Rob banks of security threats

Banks are responsible for the security of countless personal, corporate and national assets, making them obvious targets. Conditions in today's economy unfortunately attract more unwanted attention to vaults and online transactions, and financial institutions are demanding more up-to-date security solutions and services that are closed in terms of protectability and yet open in terms of expandability. In this feature, a&s looks at modern security measures and protocols for valuable-handling establishments, discussing how various technologies should be deployed and integrated.

According to the FBI, there were 5,014 bank robberies reported in the U.S. alone in 2011. In 1,242 of the incidents, the use of a firearm was involved. In all, these acts of violence resulted in 30 people being taken hostage, 88 injuries and 13 deaths. During these incidents, more than US$38 million was taken, and only about $8 million or 21 percent was recovered and returned to the financial institutions. That is to say, the average loss after the recoveries was $5,952 per incident. What's wrong with this picture?

Of the incidents, video surveillance cameras were operational 97 percent of the time, and alarm systems were triggered 89.5 percent of the time. In spite of the security systems in place, a small percentage of the cameras (1.5 percent) and alarm systems (1.3 percent) did not properly capture footage or activate. Even more alarmingly, approximately 1 percent of the victim financial institutions did not have cameras, and another 1 percent did not even have an alarm system. “Those statistics tend to be downplayed,” according to one industry source. “On average, 20 percent of all cameras in large bank networks are not operational because management does not even check whether cameras are working, unless something comes up that requires going back to the video footage. Cameras may not be operational for a number of reasons: they might have been accidentally disconnected, moved due to maintenance or janitorial work, degraded due to normal wear and tear, maliciously sabotaged or simply covered by dirt or a spider's web.”

This year in particular, the banking sector has been hit with a great deal of fraud, from issues with ATM skimming to major hacking attacks. "Financial institutions and the banking industry at large are aggressively seeking more secure and effective ways to secure sensitive information and authenticate the identities of their customers to minimize exposure to fraud," observed Anthony Antolino, CMO at Eyelock. 
 
                                                                                                                           (Source: Frost & Sullivan)

Divide & Conquer
For better security, a holistic approach — both physical and logical — is often adopted by bank security managers and their trusted systems integrators. In practice, different areas or choke points of an establishment require different products or features to maximize security coverage and facilitate incident resolutions or investigations.

Entrance and ATMs
Most, if not all, banks are located in highly visible locales and are almost always encircled by glass, which allows full saturation of the sun's rays into the bank. While this may provide a pleasant environment for customers waiting in line, the possible image contrasts wreak havoc for surveillance cameras. Direct sunlight into the lenses virtually “blinds” cameras by washing captured images into a brilliant, undetectable white or shrouding them in darkness. Newly waxed or glossy flooring can also reflect unwelcomed light into the lenses.

Analog and IP cameras alike, those nasty shadows, glares, reflection and direct sunlight have always been the Achilles' heel of video surveillance; megapixel and HD cameras with their superior quality images exacerbate the problem. Image how easily such “evidence” can be thrown out of a court of law. For this reason, more and more countries have regulations that stipulate the use of WDR-enabled cameras for entrances and ATMs, in order to capture true footage that facilitates proper facial feature identification for prosecutions.

Many ATMs are equipped with two day/night cameras. One of the cameras (usually a vandal-proof dome) is clearly visible. In addition to being a crime deterrent, it is also used to capture a subject's face at a 1:1 ratio, undistorted. “This camera is positioned at a precise angle in order to capture a clear and unobstructed image of the user's face, and as it turns out this angle also captures a clear view of the number pad, so the password input process is also inadvertently captured,” said one industry executive. He recommended an easy and effective way to circumvent this — use one hand as a “shield” to cover the other hand while the password is being keyed in. He also indicated that some ATMs, by means of VCA, will issue an alarm when more than one person's face is present.

The second, hidden camera is used to provide wide-angle viewing. “It is preferred to replenish cash during regular business hours, as frequent foot traffic creates natural obstacles for potential perpetrators, thus minimizing threat of the operation,” said Jerry Feng, Head of Security and Investigative Services for Taiwan, Citibank.

Financial institutions are typically passive as opposed to proactive. Many banks tend to wait until they have been attacked with a skimmer before they take any type of action. Losses associated with skimming incidents have risen, and these skimming losses cost US banks about $1 billion annually. This averages to about $50,000 per incident, and this does not include expenses relating to investigation or affected customer notification efforts.

