is, many nations will start asking for social media handles on visa applications.

So US citizens too will be impacted.

Which brings us to the question: why did the US make this change?

According to TIME, the US explained this thusly: “National security is our top priority when adjudicating visa applications, and every prospective traveler and immigrant to the United States undergoes extensive security screening. We are constantly working to find mechanisms to improve our screening processes to protect U.S. citizens, while supporting legitimate travel to the United States.”

The free speech advocate inside me recoils at yet another government act that may stifle speech.

Even so, I have assumed for some years that the big governments – especially the US, China, possibly Russia – routinely sift through all social media postings.  I would also assume that many who post inflammatory stuff do so under pseudonyms. So a visa applicant might have a humdrum account on Twitter in his/her real name – and another account full of hideous nonsense under a fake name.  Which account would you guess he’d disclose on his visa application?

Is there any point to this new government intrusion?  Will demanding social media handles deliver anything of value?

Then, too, many millions of foreigners enter the US under a visa waiver program that allows passport holders from countries such as Australia, France, Germany, Ireland, Japan, South Korea, and the United Kingdom to enter without a visa.  

In FY 2015, about 22 million came in under the visa waiver program (Japan was the leader with 3.7 million).  That’s half again more than will come in with a visa but that makes sense because most developed countries are in the waiver program (and in most cases US citizens do not need visas to enter these countries).

As for the new US demands, civil liberties folks are up in arms.  Per the New York Times, “This seems to be part and parcel of the same effort to have an extraordinary broad surveillance of citizens and noncitizens,” Elora Mukherjee, director of the Immigrants’ Rights Clinic at Columbia Law School, said of the latest development. “Given the scope of the surveillance efforts, it is hard to find a rational basis for the broad surveillance the Department of State and the Department of Homeland Security have been doing for almost two years.”

Probably, too, this search won’t actually prevent any terrorism. A Washington Post story from a few years ago took up exactly this question and said, naw, it won’t work.  Why? The vast majority of posts are about the same old stuff – “Almost all were about traffic, celebrities or the weather. Discovering whether a visa applicant has ever voiced suspect opinions will require searching through acres of haystacks in the hopes of finding a few needles,” said the Post as it reviewed Ukrainian posts after Russia’s seizure of Crimea. Note that timing. Even tho war was breaking out, the overwhelming majority of social posts were about the same old trivialities of everyday life.

Then, too, added the Post, the Internet is awash with hate speech – vide Trump’s Twitter account.  There’s a lot of bluster, a lot of ranting, and a lot of plain hate. That means “identifying suspicious social media activity cannot be conclusive without additional labor. Whittling hundreds of thousands of flagged accounts down to a manageable watchlist will be an expensive and time-consuming human effort, not the work of algorithms.”

So probably this is actually just a Washington DC witch hunt not worth the time and effort.

Is Member Ownership a Credit Union “Missed Opportunity”?


By Robert McGarvey

It’s a loud, universal credit union mantra: we are not a bank, we are member owned.

Are they really?

Of course credit unions are not shareholder owned, nor are they owned by a proprietor so – sure – on paper they are are indeed cooperatives owned by their members.

But do they walk the talk?

These dark thoughts flooded my mind in a recent conversation with cooperatives researcher Nathan Schneider that resulted in a wide ranging podcast that, ultimately, to my ears is very optimistic about cooperatives, especially new kinds that are forming to serve new needs (platform co-ops and worker owned co-ops for instance).  

But at roughly the 15 minute mark Schneider said that many cooperatives drop the ball, with a loud thud, by not stressing that they are in fact a democratically run cooperative because that kind of structure will appeal to a new generation.

“It’s a missed opportunity,” said Schneider who then issued “a challenge to cooperatives to reinvigorate their democratic spirit.”

Credit unions, he’s looking at you.

In fact he said, “that goes for credit unions too.”

“They need to rediscover the power of democratic involvement in these businesses.”

Do you vote in the annual meeting at your credit union? I belong to two and, as I confessed to Schneider in the podcast, I have never voted in a credit union election. Never as in not once.

I am embarrassed by that but I also am sure I am the credit union norm. And that’s very wrong.

I have often voted in annual elections of publicly held companies because they send me a proxy statement.  They make it easy for me to vote. And so I have.

I don’t even know when my credit unions’ annual meetings are.  I know one is 2500 miles from me. The other is within 10 miles. But I don’t know where or when.

Do credit unions care about the dismal member involvement in governance – keeping in mind we are, per the mantra, member owners?

Nope.  

Schneider said that a recent annual meeting of a large Colorado credit union he belongs to, he counted around 30 members in attendance and so he asked the CEO what he was doing to increase member involvement.  The CEO’s answer: “Credit unions aren’t like that any more.”

“That’s a big problem,” said Schneider of the indifference to member involvement.

He stressed that member ownership is a huge differentiator from other financial institutions – and yet credit unions aren’t making the most of this difference.

Schneider concluded: “If your main differentiating factor is no longer important, that’s a problem.”

CUNA of course has its “Open Your Eyes to a Credit Union” campaign – where a central plank is member ownership – but what if that ownership adds up a big zero? What if?  (Listen to Teresa Freeborn on the CUNA campaign, which she chairs, in this podcast.)

This really is the game. Credit unions are local, they usually offer free checking and lower cost loans, and they are member owned – that’s the three part argument.  It’s a great foundation for a marketing campaign. But when member ownership is an unfulfilled promise, the argument crumbles.

Schneider is right.  Credit union boards and management need to get serious about raising member participation.  When members feel they have the same stake in a credit union that they would have in Chase if they banked there – zilch in other words – credit unions have blown it.

Set a goal. Double member participation in the next meeting. Double the number of votes.  Get more members posting about the credit union on Facebook. Let’s see the members acting as owners.

Make it a core business goal to dramatically up member participation. Boards can make this a key consideration in grading a CEO’s performance.

Some credit unions get this. Some allow voting by members online. Some even allow Facebook voting. Bravo.

There are ways to introduce 21st century voting into credit unions and thereby to up member participation.

Most credit unions don’t deploy such tools however. Annual meets are still in person only. In the 21st century! There’s the “missed opportunity.”

But every credit union needs to commit to dramatically upping member involvement in the democratic control of the institution.

Upping member involvement won’t come easily. But this is an obligation that can’t be ducked. Never forget: democratic member control is the 2nd of the Rochdale Principles. “Co-operative societies must have democratic member control. According to the ICA’s Statement on the Co-operative Identity, ‘Co-operatives are democratic organizations controlled by their members, who actively participate in setting their policies and making decisions.’”

That’s not hard to understand.

It may not be that easy to do.  But the doing is what will give credit unions a winning proposition.

Talk is cheap.

Democracy isn’t.