printer friendly version

Protecting people’s money, and their data

The temptations inherent to the banking sector, and financial institutions more generally, pit them in an eternal and increasingly high-tech battle to secure themselves against threats from within and without. They also have a responsibility to protect their customers and their data from unauthorised access, and since bank branches are essentially businesses they are seeking ways to improve the customer experience in similar ways to the retail sector.

Addressing all these concerns requires a highly integrated approach that uses the cutting-edge of security technologies across the board. We asked IDEMIA, Cathexis Africa and CA Southern Africa how their companies’ particular areas of expertise are being leveraged in the financial sector.

Nicolas Garcia.

“In recent years we have seen a significant shift amongst the world’s largest financial institutions, toward frictionless biometric technology, which is driven by several key factors,” comments Nicolas Garcia, regional director of sales at IDEMIA SA. These factors include security standards compliance and resultant audit pressures which have increased dramatically around the globe in recent years (for both physical and logical security). This has been driven in part by the large number of high-profile insider and outsider breaches/attacks seen in the past five years.

What’s more, the world’s major financial institutions are competing for both the best customers and the best employees. They are always looking for ways to attract top talent, and are focusing heavily on workplaces that are high-tech, safe, and attractive to employees. Also, the access control technology is highly visible to any visitor entering the lobby, and plays a significant role in reinforcing the message of how serious the bank is about security.

There is a need within these entities to securely manage very large workforces, often exceeding 200 000 or 300 000 employees globally. “These employees are of course spread across many sites, but in most large corporate locations there is a need to ensure that tens of thousands of employees can securely access the buildings efficiently at peak times. For example in major cities or at campuses, employees usually arrive in waves during peak hours as they utilise public transport such as subway trains or shuttles. This puts a concentrated throughput demand on the system during these times,” says Garcia.

Another challenge faced by large institutions is the sheer variety of building types and locations in which the access control technology needs to operate. Large organisations need to standardise as much as possible in order to have the best control over their systems, and over costs. The variability, not only from site to site, location (indoors/outdoors) but also by time of day or even by season, has meant that contact fingerprint technology was the most widely adopted solution in the past, due to its immunity to most of these external factors.

Contactless biometrics

“Changing the environment or trying to compete with nature to make a system work is extremely costly, and rarely works, which is why so many facial and iris-based systems have had much more limited adoption in true access control applications,” Garcia continues. “With recent advances in 3D imaging technology, algorithms and processing power, it has become possible to capture more biometric data, more accurately, and without physical contact. The more biometric information you have to analyse, the more accurately you can tune the system for high-assurance matching.”

These gains have become most readily applicable to touchless/contactless fingerprint technology. Since every single fingerprint is unique, by simply waving one’s hand over a sensor, four unique credentials can essentially be tied to one human being, i.e., each of the four fingers, omitting the thumb due to its relative orientation compared to the four fingers. Scanning these fingers in 3D and without contact means more information can be analysed from each finger, without the concerns of hygiene or people having wet or dry fingers, or touching the sensor too softly or too hard.

“Being able to do all of this in even less time, and with less effort than traditional contact biometric systems, has catapulted this technology into the mainstream,” says Garcia. “IDEMIA pioneered the concept of frictionless biometrics over 10 years ago with the first generation of the technology now known as MorphoWave. The intense R&D and field testing over the past decade make this technology fully viable in the real world. As a result, MorphoWave is the most used touchless biometric technology for high-throughput, secure access in the financial sector, including an impressive array of the most recognisable banking and credit brands on the Fortune 500 list.”

Augmented identity

In the workplace, the same frictionless technology regularly extends to time and attendance, cafeteria payments, gym access, parking and other services. This feeds into IDEMIA’s ‘augmented identity’ concept, central to which is the idea that leveraging our identity must be not only a secure process, but also natural and convenient. This extends well beyond traditional access control and security applications into other areas such as eKYC, voting systems, civil ID programmes, border control and passenger facilitation, amongst others.

“IDEMIA’s facial recognition and analytics solutions provide an additional layer of security designed to complement traditional access points by extending the reach of security well beyond the physical doors and barriers. By fusing detection and tracking of persons or objects with accurate facial recognition algorithms, a powerful early warning system and investigative tool provides for much higher ROI (return on investment) of the customer’s existing surveillance infrastructure,” Garcia says. The technology can provide alerts based on any number of watch-lists for a variety of purposes ranging from detecting known bank robbers to identifying VIP customers.

IDEMIA’s biometric technology plays a key role in providing better security to both banks and their customers. Biometrics can be used to verify the identity of a customer when opening a bank account and/or to detect if that same customer has previously existed in the system under a different name. That biometric technology is also integrated into ATMs and branch teller solutions around the world to provide secure authentication of customers.

IDEMIA also offers a secure bank card with embedded fingerprint sensor, known as FCode. This allows a customer to scan their fingerprint directly on their banking card to authorise a transaction, instead of relying on a traditional PIN or signature.

