Banking Battlegrounds: Cyber and Physical Security Risks Today
What reporting strategies should your enterprise adopt?
If Bonnie and Clyde were alive today, they might very well be hackers.
In the early years of the 21st century, banks and other financial institutions have added cyberspace security to their traditional concern about locking down their physical premises, and some say the former is at the forefront of their security-related concerns. This has put encryption, firewalls and cloud providers’ policies alongside alarms, security cameras and keycards in their toolbox.
Cincinnati-based Fifth Third Bank, with more than 1,300 branches in 12 Midwestern and Southern states, has turned to Diebold for a variety of security systems, including cameras, keycards and devices that protect against ATM theft. In doing so, the bank attempts to think strategically about systems that can be used for non-security purposes, as well, so the cost can be shared across different lines of business, says Mike Neugebauer, vice president and senior manager of corporate safety and security.
“If I use those solely as a security device, getting the funding for them would be very difficult,” he says. “I’ve learned that we can share certain information on those, and it makes sense to share the cost across different lines of business.”
Fifth Third’s 1,700 digital video recorders and 17,000 cameras throughout its footprint are also used, for example, when heavy weather such as blizzards in Michigan or hurricanes in Florida make it difficult for security personnel to assess physical damage to buildings – or whether parking lots have been plowed in a snowstorm, Neugebauer says. “Those kinds of information help retail [branches] make a decision on whether they should even open for the day,” he says.
About 900 of the 1,300 branches have key card access that lets managers set precisely who is allowed through which doors, and when. Contractors hired for housekeeping or telephone repair are given limited time windows, perhaps in the evenings or on weekends. Tellers have wider access throughout the day but are authorized to enter only certain areas, Neugebauer says. “If there’s not a business need [for a particular person] to go into the mechanical room or the IT closet, we can exclude those.”
When a bank employee loses a card, Neugebauer’s office can turn it off immediately and replace it for less than $10, whereas rekeying a set of locks can cost $4,000 to $5,000 depending upon the location and how many doors are involved.
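The badge scheme described above is a least-privilege policy: a credential maps to a role, the role lists the doors it may open and the hours it may open them, and a lost badge is switched off by ID rather than by rekeying. The following is an added example written for this page, not Fifth Third's or Diebold's system; the roles, doors, badge IDs and schedules are made up to show the deny-by-default check and the instant deactivation the text describes.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not Fifth Third's or Diebold's system: a badge maps to a
// role, a role lists the doors it may open and the days and hours it may do
// so, and a lost badge is switched off by ID. Names and schedules are made up.

// Window is the local-time schedule during which a role may use its doors.
type Window struct {
	Days  map[time.Weekday]bool
	Start int // inclusive hour, 0-23
	End   int // exclusive hour, 1-24
}

// Role lists permitted doors; a door absent from the map is denied.
type Role struct {
	Doors  map[string]bool
	Window Window
}
type Badge struct {
	Role   string
	Active bool
}
type Policy struct {
	Roles  map[string]Role
	Badges map[string]*Badge
}

// Allow is deny-by-default: an unknown or deactivated badge, a door outside the
// role's list, or a request outside the role's window is refused with a reason.
func (p Policy) Allow(badgeID, door string, at time.Time) (bool, string) {
	b, ok := p.Badges[badgeID]
	if !ok {
		return false, "unknown badge"
	}
	if !b.Active {
		return false, "badge deactivated"
	}
	r, ok := p.Roles[b.Role]
	if !ok {
		return false, "unknown role"
	}
	if !r.Doors[door] {
		return false, "door not permitted for role " + b.Role
	}
	w := r.Window
	if !w.Days[at.Weekday()] || at.Hour() < w.Start || at.Hour() >= w.End {
		return false, "outside permitted hours"
	}
	return true, "ok"
}

// Deactivate switches a lost badge off immediately; a replacement is a new ID.
func (p Policy) Deactivate(badgeID string) {
	if b, ok := p.Badges[badgeID]; ok {
		b.Active = false
	}
}

func days(ds ...time.Weekday) map[time.Weekday]bool {
	m := map[time.Weekday]bool{}
	for _, d := range ds {
		m[d] = true
	}
	return m
}

// BranchPolicy is the constructed sample: tellers get public and work areas on
// weekdays, housekeeping a short evening window, facilities the plant rooms.
func BranchPolicy() Policy {
	weekdays := days(time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday)
	allDays := days(time.Sunday, time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday, time.Saturday)
	return Policy{
		Roles: map[string]Role{
			"teller":       {Doors: map[string]bool{"front": true, "teller-line": true, "breakroom": true}, Window: Window{weekdays, 7, 19}},
			"housekeeping": {Doors: map[string]bool{"front": true, "breakroom": true}, Window: Window{allDays, 18, 23}},
			"facilities":   {Doors: map[string]bool{"front": true, "mechanical": true, "it-closet": true}, Window: Window{allDays, 0, 24}},
		},
		Badges: map[string]*Badge{
			"T-1001": {Role: "teller", Active: true},
			"C-2002": {Role: "housekeeping", Active: true},
			"F-3003": {Role: "facilities", Active: true},
		},
	}
}

func main() {
	p := BranchPolicy()
	tue10 := time.Date(2024, time.January, 9, 10, 0, 0, 0, time.UTC) // a Tuesday
	fmt.Println(p.Allow("T-1001", "teller-line", tue10))
	fmt.Println(p.Allow("T-1001", "mechanical", tue10))
	fmt.Println(p.Allow("C-2002", "breakroom", tue10))
	p.Deactivate("T-1001") // badge reported lost
	fmt.Println(p.Allow("T-1001", "teller-line", tue10))
}
```

Every denial carries a reason string, which is what you want written to the access log: an audit of "door not permitted for role" events is how you find someone probing the IT closet, and a denial on a deactivated badge is evidence the lost card is being tried.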
Fifth Third has reduced its losses due to ATM “skimming” by 90 percent in one year by deploying anti-skimming devices, Neugebauer says. “Skimming can be a huge loss for financial institutions or other companies that have any type of device with a card reader,” he says.
At Midland States Bank, based in Effingham, Ill., the security focus has definitely shifted to cybersecurity, says Bradley Schaufenbuel, director of information security. The bank uses multiple vendors in a “best of breed” strategy to build a “pretty industry-standard set of security technologies,” he says. These include a firewall, anti-virus and anti-malware, e-mail and Web content filtering, encryption and security information management systems, which log unusual activity.
Midland States layers those tools on top of one another as part of a “defense-in-depth program,” Schaufenbuel says. “The goal is the same for all of them: helping us safeguard customers’ personal and financial information, and employees’ information. … If we don’t implement some of these controls and something happens, we’ll be found to be negligent for not having them in place.” Plus, he adds, “If we were to have a breach, that would be pretty damaging to our brand and reputation. It keeps us out of the news.”
In addition, regulators want to know that banks have a thorough due diligence process in place, one that also vets the security wherewithal of third-party contractors, says James Stewart, senior director of risk management. “There’s a lot of focus on the fact that companies contract out a lot of operational control to third parties,” he says. “You can get into a web of due diligence. It’s much, much more demanding than perhaps it was.”
Schaufenbuel sees three major trends in banking security: leveraging big data and running it through advanced analytical capabilities to get a more holistic view of threats across banking channels; information sharing across and among institutions to counter organization and coordination among the “bad guys;” and the shift of focus away from prevention toward rapid recovery. “There’s industry recognition that breaches are almost inevitable and that the focus of security programs needs to shift away from ‘we’re going to stop the bad guys,’ to ‘when the bad guys go in, how do we respond and recover?’”
Credit unions are also beefing up and modernizing their security measures. The 32-branch ORNL Federal Credit Union based in Oak Ridge, Tenn., has issued employee badges that provide customized access to parts of the facility instead of keys.
The credit union contracted with Fleenor Security Systems first for central alarm system monitoring and then for the Galaxy Control Systems badge product. When an employee is out on vacation and a colleague covers for them, the covering colleague’s badge can be temporarily reprogrammed to grant access to a branch other than their usual one.
“It’s just so simple to go in and add someone or to de-activate a badge,” says Nancy Ballard, physical security administrator at the credit union. “I’ve had employees who used to be afraid to tell me that they couldn’t find their badge – but now it’s no problem; I just tell them I can deactivate the lost badge and reactivate it when they find it, and they’ll be good to go.”
Physical and Cyber
Retail branches tend to be more focused on the physical side, says Lisa Ciapetta, senior director of marketing and technology at Protection 1. They need a burglar alarm, fire alarm, anti-skimming device at the ATM, and cameras positioned in various ways – to get an overview of the activity, to get a shot of people at eye level and probably at the drive-up. Central data centers where private customer information is housed are more focused on the cybersecurity side.
During the past 15 years, those two sides of security have increasingly converged, Ciapetta says, with technology-enabled “smart” burglary and fire systems that tie into a computer network rather than operating over phone lines. “It’s really starting to happen right now,” she says of the convergence, adding that people can see the value in real-time information.
Cameras used in banks have become considerably higher in resolution, Ciapetta says, which has given bank personnel and law enforcement a much greater ability to identify perpetrators.
BAE Systems Applied Intelligence, which focuses primarily on cybersecurity, has seen significant growth in banks’ Web and mobile transactions, says Mark Fishleigh, head of financial services. Banks are, rightly, taking advantage of the opportunity by becoming more connected to cyberspace, he says, but that also means more and more attack vectors, both traditional and cyber, sometimes blended in ways that are much harder to defend against.
Fishleigh cites a case in which a Middle Eastern bank was attacked by hackers who cloned pre-paid debit cards, distributed them among a group of mules, and those mules used the pre-paid cards to withdraw a total of $45 million in cash.
Companies like BAE Systems are developing solutions that go beyond traditional firewalls and trace the relationships among different parties to a transaction, to track any behaviors that look suspicious, Fishleigh says. Such products are designed to help organizations monitor what’s going on, he says. When you see increased activity from either a financial crime group or a cyber group, it allows you to turn up your security measures because you have reason to believe you’re the subject of an attack.
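The cash-out case and the monitoring idea above come together in a detection that looks at behaviour across cards rather than at each transaction in isolation. The following is an added example written for this page, not BAE Systems' product: each card is checked for a burst of withdrawals across many ATMs in a short window, and bursting cards are then correlated by issuer prefix (BIN) so the bank sees one campaign and has a concrete trigger for turning up its security posture. The events, thresholds and BINs are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Added example of the behaviour-tracing idea above, not BAE Systems' product.
// Withdrawals are grouped per card and checked for a burst of cash-outs across
// many ATMs in a short window; bursting cards are then correlated by issuer
// prefix (BIN) into one campaign. Events and thresholds are made up.

type Withdrawal struct {
	Card   string // PAN; the first six digits are the issuer BIN
	ATM    string
	Amount float64
	At     time.Time
}
type Burst struct {
	Card   string
	Count  int
	ATMs   int
	Amount float64
}

// Per-card thresholds for a single sliding window.
const (
	window   = 30 * time.Minute
	minCount = 5
	minATMs  = 3
)

// CardBursts returns one Burst per card that, within any window-long span,
// made at least minCount withdrawals from at least minATMs distinct machines.
func CardBursts(events []Withdrawal) []Burst {
	byCard := map[string][]Withdrawal{}
	for _, e := range events {
		byCard[e.Card] = append(byCard[e.Card], e)
	}
	var out []Burst
	for card, evs := range byCard {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		lo := 0
		for hi := range evs {
			for evs[hi].At.Sub(evs[lo].At) > window {
				lo++ // slide the window start forward
			}
			span := evs[lo : hi+1]
			atms := map[string]bool{}
			total := 0.0
			for _, e := range span {
				atms[e.ATM] = true
				total += e.Amount
			}
			if len(span) >= minCount && len(atms) >= minATMs {
				out = append(out, Burst{card, len(span), len(atms), total})
				break // one finding per card is enough to raise an alert
			}
		}
	}
	return out
}

// Campaign groups bursts by BIN and keeps only BINs with at least minCards
// bursting cards: the "increased activity" that justifies turning up controls.
func Campaign(events []Withdrawal, minCards int) map[string][]Burst {
	byBIN := map[string][]Burst{}
	for _, b := range CardBursts(events) {
		if len(b.Card) >= 6 {
			byBIN[b.Card[:6]] = append(byBIN[b.Card[:6]], b)
		}
	}
	for bin, bs := range byBIN {
		if len(bs) < minCards {
			delete(byBIN, bin)
		}
	}
	return byBIN
}

// SampleFeed is a constructed feed: three prepaid cards from BIN 412345 each
// cash out at five ATMs within twenty minutes, plus one ordinary customer.
func SampleFeed() []Withdrawal {
	t0 := time.Date(2024, time.February, 3, 2, 0, 0, 0, time.UTC)
	var evs []Withdrawal
	for i, card := range []string{"4123450000000011", "4123450000000029", "4123450000000037"} {
		for k := 0; k < 5; k++ {
			evs = append(evs, Withdrawal{card, fmt.Sprintf("ATM-%d%d", i, k), 500, t0.Add(time.Duration(4*k) * time.Minute)})
		}
	}
	return append(evs,
		Withdrawal{"5500000000000004", "ATM-99", 200, t0},
		Withdrawal{"5500000000000004", "ATM-99", 60, t0.Add(2*time.Hour)})
}

func main() {
	for bin, bs := range Campaign(SampleFeed(), 3) {
		fmt.Printf("BIN %s: %d cards bursting, raise posture; first: %+v\n", bin, len(bs), bs[0])
	}
}
```

The per-card rule alone would fire on a legitimate traveller now and then; the BIN-level correlation is what separates a one-off from a coordinated cash-out, and it is the kind of signal that would justify temporarily lowering withdrawal limits for that issuer range rather than blocking individual cards one at a time.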
Cloud computing is another area that banks and financial institutions are increasingly turning toward, which brings its own set of security concerns, says Elad Yoran, chairman and CEO of Vaultive, which focuses on that area. He says the cloud is the first technology he’s seen in the past 20 years in which banks have lagged the rest of the business world due to heightened concern over control of their data.
One global financial services firm with which Vaultive works was considering outsourcing its e-mail servers, and the CSO expressed the concern that while four people had access to the firm’s administrative servers, in the third-party cloud provider there would be 400 people with such access.
“That’s two orders of magnitude more. It’s a big worry to a chief security officer of a bank,” Yoran says. In addition to hackers, part of the worry stems from the specter of a government subpoena, since many cloud storage companies have policies that they reserve the right to do as they see fit if such a situation arises. “Banks are asking themselves a very simple question: if a third party can turn over our data without authorization, do we own our data?” he says. “There’s an obvious answer to that question, and it’s scary to a lot of people.”
To protect against such loss of control, Yoran recommends that banks encrypt data before putting it into the cloud, encrypt it persistently – whether in transit, in use or at rest – and hold onto the “encryption keys” yourself. “The golden rule is, whoever controls encryption controls data,” he says. “All of these are not security issues in the traditional sense of the word – it’s not anti-virus or firewalls. This has to do with how one maintains control over their data. It’s really a governance discussion.”
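Yoran's rule is a design pattern, not just a policy statement. The following is an added example written for this page, not Vaultive's product: the bank keeps a key-encryption key (KEK) on its own side, seals each object with a fresh AES-GCM data key, wraps that data key under the KEK, and hands the provider only the sealed material. The object name is bound in as associated data. Key sizes, the store interface and the object layout are assumptions of this example; it uses only Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Added example of the "encrypt before it leaves, keep the keys" rule, not
// Vaultive's product: the bank holds a KEK, seals each object with a fresh
// AES-GCM data key, wraps that key under the KEK, and the provider receives
// only the sealed material. Key sizes and the store API are assumptions.

// Object is everything the provider ever sees for one record.
type Object struct {
	KeyNonce   []byte // nonce used to wrap the data key
	WrappedKey []byte // data key sealed under the bank's KEK
	Nonce      []byte // nonce used to seal the payload
	Ciphertext []byte // payload with GCM tag appended
}

// CloudStore stands in for the provider: a plain name-to-blob map, no keys.
type CloudStore map[string]Object

// Bank holds the KEK; plaintext and raw keys exist only on this side.
type Bank struct{ kek []byte }

func NewBank() (*Bank, error) {
	kek, err := randomBytes(32)
	return &Bank{kek: kek}, err
}
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce. The object name is the associated
// data, so a blob the provider serves back under another name fails to open.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(g.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Upload encrypts on the bank's side; the store only ever receives sealed data.
func (b *Bank) Upload(store CloudStore, name string, plaintext []byte) error {
	dataKey, err := randomBytes(32)
	if err != nil {
		return err
	}
	nonce, ct, err := seal(dataKey, plaintext, []byte(name))
	if err != nil {
		return err
	}
	keyNonce, wrapped, err := seal(b.kek, dataKey, []byte(name))
	if err != nil {
		return err
	}
	store[name] = Object{keyNonce, wrapped, nonce, ct}
	return nil
}

// Download unwraps the data key and opens the payload. A blob the provider
// altered or renamed, or one sealed under another bank's KEK, is rejected.
func (b *Bank) Download(store CloudStore, name string) ([]byte, error) {
	o, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("no such object: %s", name)
	}
	dataKey, err := open(b.kek, o.KeyNonce, o.WrappedKey, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, o.Nonce, o.Ciphertext, []byte(name))
}

func main() {
	bank, _ := NewBank()
	store := CloudStore{}
	_ = bank.Upload(store, "mail/1", []byte("wire instructions for client 42"))
	pt, err := bank.Download(store, "mail/1")
	fmt.Printf("provider holds %d ciphertext bytes; bank reads %q (err=%v)\n", len(store["mail/1"].Ciphertext), pt, err)
}
```

The point of the per-object data key is that the KEK is used only to wrap short keys, so it can later be rotated by re-wrapping those keys without re-encrypting every stored object. A subpoena served on the provider yields the contents of the map and nothing else; whether the bank answers it becomes the bank's decision, which is the governance outcome Yoran describes.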
‘Inner Fingerprints’ Being Used to Access ATMs
Customers at Brazil’s second largest state-owned bank, Caixa Economica Federal (CAIXA), no longer use traditional PINs to authenticate their identities. Instead, they place a finger on a reader and withdraw money, thanks to new multispectral imaging (MSI) fingerprint technology.
CAIXA has deployed 3,500 biometric-based ATMs, made by Diebold, into which customers insert their cards and then touch the fingerprint reader to withdraw money. The MSI technology, developed by Lumidigm, part of HID Global, extracts unique fingerprint characteristics from both the surface and subsurface of the skin.
This “inner fingerprint” lies undisturbed by moisture, dirt or wear, which the bank says makes the results more consistent, inclusive and tamper-resistant than previously developed fingerprinting technologies.
The move toward this technology was inspired by the Bolsa Familia Program, which pays low-income families to help keep their children in school; many recipients don’t have bank accounts and use an ATM only once a month to collect their payment. The program’s 58 million registered customers tended to forget their passwords and took up bank managers’ time getting them renewed or changed.