Ironically, many anti-skimming devices used by banks actually look very much like the skimming devices that criminals use. This is particularly worrisome to discerning customers. Newer anti-skimming kits, which consist of a small control panel installed inside the ATM, trigger an alarm that can generate audible and visual warnings on the control unit and screen when a skimming device is detected. In addition, newer kits, which can be integrated with a bank's alarm and video surveillance, also emit a magnetic pulse that prevents the skimming device from reading a cardholder's data and password.

Useful ATM Security Measures:
* Surveillance cams with WDR capability for high-contrast scenes; 600 dpi minimum
* Motion detectors for camera/DVR and light activation
* Vibration and temperature sensors and alarms
* Audio recording during events or when the sound level surpasses the preset threshold
* Two-way, live communication with the central control and/or patrolling guards

Lobby and Counters
Aside from deploying typical surveillance cameras, bulletproof glass and panic buttons, a growing number of banks opting for VCA to monitor both suspicious activities and business operations/VIPs can be witnessed. These days, installations are requiring more cameras than ever before, translating to even more recorded video. As a result, events and activities might be easily missed, and suspicious behavior is not noticed until after a crime has been committed. A quality and properly installed surveillance system with facial recognition capability, among other VCA features, will enable a financial institution to better cope with customers with disgruntled expressions, unexpected long lines, suspicious loitering and so on; such a system can also ensure staff members man their appropriate areas, recognize blacklisted people and maintain access control of restricted areas, said an industry source.

VCA for security and business operations:
- Recognize faces that are of registered VIPs, blacklisted or concealed
- Alert management to long lines or disputes
- Detect and identify suspicious activities:
   * Trajectory tracking, such as straying from the customary path after entering/leaving the bank (for example, not   heading toward the counter upon entering the premises)
   * Loitering or walking back and forth
   * Frequent head turning akin someone who is surveying the environment
   * Idle objects, lack of or even too much movement (for example, someone stands still for an unusual period of time)
   * Not doing what they should be doing (for example, someone is at the ATM, but is not making any transactions)
   * Particular types of body movement or clothing

Watch Your Back
One of the most common security risks in access control is simply user carelessness, such as a misplaced badge or token, or not closing the door right away for tailgating. “Security management for banking is a discipline unlike any other; it is always a good idea to have a ‘twin,' meaning that it requires two bank personnel's physical attendance in order to unlock and access the vaults and cash depositories,” Feng said. Citibank actually had its RFID entry cards custom-made, so it is virtually impossible to duplicate them without proper authorizations.

“A dependable method to counter the false use of access control cards would be the use of dual-factor authentication, for example facial recognition plus access cards,” said Charles Smith, Product Manager at Omniperception.

The greatest risk in any security system is the staff, cautioned Michael Brown, IT and Computers Director for VideoControlRoom. Vulnerabilities include staff opening or closing a branch; early mornings when there are few people around and the alarm is disarmed; the authorities may be slow to respond due to rush-hour traffic. “System designers need to think of security from all risk angles and cover the people aspect just as much as the ‘armed state' intrusion aspect.”

UPS
Security and video surveillance systems for financial institutions are mission-critical, given that they must be available 24/7. For this reason, UPS systems are a must. A well-maintained power protection system will ensure the integrity and availability of power to critical installations, such as intrusion detection sensors, fire sensors and bank vault sensors. “The highest priority is clean power, which means investing more in quality power-filtering UPS systems,” Brown added.

Seismic Sensors
Seismic sensors can detect both heat variations and vibrations resulting from attempts to disturb solid structures such as ATMs, bank vaults and safes — even in noisy environments. In addition, some seismic sensors are even equipped with light-sensing features. An added advantage is that they can be installed in existing legacy security systems to offer a higher level of protection over traditional shock sensors, which often lack the ability to discriminate between ambient vibrations and real attacks (such as heavy strokes from sledgehammers, repeated knocks from hammer and chisel attacks, drilling, mechanical cutting, acetylene torches, diamond drills and hydraulic jacks).

Unlike auxiliary/emergency power systems or standby generators, reliable UPS systems will provide near-instantaneous protection from power interruptions. While the primary role is to provide short-term power when the input power source fails, most UPS systems can, to a certain degree, correct common power problems such as:
- Voltage spike or overvoltage
- Momentary or chronic reduction in input voltage
- Noise, defined as a high-frequency transient or oscillation