Multi-modal security best for registered financial service providers
October 2016, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Access Control & Identity Management, Cyber Security, Integrated Solutions, Financial (Industry)
The financial sector faces a number of security challenges that range from outright banking hall robberies and theft of money at ATMs to internal and external fraud, phishing and similar cyber threats. With such a diversity of risks, the approach to mitigation is multi-pronged and multi-tiered. Hi-Tech Security Solutions finds out what registered financial service providers (RFSPs) are doing to keep customers’ money safe.
Unlike residences and many manufacturing facilities, most financial institutions do not have the luxury of perimeter walls. Situated primarily on street fronts or in shopping malls and centres, they often rely on shopping mall security, and the most vulnerable point of access is their front door. It is little surprise, therefore, that entry is via a single-person access barrier such as a turnstile or man-trap cubicle. In tandem with this, one often sees a security guard posted at the door to observe client behaviour.
The risk, according to Gary Swart from Rhyco Risk Projects and Andy Lawler from Sentinel Risk Management, is not consistent throughout a 24-hour period. After hours, it is much harder to access the vault than during working hours; similarly, during working hours, the banking hall is at risk due to the volume of people passing through the facility. The time of month is also a variable, with month end and other designated pay-days associated with large amounts of cash on hand, both within banking halls and at ATMs.
Deon Roodt of DFR Engineers says that there are two distinctly weak points in any vault – the door and the fire escape hatches. These points can never be of the same strength as the vault wall. However, the doors are dependent on the integrity of the key holders. If the information about key control and management is leaked then the whole system is vulnerable.
One of the priorities for banks, apart from ensuring that money and valuables are prevented from falling into criminal hands, is protecting the human capital – the financial institution’s employees as well as its clients. In Lawler’s words: “Criminals threaten lives and create chaos to get their hands on money. Remember, the target is people and the reward is money.”
One of the biggest threats to financial institution security is staff complacency. Unfortunately, many bank employees are not adequately trained to detect and recognise suspicious criminal behaviour. There are a number of instances where ‘clientele’ sitting in waiting areas exhibit behaviour that would be considered unnatural to the trained eye, but which is undetected and ignored by unsuspecting employees.
Dion Cronje of 247 Security Group highlights cheque fraud, bank robberies, ATM card skimming, workplace violence, identity theft, internal and external fraud, and cash-in-transit heists as being of major concern to banks.
He suggests that both employees and clients be required to swipe an RFID card and enter a PIN before transactions can be undertaken. To ensure secure online logins, the use of one-time passwords (OTPs) sent via email or SMS is becoming common practice. Other added security options include logging into a VPN (virtual private network) that has an authentication certificate, using biometric fingerprint readers, and attaching a USB hardware token to a desktop that generates an OTP and thereafter logging into a VPN client with the OTP.
Other areas of concern include ease of access to facilities and accounts and the extreme violence of criminals in their attempts to access funds. In addition, there is often a lack of urgency in response from both the SAPS and armed reaction units when dealing with incidents.
Roodt comments that intelligence gathering, evaluation and assessment are increasingly becoming important elements of security to ensure that appropriate decisions are taken in a timely manner.
The RFSP’s employees are often a major source of theft within the ranks, using a number of schemes to swindle money from unsuspecting clients. Lawler says that one cannot stress strongly enough the importance of considering the human factor. Internally, organisations are experiencing higher threats in terms of fraud committed on a cyber level, while the incidence of external crime is lower but the payload is greater and obviously more hazardous in terms of personal safety.
Cronje adds that insider threats pose a larger risk as, in addition to often having access to client accounts, they know where the vault is located as well as the location of large amounts of cash. This information can be readily passed on to an outsider. The consequences of insider attacks are disclosure of confidential customer information; loss of intellectual property; monetary loss; disruption to critical infrastructure; and destabilising, destruction and disruption of the cyber assets of financial institutions, all of which result in embarrassment and reputational loss for the institution.
Swart elaborates that internal threats come from a number of defined types of attacker. The opportunistic attacker is the most commonly found and seizes opportunities to steal money with the firm belief that they will never be caught. The emotional attacker undertakes the fraud with the intent of causing harm to a specific person or group of people, often as retaliation for a perceived insult or slight. The intellectual attacker is a resourceful and skilled person who attacks the system for their own gain. They are able to carefully plan and strategise an attack for maximised effect, with minimised risk. Finally, there is the fraudster who either advertently or inadvertently assists an associate, friend or family member by allowing small misdemeanours to occur, usually as a favour to the person.
Lawler cites three predominant modus operandi in internal theft: fraud; money theft; and collusion with and abetting emotional attackers. An instance of money theft through manipulation of client accounts is where an account has become dormant and the employee then activates the maximum overdraft facility on the account, transfers the money into a third-party account and closes the primary account. The account owner is then charged with non-payment of the overdraft amount and is liable to be criminally charged, while the employee has scooped a substantial amount of money at no cost to themselves.
Preparatory behaviour prior to the crime being committed includes the collection of information such as client account numbers and identity numbers, as well as testing of countermeasures. Often employees will leave obvious errors such as error logs in files or they will delete errors, in order to deflect suspicion from themselves.
Management can be alerted to these preliminary actions by checking correlated usage patterns. By examining computer systems to ascertain trends, such as repeated transactions on an account, corrective action can be taken. Another red light is the verbal behaviour of employees. In many instances, disgruntled staff members who openly voice their dissatisfaction with the company or specific supervisory staff, as well as those who ask other employees for confidential client information, are primed for committing fraud.
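The dormant-account scheme Lawler describes, and the checking of correlated usage patterns mentioned above, can be expressed as a detection rule over a staff audit log. The following Python is an added example, not part of the original article or of any bank's system; the log layout, action names, account and employee identifiers, and the 365-day dormancy and 14-day window thresholds are assumptions, and all records are constructed.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=365)  # assumed: no customer activity for a year
WINDOW = timedelta(days=14)          # assumed: whole sequence completes in two weeks
SEQUENCE = ("OVERDRAFT_ACTIVATED", "TRANSFER_OUT", "ACCOUNT_CLOSED")

# Constructed staff audit records: (timestamp, employee, account, action, detail)
AUDIT_LOG = [
    ("2016-03-01 09:12", "emp_104", "ACC-7001", "OVERDRAFT_ACTIVATED", "limit=max"),
    ("2016-03-01 09:20", "emp_104", "ACC-7001", "TRANSFER_OUT", "to=third-party"),
    ("2016-03-02 16:45", "emp_104", "ACC-7001", "ACCOUNT_CLOSED", ""),
    ("2016-03-03 11:00", "emp_221", "ACC-7002", "OVERDRAFT_ACTIVATED", "limit=max"),
    ("2016-03-04 11:05", "emp_221", "ACC-7002", "TRANSFER_OUT", "to=third-party"),
    ("2016-03-05 10:00", "emp_310", "ACC-7003", "OVERDRAFT_ACTIVATED", "limit=max"),
    ("2016-03-06 11:30", "emp_311", "ACC-7003", "TRANSFER_OUT", "to=third-party"),
    ("2016-04-20 09:00", "emp_311", "ACC-7003", "ACCOUNT_CLOSED", ""),
]
# Constructed: last customer-initiated activity per account
LAST_CUSTOMER_ACTIVITY = {
    "ACC-7001": "2014-01-15 10:00",  # dormant
    "ACC-7002": "2016-02-20 14:30",  # recently active
    "ACC-7003": "2013-06-01 08:00",  # dormant
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def find_dormant_drain(audit_log, last_activity):
    """Flag dormant accounts where staff activated an overdraft, moved the
    funds out and closed the account, in that order, within WINDOW."""
    by_account = {}
    for ts, emp, acct, action, _detail in sorted(audit_log):
        by_account.setdefault(acct, []).append((parse(ts), emp, action))
    alerts = []
    for acct, events in by_account.items():
        last_seen = parse(last_activity[acct])
        step, start, staff = 0, None, set()
        for when, emp, action in events:
            if action != SEQUENCE[step]:
                continue
            if step == 0:
                if when - last_seen < DORMANT_AFTER:
                    continue  # account was not dormant when the overdraft was set
                start = when
            if when - start > WINDOW:
                break  # sequence took too long; stop evaluating this account
            staff.add(emp)
            step += 1
            if step == len(SEQUENCE):
                alerts.append({"account": acct, "employees": sorted(staff),
                               "single_operator": len(staff) == 1})
                break
    return alerts
```

The `single_operator` flag marks cases where one employee performed every step, which is where approval by a higher-level employee would have interrupted the sequence.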
It is critical to carefully observe and document personality traits. Those employees who display one or more of the following could be considered as being possible current or potential future offenders: drug or alcohol addiction, repeated and regular absenteeism, violation of rules and inappropriate social behaviour.
So how does one mitigate these insider threats? Lawler suggests starting with administrative controls. This entails examining the bank’s policies and procedures as well as regulated law. All controls should be regularly updated to keep pace with changing threats and trends and accepted as part of the institution’s regulated procedures. In all instances, cognisance should be given to applying rules and procedures commensurate with the requisite legal entities such as the Financial Advisory and Intermediary Services (FAIS) Act.
Preventative controls involve setting up political commissions on certain functions. An example is the need to acquire approval by higher level employees when creating or transferring accounts. Strict quality assurance measures and process sampling by process supervisors and auditors are also important. These controls should also include details on decisive action to be taken against perpetrators, to ensure that punishment is not arbitrary and inconsistent. Finally, security staff should be adequately trained to recognise risks and appropriately and promptly react to them.
Cronje proposes that institutions drive better risk management through careful assessment of online transactions by type of transaction or user group. Banks should adopt strong authentication standards, beyond the standard two-factor authentication. Some new techniques that provide a higher level of protection include the use of a separate communication channel or the use of advanced behaviour-based fraud detection engines which automatically detect transaction or website navigation anomalies in real time.
He continues that a layered approach of various complementary security technologies, such as strong authentication, behavioural fraud detection, out-of-band transaction verification, mobile authentication and extended validation SSL digital certificates, will aid in increasing security levels. Customer awareness campaigns add a further level of risk mitigation. By involving the customer in the whistle blowing process and reporting suspicious activities, there will be heightened awareness across the board.
Putting technology to work
Swart says that electronic measures are necessary to enhance security in the banking fraternity. Biometric access control, integrated with CCTV cameras and intelligent analytics, is an ideal preventative technology solution.
Cronje cites the many different kinds of access control defined in a financial environment. There is network access control (NAC), identity management (IDM), Web access control, remote access control, and device or endpoint access control. Access control involves three processes: presentation, authorisation and audit.
A system will allow access to resources through verification, using a user name and password, or multi-factor authentication. Biometrics and vein readers are becoming common practice for restricted areas as keypads present a dual challenge – (a) they can be easily hacked and (b) they can be easily ripped off walls. By employing correct installation and protection of biometric devices in dual casings, one is assured of a far more secure access control environment.
Cameras should be capable of providing an image that has a resolution suitable for accurate identification of people. They should also be able to provide complete coverage of facilities, including often-neglected areas such as passageways.
CCTV cameras are currently used for post-incident analysis of events. However, by including both analytics and an offsite monitoring service, safety for employees, clients and security personnel will be enhanced due to early and proactive intervention.
Cronje’s concern is that in many of the older banking facilities, CCTV cameras are generally based on ageing and often defunct technology and are randomly located in the facility. Whilst newer facilities are catching on to the idea of deploying cameras with high definition characteristics, often the budget does not allow for adequate coverage and resolution. He suggests a complete review of existing technology in terms of quality levels and applicability and a DVR recording capability plus offsite monitoring of live footage.
Swart says that analytics is proving increasingly popular and allows banks to set up specific parameters against which actual situations can be measured and analysed. One of these is people counting in specific areas around ATMs. When the predefined number of people is exceeded, an alarm will be activated. Another example is the generation of alarms when people loiter around ATMs. Tailgating alarms will be activated when two people enter an access point, such as a man-trap cubicle, which is meant for one person only or when a person stands too close to another person at an ATM.
Other alarms include ones for camera tampering; when a person stands still for too long; when an object has been classified as too large, for example a shopping trolley entering the banking hall; or abandoned objects at ATMs or in banking halls.
Another suggestion Lawler makes is the replacement of under-counter panic buttons with a panic button that is concealed on the bank employee. This could be an inconspicuous pendant on a chain around their neck. By making the action of activating the panic button as unobtrusive as possible, the likelihood of the employee being harmed by the armed robber is greatly reduced.
A good security solution should be proactively corrective and convergence aided. By creating one system that manages both physical and logical security, banks will be able to streamline workflow, save money, leverage client-specific elements, and provide a unified network policy which will help to gather status information without the need to be physically present in the bank. This will improve user access and will solve any privacy concerns, since it will be customised. As mindsets change around security being merely a cost centre, banks are realising that integrated security can indeed provide a return on investment.