Transition Times for Bank and Financial Services Security
By Bill Zalud
So you want to rob a bank; not saying you should, but... the “best” day is Friday, and the best time is between 9 and 11 a.m. So set your cellphone to an early wake-up call. Concentrate on a branch in a commercial section of the city. Go up to the teller counter and say your threat or hand over a note. Avoid an act of violence; only three percent of incidents of robbery, burglaries and larcenies resulted in violence in 2014. By the way, vastly more perpetrators are killed in a bank robbery compared to customers or employees.
It’s a hardscrabble life as a bank robber.
So it’s not surprising that there is a shift by bank and financial service firm security executives from physical robbery risks (3,961 incidents in 2014 – very low and continuing to fall) to fraud, more sophisticated ATM incidents such as skimming and cybersecurity disruptions, identity theft and wholesale money transfers. Want to rob a bank? Stay at home even if your home is in St. Petersburg, Russia.
Security technology likewise is transitioning. Back in the day, retail banking first used still cameras, and film had to be sent elsewhere for developing while FBI agents, local law enforcement and bank security waited. Nowadays, there are video cameras as banks and financial service firms transition from analog to network video and even to high definition when it makes business sense. Video technology is playing a greater role for security and beyond with in-the-cloud applications, analytics for better operations and to handle high-end customers and a personalized banking experience.
From Bank Safes to Integrated Security
If any integrator and service provider knows banking and security, it’s Diebold, established in 1859 first with safes, vault doors and later even the first robber deterrent system that flooded a bank lobby with tear gas, causing bandits to flee. The company transformed through the years into a total solutions company with obvious strength in ATMs as well as designing in bank security technology and providing central monitoring. It recently acquired Phoenix Interactive Design, which pioneered many of the banking industry’s most dramatic innovations such as independent multi-vendor ATM software, server-based ATMs, deposit automation, personalization and retail branch banking transformation.
And, according to Jeremy Brecher, vice president technology, electronic security at Diebold, transformation of retail banking is impacting the ways banks and financial institutions view security of their facilities and networks. Banks are, after all, businesses with a sharp eye to the bottom line. Banks and their branches are seeing value in automating more customer services, with fewer tellers and more sales people, while still maintaining security, regulatory and compliance needs, he says.
At the same time, security technology continues to transform. Not too long ago, for example, banks used still cameras to capture images of robbers. The film would be sent to Diebold or others for developing for law enforcement use – not the quickest of processes. And when banks first moved to video cameras, the FBI was none too pleased with the lack of quality of the images.
Shift to today, and, says Brecher, there is a standardization of cameras, remote site viewing of them, extended storage, more advanced video applications and migration [from analog] to IP video. He adds that IP video in banking is a slow but sure process. The end game: high-definition security video, instant sharing of video, and images useful on the business side as well as for security. Especially with bank emphasis on customer service, video can provide online-accessible information concerning better handling of queues, training and other operational needs. There is also license plate recognition for drive-ups and to better and more quickly serve top banking customers, says Brecher.
But bank use of video, especially in branches, can prove tricky. It’s a matter of lighting at times, more open layouts, large glass windows, for instance, says Brecher.
More Out of Panels
Concerning intrusion detection and access controls, it’s also a matter of change. Banks look to get more capabilities out of their panels related to risk mitigation as well as return on investment. It’s also important to keep a low-cost profile, says Linda Birnbaum, business development manager at Honeywell Security Group. Since late 2014, Diebold has made Honeywell’s Pro-Watch enterprise security management solution available to its customers to protect people, secure assets and ensure regulatory compliance by combining access control, digital video, intrusion and other functions into one seamless system.
Of course, backing up retail bank branches are headquarters facilities, distribution and call centers where electronic card access controls are more typical. No doubt, however, “the majority of banks still use keys” for access into their branches, says Brecher, who points out there is a shift to electronic access controls and even wireless solutions. Adds Birnbaum, emerging are innovative uses of sensors to leverage more out of panels and more remote applications to assist branch managers.
While people may think bank branches are popping up all over, as of mid-2014, there were 94,725 bank branches in the United States, according to the Federal Deposit Insurance Corporation. That was the lowest reported figure since 2005, as banks have been closing branches across the U.S. in recent years.
Still, there are many banks with a truly massive, nationwide presence. The 10 banks with the most branches together accounted for almost one-third of all locations in the U.S. Wells Fargo leads the nation, with 6,314 branches. JPMorgan Chase and Bank of America also have more than 5,000 branches each.
There is slight growth in branches. It’s a matter of portfolio management as banks transition to fully functional ATMs with fewer tellers. They are testing new concepts. But security still has to be an integrated function, says Brecher, who emphasizes collaborative innovation and new solutions through collaboration with manufacturers such as Honeywell and integrators like Diebold to work more closely with their bank and financial institution customers.
Specific to automated teller machines, according to the National ATM Council, there are approximately 425,000 ATMs in the U.S. from financial institutions and independent ATM deployers. According to recent Federal Reserve Bank statistics, consumers made 5.8 billion ATM withdrawals totaling $687 billion in value. So security is critical. There is physical security, including embedded cameras as well as seismic and heat sensors. In high risk locations, there may even be GPS, says Brecher.
More Diversity of Risks
When viewing the big picture, there is a growing diversity of risks through more unmanned services, ATMs with more cash, branches with more open formats with fewer tellers. Video verification plays a greater role. And there is more emphasis on mitigating fraud as compared to robberies. Brecher also predicts more specialized camera apps, more remote viewing and in-the-cloud uses.
Doug Johnson, senior vice president, payments and cybersecurity policy at the American Bankers Association (ABA), also sees more automation and more complexity, which translates into diverse and critical security strategies. There still is emphasis on robbery deterrence but there is a growing need for “utilization of existing and new skill sets” for security as it uses different approaches to different risks, comments Johnson. In this transitioning bank world, while not completely cashless, automation means that some robbers can’t find the teller line and turn around and leave. However, there are more customer fraud attempts at teller windows and, according to ABA’s Johnson, vastly more electronic fraud incidents.
Such electronic crimes are premeditated and often very sophisticated. With skimming, there needs to be physical security and more monitoring of ATMs. It calls for a higher level of integration between security and fraud prevention with dotted line responsibility and beyond. It’s important to clarify the roles of the different groups, advises Johnson.
When it comes to video, especially in branches, the ABA executive sees a healthy ongoing transition to higher definition cameras and even to fewer cameras but capturing higher resolution, wider view images so that bank security and law enforcement can zoom in with greater clarity.
There is a migration to IP, agrees Matt Frowert, director of marketing for financial services and government at Tyco Integrated Security. However, most big banks are on multi-year planning cycles, so it will take time to transition from analog. High-definition cameras do have an attraction in post incident investigations and prosecutions, he points out. In addition, there is a bottom line savings with fewer cameras but more clarity and coverage.
Concerning the “branch of the future,” Frowert believes bank security has the opportunity to start fresh as a “universal banker” emerges who has more and diverse things to do. Simplify: for example, automate openings and closings, he says. Special time zones can be established for vendor partners to allow them into a facility or part of a facility. He adds that analytics can be applied to enhance the customer experience. There will be significant growth in identity management internally and externally. For high-value customers interacting on the phone, the future may be authentication through voice recognition, as one example.
When it comes to ATMs, there are anti-skimming solutions, but also helpful are risk reviews per individual location. It’s important to meet lighting level standards as well as such details as trees or bushes around a location.
Cybersecurity is another kettle of fish. “You have to consider connectivity, especially not to needlessly connect,” ABA’s Johnson says. “Enhanced visibility through regulatory cybersecurity audits. You have to also more closely manage third party risks.”
Better Protection Inside Cards
Concerning use of ATMs, credit and debit cards, Johnson believes one solution is the EMV chip transaction at point of sale. It’s more difficult to clone an EMV chip card.
EMV, which stands for Europay, MasterCard and Visa, is a global standard for cards equipped with computer chips and the technology used to authenticate chip card transactions. In the wake of numerous large-scale data breaches and increasing rates of counterfeit card fraud, U.S. card issuers are slowly but surely migrating to this new technology to protect consumers and reduce the costs of fraud. Approximately 120 million Americans have already received an EMV chip card and that number is projected to reach nearly 600 million by the end of 2015, according to Smart Card Alliance estimates.
“It will always be a constant case of playing some catch up” with fraudsters and cyber criminals, says the ABA executive. The bad folks spend all their time on their efforts while banks and financial services firms must do other things to handle their businesses. The bottom line: “Perpetually look at risks; make it a dynamic process. Vulnerabilities are in the humans. They need to understand the culture within organizations” to understand, appreciate and anticipate risks, Johnson contends.
On the cyber side, banks, credit card companies, corporations and government agencies are coming together to better collaborate concerning threats and prevention strategies. One example: The Apollo Education Group, the University of Phoenix and STEMconnector recently hosted the National STEM Forum on Security Risks and Emerging Workforce Solutions Roundtable at the National Press Club in Washington, D.C. National security experts discussed the lack of qualified security professionals to sufficiently meet industry demands and how to provide concrete resolutions to meet and overcome this workplace gap.
“The security industry is rapidly changing and the skill sets necessary to safeguard businesses, government agencies and individuals are changing along with it,” says Major General James “Spider” Marks, executive dean, University of Phoenix College of Security and Criminal Justice. “In order to arm today’s security professionals with the tools and education they need to succeed, we need to come together to identify market needs and match them to the education we are offering those in the industry.”
A Proactive Approach
Adds John Ferranti, University of Phoenix program dean for physical and cyber security management: “The roundtable was a success. People from all different sectors attended. Cybercrimes can damage a brand as well as customers. But we are seeing a more proactive approach,” he says. “Banks are critical infrastructure. There is an interesting dynamic. Rob a bank, and you get $1,000 if you’re lucky. Chances are that the bank robber will be caught. With cybercrimes, (chances of) being caught are slim; prosecutions are very slim to nothing.”
Ferranti thinks chief security officers and chief information security officers are crucial as they communicate effectively. It’s time to “think ahead of what might happen.” The University of Phoenix dean predicts that there will be more than 32,000 jobs in top security management positions and risk managers with 13 percent annual growth in the near term.
Charles Andrews, with Butchko Inc., a security firm and ASIS regional vice president in Texas, agrees that one of the greatest bank security challenges is cybercrime with “criminals so sophisticated.” He also agrees with ABA’s Johnson when he suggests that human beings are the greatest security challenge but adds that the C-suite may still not understand the extent of the diverse risks. “We live in the world of the [security] breach. There are shifting sands.”
Michael Neugebauer, director and vice president safety and physical security manager at Fifth Third Bank of Cincinnati and chair of the ASIS International Banking & Financial Services Council, agrees with the FBI and the ABA. “Robberies are trending down. Skimming is peaking. But there are challenges with crimes just outside of banks and branches and lighting around ATMs and branches, too.” Neugebauer, as well as many other bank security executives, has a mix of analog and IP video in his organization yet sees it easier to get funding “by sharing such as use of video to detect a water leak or snow that needs shoveling.”
Transition to Electronic Access Control
While many bank branches still use keys for the doors, Neugebauer sees a transition to card access control for “protection of customer information and the audit trail that access control allows which makes a business case” for switching to electronic access control.
At conferences and networking among bank executives, one major topic is the “branch of the future,” says Larry Brown, senior vice president, risk management at First Citizen’s Bancshares, the bank holding company based in Raleigh, North Carolina. Brown is also a member of the ASIS International Banking & Financial Services Council as well as being involved with the ABA. “Things continue to evolve over time,” he says, pointing out the over-arching importance of knowing when and where security can add value to the enterprise. “Act as a trusted advisor” while understanding and working with internal and external players.
Brown matches others when seeing the migration to IP video and the business benefit of audit control when it comes to electronic access control over keys. “And you don’t have the expense of replacing keys constantly,” he adds. The First Citizen’s Bank executive also uses security officers. “We have used different companies in the past, but AlliedBarton is the best. It’s important because, often, the security officer is the first impression” that customers have of a facility.
To complement the bank’s culture and its focus on customers, officers wear blazers, ties and slacks. “It’s important to have a professional look,” Brown says. Overall, he believes that it is as important for security professionals to know their company’s business as it is to know security technologies and risk management issues.
By the way, the ASIS Council brings together banking and financial services security executives monthly for a sharing and networking dialog. “We discuss physical security countermeasures with a full flow of information, and we have worked closely with organizations such as the ABA,” adds Neugebauer.
According to Stanley Security Solutions’ Chief Technology Officer Bob Stockwell, the transition to IP video is more profound today in banking and financial services. There is migration from standalone DVRs to NVRs, too. He comments that technology is also used at mortgage operations and in specialty needs to protect safe deposit box areas. He is seeing use of facial recognition, going keyless at branches and mobile credentialing through near field communications or Bluetooth.
