Banking on Security
Print Issue: March 2013
WHEN BANKS ARE ROBBED, the perpetrators are not always toting guns and wearing ski masks. Financial institutions can also fall victim to other types of theft, from high-tech ATM skimming to old fashioned check kiting. Following are the stories of two financial institutions that are using technology to stop these types of incidents.
Dime Savings Bank
In 2011, two thieves stole $1.8 million from 1,400 customer accounts at banks in New York City. They committed their crimes by placing a special type of electronic skimming device on an ATM. Users swiped their bank cards into the device because they thought it was part of the ATM. The device then recorded—or skimmed off—each card’s magnetic stripe information. The scheme also included the use of a hidden camera installed near the ATM to record the PIN numbers that customers entered with their cards. The thieves later retrieved the device, and using that information along with the camera footage, they created duplicate counterfeit bank cards.
Chief Security Officer Steve Varriale of Dime Savings Bank in Brooklyn, New York, says that even though his bank was not among the victims of this incident, the attack on a nearby bank and the general sense that there has been an increase in skimming thefts convinced him to seek out a solution.
Skimming has grown dramatically over the past several years. It’s no surprise that thieves are attracted to this type of crime. It can be hard to catch the perpetrators, and it can be very lucrative in a short time frame. Varriale explains that a thief will put a skimming device on an ATM on a Friday and capture information all weekend. Then, the thief will come back to the ATM and remove the device on Sunday. The bank, meanwhile, is unaware that anything has happened.
With fraudulent bank cards in hand, the thieves move to a new location and start withdrawing the maximum amount of money allowed in withdrawals. The thieves usually start after 11:30 p.m., explains Varriale. Because, for most banks, midnight is the start of another day, the thieves can then begin withdrawing the daily limit again at midnight. “Because of this method, even one event can cost a lot of money,” he says.
Dime Savings, which was established in 1864, has 26 branches located primarily in New York City and in nearby Nassau County, New York. The bank has a little over $4 billion in assets, and $2 billion in deposits.
Each Dime Savings branch has at least one ATM. Most ATMs in the city limits are located in the outer lobby of the branch, while branches in suburban areas are more likely to have drive-up ATMs.
Even before the concern over skimming, the bank had some security for ATMs. During bank hours, the external doors are open. But after hours, the lobby doors are only accessible by a debit or credit card. “The lobby puts in that extra step of a door access requirement,” according to Varriale.
The bank follows state lighting and signage requirements for ATMs. Dime Savings also equips the ATMs with an integrated camera and alarm system. All of the cameras and alarms are monitored remotely by a third party. The video is primarily for after-action response and investigations. However, if an alarm is triggered, the corresponding camera will be viewed by the monitoring company.
In addition to physical alarms on perimeter doors and on the ATM to detect break-ins, the bank has seismic alarms that alert if the ATM is moved and heat alarms that are triggered if someone is trying to burn their way in.
Despite these security precautions, skimming incidents remained a threat. “There wasn’t much of a solution to skimming,” says Varriale. “You could put an armed guard in every location. But that’s not a good solution.”
Varriale explains that the primary purpose of the existing ATM cameras is to capture the person using the ATM. This focus means that the camera is trained directly at the person’s face. The camera does not record what the person is doing on the machine.
Other cameras cover the lobby. But when people are using the ATM, they have their backs to the lobby cameras. “Those tampering with the ATM could easily look like they are making a transaction,” he says. “It is difficult to see whether they are doing anything illegal.”
While attending a conference in 2011, Varriale saw a demonstration of the Tyco Anti-Skim ATM Security Solution. “Once I found out how it worked, I immediately went back to the bank with a proposal to implement,” he says.
The antiskimming device is placed inside the ATM and is not detectable from the outside. This means that would-be skimmers will not be able to detect the device nor will they be able to disable the unit.
The security device works by sensing when the card reader—where a thief would place a skimming unit—has been covered. Once the card reader is covered for more than 30 seconds, the device emits a magnetic pulse rendering the skimming device inoperable and disabling any financial transaction. If the skimming device is taken off, after a certain period of time, the ATM will come back into use. For example, if a customer accidentally puts his or her hand over the card reader for 30 seconds, the antiskimming device will disable the machine. When that person moves, the device will, within a certain time frame, allow the ATM to work again.
The device provides banks with the option of disabling the antiskimming device but allowing financial transactions to continue. Varriale decided not to go that route. “We want nothing to work. This device will scramble all the information, so the skimming device will not capture the mag stripe information but the real card reader will also not capture information, and the user will not be able to complete the transaction,” Varriale explains.
Some banks, notes Varriale, may not like the idea of inconveniencing customers, but Dime Savings decided that allowing the transactions to go through wasn’t worth the risk. “We use the device in the way it protects the customers the most.”
