It is almost a year since Hi-Tech Security Solutions published an article on security risks and mitigations in the financial sector. We revisited this industry to see if anything has changed.
Kevin Twiname, head of the Violent Crime Office at SABRIC (South African Banking Risk Information Centre), said that the predominant risk presented in the financial sector with regard to violent attacks is in the conveyance of cash. “This is specifically prevalent with small to medium sized businesses when they are transporting cash either from or to the bank. The volume of crimes committed in this way is of major concern to both SABRIC and the SAPS.
“We would like to encourage the individual client and such businesses to consider alternatives to carrying large amounts of cash. Banks are able to advise clients in this regard. However, we have not lost sight of the fact that ‘cash is king’; in such cases one may consider utilising the services of a commercial cash-in-transit company that professionally deals with the risk of carrying large sums of cash.”
Another area of continuing concern for SABRIC is ATM bombings. “The criminals involved are aggressive and extremely focused on getting the cash. They employ increasingly violent means of achieving their goals and show absolutely no respect for human life. In addition to the cost of human life is the cost of the physical damage incurred to ATMs, the surrounding buildings and the infrastructure,” said Twiname.
One light at the end of the tunnel is that both bank robberies and cash-in-transit robberies seem to be decreasing. As with any crime prevention drive, education of the public and businesses is vital to ensure success. Consumers of financial services need to be aware of the risks involved in carrying cash, of the need to secure their PIN code and of the necessity of being vigilant when withdrawing funds. The banks can guide consumers but they cannot force them to be compliant.
With the conversion of many older analogue CCTV systems to digital surveillance, the quality of recording has increased substantially. “This means that when footage is reviewed it is a credible link in the chain of evidence and may be used to prosecute criminals,” Twiname added.
Susan Potgieter, who heads up the Commercial Crime Office at SABRIC, agreed that education plays a primary role in reducing and curbing crime, especially in the online banking arena. “Phishing activity is still unreasonably high. However, by informing the public on an ongoing basis of phishing endeavours and by arming them with tools geared towards identifying malware and spyware, South Africa has moved from being the third most phished country in the world to fourth. This might not seem significant, but there is, in fact, a large gap between the two positions so we are making headway.”
Potgieter said that in April the banking institutions ran a TV ad on phishing for the first time in history. “The educational campaign is ongoing, but we still find people who naïvely click on hyperlinks in e-mails sent to them. In the past it was easy to identify the phishers because their grammar and spelling were poor and they often used substandard and inappropriate bank logos. Today, however, they have reached a fairly high level of imitation sophistication and it is often difficult to determine whether the e-mail is from your bank or not.”
A surefire way for consumers to verify the authenticity of an e-mail is to hover the mouse over the ‘click here’ button in the mail; the true URL that the link takes you to will then be displayed. This will very clearly identify if the website is actually that of FNB, Standard Bank, Absa or one of the other valid banking institutions. It is important to know that the sender’s name at the top of the mail is not always a true reflection of who actually sent the mail. If you go into your e-mail properties, details of the sender become visible in the e-mail header. “We encourage the public to forward phishing mails, together with the header information copied and pasted into the mail, to the bank that it purports to come from. All of the banks have dedicated e-mail addresses for the public to report phishing attacks. The e-mail address is: [email protected](your bank’s name).co.za.” Potgieter said that once the e-mail is received by the Phishing Centre the site is investigated and shut down.
“The banks are very proactive and constantly trawl the Internet looking for phishing sites and shutting them down before they can even pose a risk to the consumer. Obviously, though, some of them do manage to slip through the cracks and this is where public intervention and cooperation comes into play.”
Although FNB’s recent announcement that it has launched its FNB Banking Application (App) for smartphones and tablet devices in South Africa might seem like good news for owners of these devices, Phillip Gerber, technical director at Magix Security, cautions that this could provide criminals with yet another avenue for phishing.
“The amount of information with regard to phishing has increased as we are bombarded with press and publicity on how to identify and prevent hacking and phishing. This is a bit of a catch-22 situation as, in the banks’ efforts to educate the public on preventative measures, the criminal is also educated and simply devises more devious and sophisticated ways of collecting his booty,” said Gerber.
He added that organisations like SARS, with its eFiling facility, have become prey to the ongoing hacking. “In essence, the individual is now more aware and protected than ever before, and as a result businesses are now the prime target of the phishers, due to the complex nature of the banking platforms they use. Facilities such as bulk payments open the businesses to ongoing attacks and they have to find increasingly advanced ways of managing the risks.
“A focus on behavioural patterns is required. Banks and other organisations would do well to implement an automated customer behaviour monitoring platform that monitors activity patterns. An example would be where the majority of a customer’s transactions are conducted between 07:00 and 18:00 on weekdays, and any activity outside this time zone would be flagged and produce an automated alert to the consumer/customer care centre. This would also apply to unusually large transactions. The consumer/business would then be required to verify or reject the transaction,” said Gerber.
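A minimal version of the behaviour monitoring Gerber describes, as an added Python example that is not from the article or from any vendor's product: it learns a customer's usual days, hours and amounts from past transactions and returns the reasons a new transaction should be held for verification. The transaction history, the function names and the six-MAD threshold for "unusually large" are assumptions.

```python
from datetime import datetime
from statistics import median

def build_profile(history):
    """Learn a customer's usual activity from past (timestamp, amount) pairs."""
    hours = sorted(ts.hour for ts, _ in history)
    amounts = [amt for _, amt in history]
    med = median(amounts)
    # Median absolute deviation: typical spread, robust to one-off outliers.
    mad = median(abs(a - med) for a in amounts) or 1.0
    return {
        "first_hour": hours[0],                       # earliest hour seen
        "last_hour": hours[-1],                       # latest hour seen
        "days": {ts.weekday() for ts, _ in history},  # 0 = Monday .. 6 = Sunday
        "amount_limit": med + 6 * mad,                # assumed "unusually large" cut-off
    }

def review(profile, ts, amount):
    """Return the reasons to hold a transaction; an empty list means allow."""
    reasons = []
    if ts.weekday() not in profile["days"]:
        reasons.append("unusual day")
    if not profile["first_hour"] <= ts.hour <= profile["last_hour"]:
        reasons.append("unusual time")
    if amount > profile["amount_limit"]:
        reasons.append("unusually large")
    return reasons

# Constructed history: weekday activity between 07:00 and 18:00, as in the text.
HISTORY = [(datetime(2011, 7, d, h, 15), amt) for d, h, amt in [
    (4, 7, 1200.0), (5, 9, 950.0), (6, 12, 1500.0), (7, 15, 1100.0),
    (8, 17, 1300.0), (11, 8, 1000.0), (12, 11, 1250.0), (13, 16, 900.0),
]]
PROFILE = build_profile(HISTORY)

def demo():
    normal = review(PROFILE, datetime(2011, 7, 14, 10, 0), 1400.0)
    late = review(PROFILE, datetime(2011, 7, 15, 20, 0), 800.0)
    weekend = review(PROFILE, datetime(2011, 7, 16, 2, 30), 25000.0)
    return normal, late, weekend
```

Any non-empty result would trigger the alert to the customer or care centre, who then verifies or rejects the transaction. With a short history the earliest and latest hours seen make a brittle window, so a production system would use a longer baseline and percentiles.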
Another trend which is gaining momentum is credential theft through keylogging. “Syndicates are targeting both individuals and businesses with keylogging hardware and software. They will either install the device/program onto a workstation themselves or coerce an employee/colleague to do so. The keylogger then records keystrokes, allowing outsiders immediate access to usernames, passwords and important intellectual property by simply downloading the captured data onto their own system,” said Gerber.
The keyloggers are very unobtrusive, with the hardware version plugging into a USB port on the back of the PC and being virtually invisible unless one is looking for it. Gerber said that the challenge is to make organisations understand that nothing is completely tamper- or fool-proof. “We need to make it as difficult as possible for criminals in terms of both internal and external threats. We therefore advocate providing organisations with the tools and knowledge to mitigate against this risk and assist them in identifying from where the threats emanate.”
Bridging the gap
COO of IBSS (Ideco), Marius Coetzee, said that criminals use the weaknesses of organisations on a cyber level to enter the breach and steal intellectual property and funds. “When you consider that an organisation like RSA, a premier provider of security, risk and compliance solutions which purportedly ‘helps the world’s leading organisations succeed by solving their most complex and sensitive security challenges, including managing organisational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments’ was recently the victim of an extremely sophisticated cyber attack, you realise that nobody is exempt from cyber assault.”
Coetzee said that Ideco subscribes to the three ‘Ps’ in risk mitigation – property (physical and intellectual); processes (authorisations etc) and people. “On the physical level biometrics will manage ‘who’ is ‘where’, ‘when’ and ‘why’. The rules of access will then be defined based on time, zones and class for instance. We are seeing some interesting applications in cyber-security for the financial sector. We advocate identification as a business tool. This identifies who the person actually is, based on their fingerprint, and what rights they have within certain zones.
“Cybercrime is typically internal and in the case of password and PIN code theft can be achieved either with or without the knowledge of the authorised holder. However, in the former case, this is hard to prove and often companies can only apply reasonable doubt to the scenario. As a result, we envisage a gradual move from cards and other forms of accessing accounts to a biometric mode of account access. The security chain will therefore start with a password or PIN and end with a biometric sign-off.”
Trials are currently underway in which the system requires personal details (through FICA, for instance) and fingerprints of one or two fingers on each hand. “Once the Department of Home Affairs’ database is complete, we will then be able to verify the authenticity of a person based on these parameters. In future ATMs and POS (point of sale) will have some form of biometrics as fingerprints, iris or facial recognition, or in a multimodal approach.”
Coetzee is enthusiastic about the advantages of biometrics as a security measure in financial risk mitigation. “Apart from identity verification against internal and national registers, it provides non-repudiable evidence in criminal investigation procedures.”
The importance of integration
According to Bosch Security Systems’ three divisional product managers – Elaine O’Gorman, Colin Kahn and Jaco Liebetrau – the trend is definitely towards seamless integrated security solutions.
O’Gorman said that they have seen an increased demand for controlled evacuation systems which react to fire and explosion detection and notify bank visitors accordingly. “An estimated 80% of the people in a bank at any given moment are visitors and are therefore not familiar with evacuation procedures and routes. By automatically linking a public address system – that gives the public precise instructions on evacuation – to the fire, gas and explosion detection system, it reduces the sense of panic that naturally sets in when a threatening situation is perceived.”
Kahn said that the requirements for fire/gas/explosion detection systems vary according to the physical size of the bank. “Facilities like multibuilding head office parks would naturally have more extensive needs than your smaller banking facilities, so the system is tailored to accommodate varying parameters such as sophistication, application and physical coverage. Generally, standalone bank buildings would specify and order their own systems whereas banks situated inside other buildings and malls would be governed by and catered for by the building/mall owners, with some extras added on when agreed to by both parties.”
Kahn decried the fact that although fire detection installations are governed by regulations that are in accordance with current building management regulations, many suppliers and installers do not adhere to these regulations. “It is contingent upon the South African security industry to start coming to the party to ensure the safety of the general public and bank employees.”
Kahn added that in the larger facilities access control becomes a critical factor. “With an increased number of people entering the larger banks there is a need for more sophisticated and intelligent integrated systems that will not only monitor risk but will in fact predict it and institute the required measures to automatically manage access control. In these instances where a higher level of sophistication takes precedence, the most obvious choice is biometrics. This then takes the form of proactive security and prevents unwanted/unauthorised people entering and/or leaving the facility.” Kahn cited mantraps and anti-passback systems as examples of the growing level of technological demand by financial institutions.
Other technology that Kahn points out as being of growing importance to customers is the use of advanced detection systems geared around detecting possible forceful intrusions. These systems would then be responsible for alerting security personnel as well as deploying preventative measures to ensure the situation is contained as quickly and easily as possible. “There is a wide variety of elements that can be proactively measured and detected, including seismic events (blasts and jackhammer activity) as well as infrared for movement.
“In instances where there is a great deal of sensitivity to gas, such as in IT rooms, we are seeing gas suppression systems being installed. This would be particularly relevant to the financial sector where the security of IT infrastructure is critical.”
With regard to the protection of bank vaults, Liebetrau said that Underwriters Laboratories (UL) classification will determine the insurance risk, which in turn determines the level of fire security required. “Typically one could use the more sensitive smoke and combustible gas detectors in vaults, together with aspiration detectors.”
Liebetrau pointed out that Bosch’s biggest client in the banking arena is the regionalised cash counting centres. “This includes both singular bank counting facilities as well as collective counting facilities and the focus is on the monitoring of staff handling the money. One finds rows of dome cameras mounted at 1 metre intervals. In this way there is complete overlap of surveillance to ensure that the counting area is completely covered. High-quality footage is the norm since sleight of hand can often be hard to see if the recording quality is not adequate.”
Liebetrau added that while Bosch has communicated with the banking institutions regarding monitoring of ATMs, the network connections required because of the variable location are quite extreme. “We have our own patented IVA (intelligent video analysis) system which, amongst other capabilities, detects idle/removed objects, loitering and line-crossing. When configured in the correct manner, this can be extremely useful to intelligently detect risky behavioural patterns at ATMs.”
Barry Kasselman, technical support and design engineer at Schneider Electric, agrees that high-resolution video images will provide strong evidentiary support and also allow security personnel to react proactively to threatening situations. The Pelco Analytics Suite comes standard with Sarix Extended Platform Series CCTV cameras and generates an alarm when specific scenarios are perceived as breaching specific predefined parameters. These include safe zones, object removal, abandoned objects, loitering etc. “In addition, we also utilise third party analytics-specific software from ObjectVideo for those customers who want the highest level of video analytics.”
© Technews Publishing (Pty) Ltd | All Rights Reserved