Stockwell adds that panels now can handle access through partitioning and there is growing use of fingerprint and iris biometrics for customers’ convenience as well as for worker security in backrooms and bank headquarters. There are also after-hours workers who can cause false alarms. With mobile or monitored video, you can dial in and determine if there is a threat as well as reset the alarms remotely, lock doors and turn off lights, Stockwell says. There is growth in private banks, he observes, and technology is responding by recognizing special high net-worth customers.
SIDEBAR: Federal Cyber Uncertainty
The Federal Reserve Bank, the U.S. Departments of the Treasury and Commerce all play a significant role in banking and financial services and their health. So it is troubling that the Federal government is vulnerable after all the breaches and headlines. Recently, it was revealed that the Russian government scooped up unclassified emails from the White House.
MeriTalk, a public-private partnership focused on improving the outcomes of government IT, has a shocking new report, “Federal Cyber Uncertainty – KVM XYZ,” underwritten by Belkin Government. The number of incidents reported by Federal agencies to the Federal information security incident center has increased nearly 680 percent in the past six years. To defend against increasing threats, agencies must comply with various cybersecurity mandates – CDM, FISMA, HSPD-12, TIC – that often fail to take the user experience into account. As agencies look for ways to enable productivity while ensuring air-tight seals between networks, protecting from both internal and external threats, keyboard-video-mouse or KVM switching devices may be the answer, the report contends.
SIDEBAR: A Money and Time Saving Upgrade to Cut Fraud
With limited staff and video that was difficult to search without watching in real time, Tom Southern, risk management officer for Harborstone Credit Union, Tacoma, Washington, needed a video solution that would help to reduce investigation times, solve crimes and automate several IT management functions as fundamental as ensuring accurate tracking of time for all DVRs across the enterprise.
In less than two months, Harborstone fully deployed its branches with upgraded technology [3VR’s P-Series appliance enterprise servers] to manage cameras across the bank’s 12 branch locations. In addition, Harborstone has been an active participant within the CrimeDex network. CrimeDex is an online network leveraged by thousands of fraud, loss prevention and law enforcement professionals collaborating to prevent fraud, shoplifting, organized retail crime and other white collar crimes. It allows professionals to share, search and leverage relevant information on criminals between businesses and law enforcement.
The approach helped Southern solve several issues he had faced in the past, including challenges in synchronizing accurate time for cameras and DVRs across the enterprise, lengthy investigation times that burdened his staff with large caseloads, the slow retrieval of video and video quality issues that limited Harborstone’s ability to identify scammers and to provide evidence for conviction to authorities.
It all started when a person with a non-Harborstone credit card came into a branch and requested a $5,000 advance. The teller called the number on the back of the card for authorization, checked the person’s identification and believed that the transaction was legitimate. However, about a week later, Southern received a rejection notice from the credit card company, realizing that Harborstone was the victim of a scam artist.
The upgrade gave Southern the ability to remotely search video captured from cameras. As a result, Southern, with the time and location the fraud took place, was able to obtain video of the incident in less than an hour, something that could have taken days just a few months prior.
Harborstone plans to augment its current implementation with additional advanced video intelligence technologies to include:
- Transaction system integration to allow video search by ATM or teller transaction number, in addition to event time.
- Facial recognition to provide real-time alerts across the Harborstone enterprise and proactively prevent scammers from casing multiple branch locations.
- License plate recognition to monitor drive up ATM locations.
SIDEBAR: Don’t Listen to This Guy, But…
Author Wes Kussmaul in his recent book Don’t Get Norteled says that C-suite executives need to hear about security from sources other than “security experts,” whose methods have utterly failed their companies, he contends.
Kussmaul claims that “almost all information security technology depends upon the ability to determine the intentions and character of the sender of a stream of bits. Isn’t that like asking your building’s lobby receptionist to determine the intentions and character of everyone who walks through the door? Doesn’t your common sense tell you that’s impossible?
“Instead, your receptionist asks for ID, establishing who’s accountable for what happens while the visitor is in the building. That’s much more effective than trying to guess whether they’re friend or foe, good guy or bad.”
Kussmaul further asserts that security tools built upon flawed friend-or-foe assumptions are ineffective, and top management is starting to sense the problem.