“More major banks and credit providers are now integrating IDEMIA’s biometric technology into the payment experience,” Garcia states. “Secure payments using biometrics bring an important combination of both increased convenience and security at the same time. The expectations of today’s typical banking customer are very different than 10 or 20 years ago.

“Today’s customer grew up with a different level of technology accessibility and most are already completely comfortable using biometrics on their phone for a wide variety of authentication use cases including payments. Today’s customer expects that same capability to extend beyond their phone and into the retail space, whether at a shopping mall, concert or train station.”

Making use of video analytics

Gus Brecher.

Video management software (VMS) specialist, Cathexis Technologies, works with various entities within the financial sector. While its involvement has extended to the likes of institutions like the London Stock Exchange, the biggest component is the banks and their branches, according to Cathexis Africa’s managing director, Gus Brecher.

Integration is a big factor in the banking sector, says Brecher: “We have quite a lot of banking customers and in that sector we do a lot of integration with their fire systems, alarm panels and access control. Depending on the bank, many of them like to have a central monitoring capability, so they’ve got a hybrid scenario where they’ve got distributed recordings on site, a centralised monitoring facility for alarms, and the ability to view and store video off-site on request.”

Over and above access control systems deployed in the back-office areas, Brecher says banks are increasingly making use of video analytics. One way this can be used is to notify a branch manager if someone has entered the customer service area and not been served within a certain period of time, to enable the branch to improve its customer service levels. People counting can also be used to gain more insight into people’s comings and goings.

Analytics algorithms that identify loitering behaviour are also deployed outside banks and at ATMs. “We’ve also done some ATM integration where the standalone ATMs have small recording devices in them which can be correlated with the ATM transactions. However, because of privacy issues addressed by the likes of the PoPI (Protection of Personal Information) Act and GDPR (General Data Protection Regulation), this is typically limited to details like the time and type of a transaction, rather than details about the person performing the transaction,” Brecher says.

Cybersecurity must not be ignored

Gregory Dellas.

Whether crime is committed with a crowbar or a computer, the number one motivator for an attacker is greed, points out Gregory Dellas, security presales at CA Southern Africa. “It is for this reason that banking and financial institutions face the most persistent threat from the world’s assorted cybercriminals. While data has value and can be breached and sold off, it is the systems that handle the criminal’s true goal – money – that make the best targets,” he states.

According to SABRIC, 16 296 incidents were reported from January 2018 to August 2018 with losses amounting to more than R183 million for the banking industry. This is a 64,3% increase in the number of incidents over the same period in the previous year. On a wider scale, in the PwC 2018 Global Economic Crime and Fraud Survey, South Africa ranked number 1 globally for companies having experienced some form of economic crime, with a whopping 77% of all South African organisations being affected.

The largest increases in the sector were seen in insurance, consumer lending and retail investing. A contributing factor in this trend is the assumption that the established enterprises are the most at risk, when in fact, new entities including cloud-based services and digital banks are also highly targeted. Young organisations seeking to grow quickly and build security later make up the majority of these reported breaches.

Awareness versus alertness

“Awareness of these facts is an important step towards strong security but it is not enough,” Dellas insists. “The attacker is alert, prepared and 100% focused when exploiting systems. The staff of a financial services firm may be security aware but they are acting on routine, are distracted and not anticipating, for example, a potentially fateful social engineering phone call.

“This alertness shortfall can only be overcome with the right tools and a wide safety net strategy. Singapore based DBS bank provides a good case study, where a newly implemented CA Technologies automated identity and access management platform reduced risk of fraud, increased efficiency and improved customer satisfaction.”

Additional layers of defence include tools that manage privileged credentials which are the equivalent of the vault keys in a physical bank. Intelligent risk-based authentication can fill in the alertness gap should attackers gain access to systems or possession of employee credentials; they can be blocked based on thousands of hours of behavioural profiling.

“Many financial institutions are benefiting from benchmarking themselves against peer companies such as DBS. One good industry forum that helps address cybersecurity risk is the Financial Services Information Sharing and Analysis Centre (FS-ISAC). They conduct frequent cyber-range exercises and publish recommendations. Another excellent initiative is the Financial Data Exchange which seeks to create a common standard for data sharing across the financial industry.

“Reaching out to peers and partners familiar with the cutting edge of cybersecurity is an important step in boosting overall security posture. By continually adding additional layers of security, be they tools, processes or collaborative initiatives, best practices will ultimately keep financial institutions safe and secure,” Dellas concludes.

For more information contact:

• CA Southern Africa, +27 11 417 8594, [email protected], www.ca.com/za

• Cathexis Africa, +27 31 240 0800, [email protected], www.cathexisvideo.com

• IDEMIA, +27 11 286 5800, [email protected], www.idemia.com

Share this article:

Further reading: