Kevin Twiname, head of the Violent Crime Office at SABRIC (South African Banking Risk Information Centre), says his department deals regularly with financial institutions with regard to violent crime associated with bank robberies, burglaries, ATM-related crime, and follow-home crimes. The area where banks have the most control to monitor, detect and prevent crime is within the actual banking environment. Limited security measures have also been instituted to prevent the removal (through the use of explosives) of cash from an ATM.
With regard to ATM robberies, the bank will assist in investigating the fraudulent removal of funds from a customer’s account. “Customers are however urged to always protect themselves and their personal information from fraudsters at the ATM. CCTV surveillance, where available, may often pinpoint perpetrators and footage may also assist and be used in subsequent criminal proceedings following an incident. Follow-home crimes are unfortunately sometimes beyond the scope of the bank’s security systems but once again could provide some assistance in cases where an alleged criminal is captured on a CCTV closely observing the activities of a bank customer withdrawing funds,” Twiname explains.
He says that the financial institutions constantly review their processes and procedures with regard to their security measures in ways that the public is not always aware of. “We have seen a decline in bank related violent crime if we compare recent statistics with those of 2008. This is attributable to a combination of factors, including improved electronic equipment, an increase in the number of arrests and an improvement in the attitude towards proactive security.”
Kevin Monk, technical director at Bidvest Magnum Technology, which incorporates Provicom Risk Solutions, says that with regard to in-bank monitoring, detection and preventative security measures, the company typically provides integrated turnkey solutions that include the manpower (guards), the electronics equipment (alarms and CCTV) and an off-site control room.
“Starting with the guard who is situated inside the bank, we would typically provide him with an Active Guard and RFID (radio frequency identification) access card which is pre-programmed to identify his area of operation and works on a time control basis. Should he leave his immediate working area, an alert would be sent to the off-site control room and appropriate action would be taken,” Monk says. “At this stage manual intervention could be instituted from the control room or we could programme the system for the CCTV cameras to automatically take over the monitoring of the guard’s surveillance area until he returns to duty.”
Monk adds that the Active Guard allows guards to communicate with the control room via the touch of a button and sends all button data back to the control room immediately and directly in real-time using GPRS/GSM data transmission. “Active Guard’s functionality allows immediate notification to the control room in case of emergency and speeds up intervention, which tremendously improves security of both property and people.”
Other features include video verification, monitoring of alarm systems, and opening and closing signals.
He says typically, the CCTV cameras link into the control room and the off-site software monitors any problems with the cameras. “If a camera goes offline for any reason, a visible and audible alarm is sent and the customer is notified either by phone or with an automated SMS or e-mail. The system is also programmed to examine hard drive and monitor performance and if this goes below certain parameters, an alert is sent to the control room.”
A major concern for the banks is the possibility of collusion between guards and criminals. “We have determined that the majority of incidents take place when a guard leaves his post. By being able to monitor the guard’s activities on a camera, we are able to proactively identify problematic scenarios,” Monk notes.
When it comes to ATM robbery incidents, most of these crimes are opportunistic, according to Monk. Criminals mark soft targets then persuade them to divulge their password or PIN number and in this way defraud them of their money. “It may sound obvious, but ATM users need to be vigilant at all times and if they suspect they are being targeted for a hit they should leave the ATM immediately.”
A crime which may not threaten human life directly but which has a huge negative impact on banks is the rigging of ATMs with explosive devices. “These criminals are well versed in explosive technology and plan their crimes with military precision, ensuring that the detonation will blow up the ATM without damaging the cash,” Monk says. “Various methods could be employed as a deterrent to these crimes. For many years we have used remotely activated pepper spray dispensers to temporarily disable criminals. In essence, one would fit a pepper spray dispenser to an ATM and if CCTV cameras installed at the ATM picked up suspicious behaviour, for example the rigging of an explosive device, the control room operator could remotely activate the pepper spray until an armed response unit can reach the scene.”
Twiname adds that the financial institutions are required to comply with certain regulations with respect to security. “With regard to the prosecution of criminals, the Criminal Procedure Act comes into play. Unfortunately, there is no law governing standards with regard to the quality levels or specifications of surveillance equipment, so customers need to use discretion when purchasing systems. Obviously, we acknowledge that if all banks were to invest in high quality security systems this would lead to a better chance of prosecution of criminals.”
Susan Potgieter, who heads up the Commercial Crime Office at SABRIC, says there is a huge emphasis on information security and optimising state-of-the-art technology within the online banking space. “We instituted an awareness campaign in conjunction with our members to bring important information to online banking customers regarding safe online banking.” The resulting 40-second infomercial features the heads of online banking at the various member institutions sharing their input on the dangers of phishing and other online banking crimes.
Lee-Anne Van Zyl, CEO for FNB’s online banking division, says it is important for customers to be aware of current and imminent security threats. “Criminals are becoming more sophisticated in their approach to defrauding funds and it is crucial that customers who use online banking are armed with the knowledge to counter these attacks. It is our duty, as a financial services provider, to educate our customers and to give them the tools they need to prevent online funds theft.”
Acting Head of Online Banking at Nedbank, Brett Kinmont, adds that his group undertakes regular surveys with its customer base to both ascertain what their current level of risk knowledge is and to provide its customers with a high level of confidence that their money is safe because of high-tech anti-theft measures.
Kinmont says Nedbank’s online banking has evolved over the past several years and currently utilises both a two-factor authentication process, as well as the Rapport browser security software from Trusteer. “The two-factor authentication process means that if an online banking customer wishes to initiate a sensitive transaction they would need to provide information derived from another source in order to acquire the necessary authorisation. The customer would enter his/her username, password and PIN on the online banking site then, before performing a sensitive transaction (once-off third party payments, pre-paids and adding a new beneficiary) an SMS containing a one-time pin code (OTP) would be sent to his/her cellphone. Only after entering this OTP can the user proceed with the transaction.”
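The step-up check described above can be sketched server-side as follows. This is an added example, not code from the article or from any bank named in it; the transaction-type labels, the five-minute validity window, the three-attempt limit and the `send_sms` callable are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# The sensitive transaction types the article lists (label names are hypothetical).
SENSITIVE = {"once_off_payment", "prepaid_purchase", "add_beneficiary"}
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed retry limit


class StepUpAuth:
    """Issues and checks one-time PINs bound to a single pending transaction."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, text); the SMS gateway is assumed
        self._clock = clock
        self._pending = {}          # txn_id -> [otp_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(txn_id, otp):
        # Keep only a hash tied to the transaction id, never the OTP itself.
        return hashlib.sha256(f"{txn_id}:{otp}".encode()).digest()

    def begin(self, txn_id, txn_type, phone):
        """Return True if an OTP was sent, False if the transaction needs none."""
        if txn_type not in SENSITIVE:
            return False
        otp = f"{secrets.randbelow(10**6):06d}"   # drawn from the OS CSPRNG
        self._pending[txn_id] = [self._digest(txn_id, otp),
                                 self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your OTP is {otp}")
        return True

    def confirm(self, txn_id, otp):
        """Return True exactly once: right OTP, right transaction, still in time."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        if self._clock() > entry[1]:
            del self._pending[txn_id]             # expired codes are discarded
            return False
        entry[2] -= 1
        if hmac.compare_digest(entry[0], self._digest(txn_id, otp)):
            del self._pending[txn_id]             # single use: a replay finds nothing
            return True
        if entry[2] == 0:
            del self._pending[txn_id]             # lock out after repeated wrong guesses
        return False
```

Binding the code to one transaction id means an OTP captured for one payment cannot authorise a different one, and the attempt limit keeps a six-digit code from being guessed by brute force.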
Itumeleng Monale, director of Self Service Banking at Standard Bank, notes that the bank has knowledge of at least 3700 phishing sites and the numbers grow daily. “Phishing attacks are cyclical, with hackers targeting an individual aggressively over a two or three week period with a bombardment of phishing e-mails. However, while phishing will continue to play a huge role in our online banking security drive, it is now being superseded in the deviousness of its attack by malware and spyware.”
Van Zyl agrees, but adds that financial institutions need to take a layered approach to their security methodologies. “An analogy would be home security. You start with the electric fence and automated gate, add a couple of guard dogs, fit burglar bars or security gates on all openings on the house, and install an armed response alarm system. Likewise, with online banking, there is not just one silver bullet. We need to try and stay two steps ahead of these wily criminals.”
Global awareness of online banking security threats, together with pressure brought to bear by the Electronic Communications Act, has led to the development of a number of software packages which address not only phishing, but which also prevent spyware or malware from attacking a customer’s CPU. Both Nedbank and Standard Bank have adopted Rapport from Trusteer while FNB has gone the Prevx SafeOnline route. Both software downloads are available free of charge to banking customers once they have officially logged into their online banking account.
When you connect to your bank online, Rapport does three main things in the background to make it extremely difficult for criminals to target you:
* Rapport verifies that you are really connected to the bank’s genuine website as opposed to a fake website created by criminals. Although this sounds trivial, it is not obvious that you reach a genuine website when you type your bank’s address into your Web browser.
* Once verification is complete, Rapport locks down communication between your computer and the bank’s website. This prevents criminals from hijacking your online connection with the bank.
* Rapport protects your computer and Internet connection by creating a tunnel for safe communication with your bank, preventing criminals from using malware to steal your log-in data and tamper with transactions.
“Malware designed to steal a user’s confidential banking information may be embedded in unsolicited e-mail, such as an invitation to upgrade a program such as Adobe Acrobat Reader, and may be triggered by simply opening an e-mail. In addition, malware may also be hidden on websites,” Van Zyl says. “While certain banking security systems offer protection only while logged onto an online banking site, Prevx SafeOnline constantly monitors and protects user information on all websites from being stolen by phishing or malware. The software can also determine if the user has logged onto a hoax banking site used for phishing.”
Monale says that by the end of July 2010 at least 35% of Standard Bank’s online banking customers had taken advantage of the free Rapport download. “We have estimated that, together with our anti-phishing campaign, these security measures have prevented R24,5 million in losses.”
Customers must consider both Rapport and Prevx SafeOnline as enhancements to their current anti-virus software. “We recommend that customers retain their own anti-virus software, but that they also download this free anti-phishing/malware software on each of the work-stations that they access the internet from,” Kinmont says.
Education a priority
Van Zyl says that education of customers is a major priority. “We can never rest on our laurels and we always have to assume that not all of our customers are as online banking smart as we would like them to be. A classic example is the fact that many customers use the same password and username on at least 90% of their sites that require these details. We urge them to have different user names and passwords for each site, no matter how onerous this may sound.”
Kinmont has a list of tips for customers to ease the security risk of online banking:
1) Download the free anti-phishing software. “You will know it is authenticated software as you will first need to log into your online banking account before you can do the download.”
2) Banks will never require you to log into your banking account via an e-mail link.
3) Once you have downloaded the software, you are encouraged to access your online banking account at least once a month to allow software updates to download and to scan the system.
4) Keep your computer safe by doing software upgrades to defend against vulnerabilities. “Microsoft offers automatic upgrades and while they may seem to be large, there are often very important patches which decrease your vulnerability.”
5) Do not conduct Internet banking activities in an Internet café or on a public system. “You just do not know who has been using the system before you and therefore you do not know if it contains spyware or malware.”
6) Keep both your PIN and your password safe, as they are as important as your signature.
7) Log off and close down your browser when you are leaving your work-station, no matter how short the period of absence.
“It is contingent upon us to actively market anti-phishing measures to our customers and to proactively communicate any security threats to them on a regular basis. As responsible financial service providers we will all continue to find optimal ways of securing the funds of our valuable customers,” Monale concluded.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.