Concerns about cybersecurity are overtaking those about physical security in the banking sector, although perhaps most front-burner have been issues that cross over into both realms.
While the federal Bank Protection Act long has required banks to designate a chief physical security officer, it’s only in recent years that chief information security officers have become more ubiquitous, says Doug Johnson, senior vice president, payments and cybersecurity policy for the American Bankers Association (ABA).
“Physical security is a much more mature discipline in general,” he says. “It’s only recently that there’s been more consideration given from an examination standpoint, by agencies or businesses, that you need chief information security officers. They’re increasingly invaluable.”
The Bank of Tampa, with nine branches and bank offices in the Tampa Bay area and about $1.5 billion in assets, sees cyber fraud as a larger day-to-day concern than anything on the physical security side, says John Deerin, vice president and security director.
“We continually evaluate and tighten down our procedures,” he says. “We have annual training for all our employees on fraud awareness, and that’s combined with money laundering awareness that’s sent out regularly. We have regular bank alerts that go out to all our personnel, in terms of current fraud activity in the area.”
The Bank of New Hampshire, with 24 offices and $1.4 billion in assets, finds that human error leads to cybercrime far more often than faulty firewalls, says Eric Carter, senior vice president – electronic banking manager.
“Some customers give up their credentials, and the fraudsters are in.” Perhaps mind-bogglingly, that includes situations where people get “married” over social media to someone they have never met in person – and then give that person their financial information. “There’s no regulations for being naive and giving up your information,” he adds. “They just get taken to the house.”
Meantime, bank executives face a difficult business environment with heavy stock pressure, and security measures are erroneously seen as detracting from the bottom line, says Michael Bacon, managing partner at security consulting firm Rezolvrizk and a former chief security officer at Wells Fargo.
“Security continues to be seen as a cost center,” he says. “They’re the first area that’s asked to be cut. We haven’t progressed as far as I would like as an industry.”
As such, banks need to develop more effective leadership around security, says Bacon, who worked in the banking industry for 27 years. “How can they be more effective leaders, develop the program, sell the program, develop the business case?” he says. “You have to prove yourself, prove that your program is comprehensive, prove that you’re needed, quite frankly.”
Working in Tandem
A long-term challenge as the focus on cybersecurity evolves has been to ensure that cybersecurity and physical security operations are working together and complementing one another’s efforts rather than working in silos, Johnson says.
“The most successful organizations are those that have a fairly high degree of integration between what they’re doing on the physical side and what they’re doing on the cybersecurity side,” he says. “Cybersecurity might be talking about access control, or devices to authenticate to access portions of the physical locations of organizations. … It’s what kind of physical security controls are we putting in place to protect cybersecurity infrastructure?”
That nexus of physical and cybersecurity is top of mind for Bacon. “To be truly prepared and properly respond, it takes a team,” he says. “You have to work as a concerted effort to properly address [security issues]. There’s a lot of work to get people together, do tabletop exercises and identify something as simple as roles and responsibilities. Some of this is very basic, but nobody is doing it.”
ATM skimming is one scenario where both sides of security need to work in tandem, Johnson says. “Physical security has to be working in concert with cyber to ensure that the type of anti-skimming devices that are placed on ATM machines are mitigating the threat,” he says.
The state of New Hampshire sees “a high number of cases each month” of ATM skimming, Carter says. That hadn’t been the case in the state until the past 12 to 18 months, he says. “It’s now in the backyard, which it never was. We do have processes in place where employees are required to look at ATMs.”
“It used to be that you worried about the ATM being physically assaulted by a crowbar,” adds Shaun Sanborn, senior vice president – security, facilities and safety for Bank of New Hampshire. “Now you’re more worried about the ATM skimmers. There’s no good method other than employee education and employees checking to see if they’re installed.”
On the inside, Johnson notes bank locations are currently evolving into what used to be called the “branch of the future,” with fewer customer service representatives and more opportunities for customers to be directed to videos on flat screen television or kiosks that have greater functionality than traditional ATMs. “The branch of the future is now,” he says. “You’ve got any number of deployments in branches and institutions with platforms that look quite dissimilar to what they looked like in the past.”
Another area of crossover is electronic wire transfers, which used to be under significant physical security lockdown, Johnson says. “You had to have a good reason to be in that room,” he says. “In this day and age, there’s less physical security, in some instances, surrounding the capacity to send electronic wires, [and more] to make sure credentials aren’t compromised. … That’s another thing where institutions have to marry the need for security on both sides and understand how they’re morphing over time and how best to understand the requirements.”
Bacon sees another area of crossover vulnerability in Internet-enabled physical security devices such as cameras or card readers. “You’re not just hanging a camera or an access system,” he says. “There’s vulnerability in people trying to hack the endpoints. A lot of people have bought security technology only now to find out that camera that’s IP-enabled, or the card reader, is a prime hacking access point.”
The financial sector has seen devices on Internet of Things targeted, says Lee Beachy, senior vice president – information security, Bank of New Hampshire. Such endpoints are “tremendously insecure in most cases,” he says. “The malicious underground is very, very sophisticated. If they want to come after you, they’ll get you. It’s raising the stakes.”
More squarely on the physical security side, institutions are facing issues that stem from having fewer numbers of customer service representatives. The security vulnerabilities of a bank branch change as the environment changes; for example, if there are no tellers, there is no one to hold up, Johnson says.
“We’re so accustomed to protecting the cash,” he says. “I always kid about the bank robber who hasn’t properly cased the branch, and he can’t find the teller line. But where do I go now? I probably have to just leave.”
Still, Bacon encourages banks and clients in other industries to prepare for active shooter incidents ranging from workplace violence to terrorist acts. “There’s a lot of work being done in that area, with procedures, training and lockdown protocols,” he says. “Do we handle each location? If we’re a global company, how do we assess the risks?”
As branches continue to shrink, Johnson can imagine when they will start experiencing issues more common to, say, service stations. “It’s not here yet, but you can foresee a day where you’ve got to develop procedures for single-employee openings of branches,” he says. “Where the branch only has a customer service rep, and you don’t need anybody else. How do you address the security concerns of having one individual open the branch?”
Physical security programs are more likely to be audited than in the past, which has upped the ante for zeroing in on the right procedures and equipment, Bacon says. “Information security individuals are now looking hard at the security equipment,” he says. For example, “there are more camera companies now than ever. There’s pressure to truly understand products’ capabilities and business implications, and find the right product for the right reasons. You used to follow your provider and integrator blindly. That’s quickly becoming not the case.”
Bells and Whistles
The ABA has a bank security committee that continuously revises recommended bank robbery procedures as the environment changes, Johnson says.
“There’s no shortage of bells and whistles that are out there that institutions have to choose from, and vendors to choose from,” he says. “What that creates is an environment where institutions have some level of leverage; to the extent one type of security measure could be more successful if improved in a certain manner, the vendor community really listens to that.”
Such conversations between customers and vendors help move along needed technology in dynamic fashion, Johnson says. “That benefits the entire industry,” he says. “You’ve got the larger bank security directors that have relationships with the vendor community who can influence a lot of change within that community. That benefits the community bank environment as well. That’s true on both the physical as well as the cybersecurity side.”
The Bank of New Hampshire uses a layered approach of access control, key systems, video, and signing profiles for individuals to access various areas of the bank’s buildings, Sanborn says. But that technology is only as airtight as the people who use it, he says.
“Some employees borrow access cards from one another when they left theirs at home. They allow other people to ‘tailgate’ in through the door, which creates a potential risk to not only the employees but customers or vendors in the bank. That could lead to an active shooter type of situation,” he adds.
The Bank of Tampa deploys an array of alarms, access systems, cameras and security officers to deter crime on the physical side and to pass muster with regulators, Deerin says. But his bank is more concerned about cybersecurity and in particular the fraud issue.
The Cyber Side
Cyber fraud typically takes two forms, says Deerin. The first is external fraud that’s impacting bank customers and “resulting in bogus email requests, primarily for wire transfers,” he says. “We intervene in those matters quite frequently. Fortunately, most of the time we’re able to mitigate fraudulent wires. Some customers have had malware put on their machines and takeover of their online banking accounts.”
The second issue is internal threats to the Bank of Tampa’s own network and data, Deerin says. “They’re coming at us on a regular basis,” he says. “We have invested a lot of time and money into our network firewalls and our network security. More and more stuff is moving to the cloud environment and applications. We have to ensure that the cloud environment that our data is residing in is completely secure.”
The Bank of New Hampshire faces much the same dual vulnerability. On the exterior, many if not most of the bank’s business customers are small and family-owned, Beachy says. “We’re a community bank,” he says. “These owners can barely get time to think about IT, let alone security for their IT. It’s fairly unusual that they will have it outsourced to a competent IT shop.”
The Bank of New Hampshire urges its customers to pay attention, Carter says. But in some cases “they’ve got a 19-year-old who can plug in a computer, or who learned on Google or YouTube how to set up a network,” he says. “Funding isn’t being put in the right places with these companies to protect not only their employees but their clients.”
Internally, Bank of New Hampshire filters employees’ Web browsing, although some estimates say that up to 70 percent of online malware comes through compromised but legitimate websites, Beachy says. But up to 90 percent of total compromises come via email, and the bank is in the process of migrating to a “more solid email platform” while outsourcing its log check review and analysis to search for anomalies.
“There’s an awful lot of information in [those logs],” he says. “You can find the needles in the haystack. The volume is getting such that we need to outsource.”
Social Engineering and Ransomware
Johnson says that time-honored approaches to hack into systems and servers such as phishing emails remain very common. “Let’s just do the social engineering,” he says hackers think to themselves. “Let’s just find employees, and let’s get some email addresses which are very similar to the email of the businesses. Let’s send employees an email purportedly from the boss, with additional social engineering to get an idea of how the boss might couch his name in the signature.”
Bad actors then send out an email that says something like, “Please send a payment out to this customer tonight, ASAP.” Johnson adds that “the employee does it because they think it’s coming from their boss. They don’t realize it until it’s too late. One of the things we fall victim to is the elegant, simple compromises of systems based on things like social engineering.”
This happened to a customer of Bank of New Hampshire just recently, Carter says. The clerk of a commercial customer received what appeared to be an email from her boss asking that money be wired internationally. She complied without calling her boss to verify the request.
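The pattern Johnson and Carter describe above (a lookalike sender domain, an executive’s name in the display field, and an urgent payment request) can be screened for before a clerk ever acts on it. The following is an added example, not code from the article or from any of the banks named in it; the company domain, the executive roster and the three sample messages are constructed placeholders, and the scoring weights and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
"""Heuristic screen for business-email-compromise style payment requests.

Added example, not from the article. The domain, roster, weights and the
sample messages below are all constructed assumptions.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "examplebank.test"  # assumption: the protected organisation's mail domain

# Assumption: roster of people whose names are worth impersonating, keyed by display name.
EXECUTIVES = {"pat jordan": "pat.jordan@examplebank.test"}

PAYMENT_WORDS = re.compile(r"\b(wire|payment|transfer|invoice|pay)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(asap|tonight|urgent|immediately|right away)\b", re.I)


def domain_of(header_value):
    """Return the lower-cased domain of an address header such as 'Pat <pat@x.test>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike_domain(domain, reference=COMPANY_DOMAIN, threshold=0.8):
    """True when `domain` is not the reference domain but closely resembles it
    (a swapped, inserted or digit-for-letter substituted character)."""
    domain = domain.lower()
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= threshold


def score_message(msg):
    """Score one message (dict with from/reply_to/subject/body) and explain why.

    Returns (score, reasons). Sender impersonation signals weigh more than
    wording signals; wording only counts once payment language is present."""
    reasons = []
    score = 0
    display_name, from_addr = parseaddr(msg.get("from") or "")
    from_domain = from_addr.rpartition("@")[2].lower()

    if is_lookalike_domain(from_domain):
        score += 3
        reasons.append(f"sender domain {from_domain!r} resembles {COMPANY_DOMAIN!r}")

    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        score += 2
        reasons.append(f"display name {display_name!r} used with a non-roster address")

    reply_domain = domain_of(msg.get("reply_to"))
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain!r} differs from sender domain")

    text = f"{msg.get('subject', '')} {msg.get('body', '')}"
    if PAYMENT_WORDS.search(text):
        score += 1
        reasons.append("payment language")
        if URGENCY_WORDS.search(text):
            score += 1
            reasons.append("urgency language")
    return score, reasons


def is_suspicious(msg, threshold=4):
    """Flag for out-of-band verification, e.g. a phone call to the purported sender."""
    return score_message(msg)[0] >= threshold


# Constructed sample messages (not real traffic).
SAMPLES = {
    "bec": {
        "from": "Pat Jordan <pat.jordan@examp1ebank.test>",  # 'l' replaced with '1'
        "subject": "Payment needed tonight",
        "body": "Please send a payment out to this customer tonight, ASAP. -Pat",
    },
    "legit": {
        "from": "Pat Jordan <pat.jordan@examplebank.test>",
        "subject": "Q3 vendor invoice",
        "body": "Invoice attached for the usual review cycle; no rush.",
    },
    "newsletter": {
        "from": "Deals <news@shop.example>",
        "subject": "Weekend sale ends tonight!",
        "body": "Hurry, offers end tonight.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = score_message(msg)
        print(f"{name}: score={score} suspicious={is_suspicious(msg)} reasons={reasons}")
```

The output of a screen like this is a prompt for the verification step Carter’s anecdote lacked: a flagged request goes to a phone call on a known number, not to the wire desk. The weights are deliberately skewed so that an urgent newsletter alone never trips the threshold, while a lookalike domain carrying an executive’s name does even before the wording is considered.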
Carter knows of an IT person at another “large New Hampshire-based company” who downloaded what appeared to be a free firewall, but it turned out to be malware. “That’s one of the strategies, to get an employee to panic over the situation through a phone call or pop-up window, to call this 800 number that we’ve detected a problem,” Beachy adds.
The Bank of Tampa regularly fields not only phishing emails but even social engineering attempts over the phone, Deerin says. “Suspicious individuals call in and try to get customer information,” he says. “That’s pretty low-tech stuff that we constantly train our employees not to fall victim to.”
Bank of New Hampshire hears about customers receiving calls at home on almost a daily basis, Carter says. Typically the scammers will tell them there’s a virus on their computer and ask for their credit card number so the scammer can supposedly remove the virus. Those calls most often target seniors, he adds, but “they will go after just about anybody. … A lot of people are still very trusting and will give up their information.” Then they wonder if they’ve been scammed and call the bank, except that it’s too late.
By and large, banks are very aware of this danger and continuously train employees, Johnson says, but that doesn’t necessarily protect them. “That’s something we’re continually trying to work through with customers and employees: ‘Be very wary of what you get by email, and know how to protect yourself,’ ” he says. “It’s amazing how many sophisticated exploits, or even unsophisticated ones, start with a phishing email because people are still vulnerable to that.”
Often tied to phishing emails are cases of ransomware, where the consequence of clicking on the phony link is that data or other information are essentially held hostage until the bank or other business pays the ransom. Banks deal with this both internally and externally through their customers, Johnson says.
“It’s not unusual for a financial institution to get a call from a customer asking what to do. We’re seen as a trusted third party,” he says. “We certainly can’t provide consulting in that vein. We can’t provide recommendations as to whether or not to pay the ransom. We do spend a fair amount of time trying to educate banks and bank customers as to the vulnerabilities associated with ransomware.”
The Bank of Tampa has seen customers fall victim to ransomware, Deerin says. “It’s mostly our commercial customers – that’s where the perpetrators find the most fruit,” he says.
Some criminals are essentially building ransomware “kits” that people can buy and install even if they have no computer expertise, Johnson says. “This is something that through the rest of this year and into 2017, we’re going to see as a particular challenge to our organizations, both within the bank and with our customers,” he says. “It’s not about the drive in your PC: If you’re in a network in a shared-drive environment, they all can be infected. That will not tend to make you a very popular person in your office.”