The problem with money is that it attracts criminals intent on wresting it from its legal owners. Securing the financial sector presents a special challenge, since institutions need to attract and welcome clientele while simultaneously ensuring that money is secure. Hi-Tech Security Solutions looks at how this balance is achieved.
Logan Naidoo, a director at CKR Consulting Engineers, says that typical installations at banks and financial institutions include access control, CCTV surveillance and intruder detection, with panic buttons. Entry and exit points are monitored and mantrap cubicles and revolving doors prevent tailgating.
Rian Giesing, head of safety and security at Rand Merchant Bank (RMB), says that the organisation has a very specific leadership philosophy that empowers employees to make decisions that will provide tangible improvements to the business’s systems and structures. He explains that security is evolving within the RMB environment and is characterised by a high level of personal relationship development and caretaking, while also implementing security services, policies and procedures.
He continues that creative thinking is important for the successful adoption and buy-in of a system, which is not acquired through rules adopted only at the institution’s whim, but by what users actually need. Because all companies are different, the application of new electronic security measures should be adapted without losing the key principles aligned to a company’s culture, industry and philosophy. Correctly conveying the purpose of changing to a biometric system, for instance, as well as managing expectations pertaining to access control and data retention and eventual investigative purposes, is key.
Christo Coetzee, security manager at FNB, says that proper communication between management and staff members will create a culture within the business whereby they will trust, use and rely on new technology, not only to secure the business, but also to improve on business efficiencies and productivity. Management can ensure their involvement by emphasising that security systems are installed for their safety and wellbeing.
Most solutions are designed to address a specific security or business requirement, but it is the responsibility of the end user to incorporate the solution into the business strategy and processes. Coetzee advises doing a proper impact analysis before you even start testing or buying hardware. It is a common occurrence that employees will arrive at work only to discover that management had a new time and attendance reader or an office camera installed, without communicating the real purpose of the new system. This will lead to the common misconception that management is spying on employees and it will be difficult to convince them otherwise.
He says that good quality equipment that is user friendly should be the norm. Often the simplest technology is preferable, since high-tech equipment that is not user friendly can lead to operational frustrations and the system being bypassed by operators. He says that biometric readers are considered to be the most trustworthy personal identification devices on the market.
The role of biometrics
Naidoo says that biometric access control is typically used in areas where high levels of security are required and is individually programmed for each specific zone in terms of authorised personnel and relevant time periods. Fingerprint biometrics is the most commonly used, but the company has had instances where facial recognition biometrics is used in larger corporations, typically for data collection and recovery centres as well as cash counting facilities.
Biometrics play a role in securing higher risk areas such as data centres and IT systems within RMB. Giesing says that RMB considered employing a biometric system in the main reception area but decided to revert to a more low-key approach by using access cards for entry and exit, after establishing that the company culture was not quite ready to accept biometrics.
The key drivers to be considered, however, should be identification and controlled access to the building, retention of data as well as follow-through of information gained, and not outright detection, unless reasonable grounds exist for an investigation. Health and safety concerns have also been raised about the use of biometrics. He adds that the current Ebola scare, for example, poses the question as to whether the disease can be transferred by biometric devices. It is highly unlikely, as is the transfer of other diseases, but the question remains, especially when having to change to a new system.
Coetzee says that biometric readers started out as a personal identification medium in the security industry, but soon other business units realised the benefits of accurately and securely capturing and confirming personal identities with such devices. It is now commonplace to use biometric readers for time and attendance purposes and even to securely and accurately manage production processes.
Establishing an identity chain
The PoPI (Protection of Personal Information) Act will play a large role in security systems within the financial sector. This complements the existing Financial Intelligence Centre Act (FICA), 38 of 2001, which is designed to combat money laundering.
Sections 21 and 22 of FICA require all South African Banks to ensure that they have correct details for all of their customers by establishing and verifying certain customer details. These sections of FICA, which directly impact service to customers, are known as Know-Your-Customer (KYC). As such, existing and potential bank customers will already be well known to the financial institution.
Coetzee points out that identity theft is a huge concern, especially in financial institutions, where fraudulent transactions happen every few seconds. The audit process (establishing who, what, where, why and when) creates the identity chain between authentication (is this person really who he says he is, or who his access card states he is supposed to be?) and authorisation (giving him/her permission to do that specific action, whether withdrawing money from an ATM or entering a specific area).
Giesing emphasises that while the implementation of technology is desirable, it must be in compliance with company policy and legislative compliance requirements. For example, online digital signing of documents means that the security process eventually becomes less onerous than the traditional paper trail, but it must be subject to infallible storage and data retention as well as eventual destruction, in line with policy and procedure as required by law.
Many companies are currently investigating the PoPI Act, its requirements and impact on their systems, policies and procedures with eventual compliance in view, before venturing into biometrics. Auditable access to information holding systems by designated people, as well as protocols and robust internal procedures will help make sure shared employee or client information is safe. RMB is currently investigating the use of a dual verification system for access to systems and physical access to buildings and rooms using a USB key.
Giesing believes that the weak links in applying a biometrics system, as well as the legal requirements associated with it, will be human error, system choice, and the maintenance and management thereof. Once initial hurdles have been overcome, such as informing users of the system’s capabilities, actual purpose as well as initial operational testing, biometric security should become accepted by both clients and employees.
Naidoo believes that it is critical to capture the correct client information from the outset. The PoPI Act will play a large role in the way personal data is captured, but the company says its customers are already experiencing resistance to the capturing of fingerprints and other personal information. In many cases, CKR has been forced to install dual access equipment – card readers and biometric fingerprint readers – to achieve buy-in from employees and visitors.
Coetzee believes that best security practice within financial institutions would be to standardise on the capturing or identifying process, including all available authentication levels to be used. Authentication devices compare the presented template/ID with the authorised template stored in the database and only provide authorisation if it is a perfect match. Authentication devices should be able to present templates with the same accuracy as that which was used to capture the stored templates. To prevent unauthorised activities, the audit process must be as accurate and effective as possible. This can only be achieved by authentication and authorisation processes of the highest standard.
He adds that the biggest problem around access control seems to be the security and validation of identity. The problem with access control systems to date was that the identity of the card/PIN/password holder could not be verified/validated with the actual individual holding that card/PIN/password. Biometric systems overcome this as the identity of an individual is linked with a physical attribute like his fingerprint, vein, face or iris – an attribute unique to that person. Furthermore, advances in technology make it highly unlikely that these systems could be fooled.
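The identity chain Naidoo and Coetzee describe above, as an added illustration that is not code from the article or from any vendor's product: a card claims an identity, a fingerprint template confirms it against the enrolled template, the zone policy (authorised persons and permitted hours, programmed per zone) decides, and every decision is written to a who/what/where/why/when audit record. All IDs, templates and policies are constructed; the template comparison is modelled as a similarity score against a threshold, which is how real matchers work rather than a literal perfect match.

```python
from collections import namedtuple
from datetime import datetime, time

# Constructed sample data (hypothetical IDs): per-zone policy of authorised persons
# and permitted hours, a card register and enrolled fingerprint templates.
ZONE_POLICY = {
    "data_centre": {"persons": {"E1001"}, "hours": (time(7, 0), time(19, 0))},
    "cash_counting": {"persons": {"E1001", "E1002"}, "hours": (time(8, 0), time(17, 0))},
}
CARD_REGISTER = {"CARD-42": "E1001", "CARD-77": "E1002"}
# Templates are modelled as small feature vectors; real readers use a vendor format.
ENROLLED = {"E1001": (0.9, 0.1, 0.8, 0.2, 0.7, 0.3),
            "E1002": (0.1, 0.9, 0.2, 0.8, 0.3, 0.7)}
MATCH_THRESHOLD = 0.95  # real matchers tune this against false accept/reject rates

AuditRecord = namedtuple("AuditRecord", "who what where why when")

def similarity(a, b):
    """Cosine similarity of two templates: 1.0 means identical."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sum(x * x for x in a) ** 0.5 * sum(y * y for y in b) ** 0.5)

def authenticate(card_id, presented):
    """Dual verification: the card claims an identity, the fingerprint confirms it."""
    person = CARD_REGISTER.get(card_id)
    if person is None:
        return None, "unknown card"
    score = similarity(presented, ENROLLED[person])
    if score < MATCH_THRESHOLD:
        return None, f"template mismatch (score {score:.2f})"
    return person, f"template match (score {score:.2f})"

def authorise(person, zone, at):
    """Zone policy: is this person allowed here, at this time of day?"""
    policy = ZONE_POLICY.get(zone)
    if policy is None or person not in policy["persons"]:
        return False, "not authorised for zone"
    start, end = policy["hours"]
    if not start <= at.time() <= end:
        return False, "outside permitted hours"
    return True, "granted"

def request_access(card_id, presented, zone, at):
    """Run the chain and return (granted, audit record of who/what/where/why/when)."""
    person, reason = authenticate(card_id, presented)
    if person is None:
        return False, AuditRecord(card_id, "authentication failed", zone, reason, at.isoformat())
    ok, why = authorise(person, zone, at)
    return ok, AuditRecord(person, "entry granted" if ok else "entry denied", zone, why, at.isoformat())
```

Note that a failed authentication is logged against the card presented, not a person, since no identity was confirmed; the audit trail still records where and when the attempt happened.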
Securing card transactions
Susan Potgieter, general manager: CCO at SABRIC (South Africa Banking Risk Information Centre) says that in order to ensure secure card-based transactions, all stakeholders in the supply chain need to take heed of the Payment Card Industry (PCI) Data Security Standard (DSS) rules and standards.
She points out that a number of risks are involved in card-based transactions, whereby criminals will attempt to dupe cardholders out of their money by gaining access to their card data and PIN and even their physical card.
With data and its security being so important, stakeholders need to understand how critical it is for them to take responsibility for their own area of involvement. This stretches from the consumer, to the merchant, data transmission service providers and payment aggregators, through to the acquiring (merchant’s) bank and the issuing (cardholder’s) bank.
A new trend is that criminals attempt to compromise bulk data. Potgieter says that this is considerably more attractive to them than the smaller sums of money they can pilfer from individuals’ cards. This is especially prevalent where vulnerabilities in company data warehouses are apparent. The criminal employs devious methods to target the less visible stakeholders in the process, so buy-in to PCI DSS compliance is absolutely essential.
Criminals employ people in their ranks to find the weak links in the card payment value chain. Potgieter says it is advisable for consumers and companies to recognise and accept that every point in the data aggregation process is potentially vulnerable.
She adds that because of the complications involved in investigating data theft, especially once the theft crosses our borders, and the clandestine nature of the crime, the anonymity and time delays mean that the criminals have long since moved on before they can be identified and apprehended. Credit cards are interoperable internationally, a feature which allows consumers to swipe their cards virtually anywhere in the world. This advantage is also the biggest disadvantage, since it makes credit card fraud more attractive to criminals, who can perpetrate these crimes anywhere in the world.
Vigilance and a strong dose of common sense remain the best weapons a consumer can employ against card fraud. Never accept help from anybody at the ATM and always cover the hand that types the PIN so that nobody can see it. Never let your card out of your sight and register for SMS notifications.
For online shopping, consumers must register for the 3-D Secure products offered by their bank, which provide an extra layer of security, as dynamic passwords will be required to complete online transactions.
© Technews Publishing (Pty) Ltd. All Rights Reserved.