When the antiskimming device is triggered, a silent alarm goes to Tyco, which monitors the alarm. Though Varriale could be notified as well, he chose not to be alerted when an antiskimming alarm goes off. “We can research after the fact,” he says. “Since no customer accounts can be compromised, there is no need for me to be notified.”
The antiskimming device project had two phases. Phase one was to determine which ATM locations were most likely to be a target. This took place over the latter part of 2011 through early 2012. This step involved conducting a risk assessment on the ATM locations.
First, the bank listed the ATMs according to level of activity. Then, Varriale began researching the locations of the busiest ATMs. Varriale looked at both lobby and street ATMs to see which ones were placed so that someone could easily put a skimming device on a machine and then take it off at a later time. For example, some of the ATMs were too active for skimming devices. “Some places had so much traffic that a bad guy wouldn’t have time to activate and deactivate a device,” he explains.
Other locations were eliminated because of existing security measures. “We do have a few ATMs at a local racetrack. These are guarded 24 hours a day so they were excluded,” says Varriale.
From the list of ATMs that could be targeted, Varriale picked the ones that would give the bad guys the most hits. These ATMs—Varriale did not want to disclose the exact number—were equipped with the antiskimming devices.
The final installation was finished in October 2012. And while the bank has yet to experience an incident, Varriale is fine with that. “We feel better knowing that our customers are protected, and they can have confidence using our ATMs,” he says. “We don’t want to be the one in the newspaper who is having the problem.”
Denali Alaskan Credit Union
Denali Alaskan Federal Credit Union in Anchorage, Alaska, has 18 branches and two back office sites spread out over six Alaskan cities. When Security Director Kirby Milham began working at Denali, the bank had 300 analog surveillance cameras to protect its branches and its 44 ATMs. While those cameras may have been state of the art when installed, their performance had become less than optimal.
“Video was choppy and grainy,” notes Milham. Also, storage was inadequate, and the system could not be expanded; moreover, the system was slow when it came to retrieving images. “It took several hours to do a single search for a transaction,” he says.
Milham began doing research into new video systems. His concerns in terms of the threats he sought to reduce were more traditional bank crimes than ATM skimming. Based on the bank’s needs and what the systems had to offer, he was able to narrow the field to four products. Those four vendors were asked to come out to Denali and demonstrate their products.
With this information in hand, Milham hit the Internet. “I did my research on each product online to see what other users’ comments were,” Milham says. While he didn’t give much weight to any one person’s comments, he took note when he read “the same thing about a product over and over again. This helped us anticipate problems as well as look closely at a singular feature that others praised.”
Milham chose the VIP S-Series by 3VR based on its performance and positive comments about its search capabilities. The VIP S-Series network video recorders come paired with the company’s VIMS 7.x video management software. “We were really impressed with the overall performance of the product,” he says. “We can adjust the system depending on what quality of video we need.” In addition, Milham notes that the system had the search, storage, and scalability capabilities that he sought.
Searching through video footage when something needs to be investigated is a primary part of Milham’s job. Branch managers or members of the risk management department might ask Milham to investigate an ATM transaction or video of a customer suspected of passing a bad check, for example. He has been pleased with how easy it is to pull out video and export it for evidentiary purposes. “In the old system, it required more steps, and it took a lot longer,” he says.
That makes a big difference because Milham might be asked to conduct as many as three searches in one day. “With the new system, that takes me 30 minutes now. But it would have taken many hours with the old equipment,” he says. “The time savings is a big deal.”
Not surprisingly for a bank, the incidents that Milham is typically asked to research relate mostly to financial crimes, but the parking lot cameras do capture other types of incidents, such as minor traffic accidents and customers who have fallen and injured themselves. Those images can help the bank clarify what actually happened. In other cases, they might help the institution defend itself against liability claims if someone says they fell but did not, for example.
Milham tests the cameras in the system once a week to confirm that everything is working properly. Cameras are not monitored live but video is stored in case it needs to be reviewed.
The old system could only hold 60 days’ worth of video. The new system stores video for up to a year. Long-term retention of video is especially important to financial institutions like Milham’s employer because they often have to deal with repeat offenders, such as check kiters.
With the old system, the credit union wasn’t able to retain the video long enough for investigations. “When I had a major incident with a serial abuser, sometimes the footage of prior events would be gone,” he explains. “Now, I have access to video that I previously wouldn’t have had.”
As a part of the upgrade, the bank is also moving from analog to digital cameras. The new digital cameras are being phased in. Thus far, Denali has replaced approximately 100 of its cameras. It plans to replace all of them and add new ones where necessary. “We are changing over more every day,” says Milham. “As fast as the old ones die, we are replacing them.”
The number of cameras can also be easily expanded. Milham recently purchased eight additional IP cameras and integrated those on a 3VR unit that already held 32 existing analog cameras. “Before, I would have had to buy more equipment to expand the number of cameras,” he says.
Tech support has also been more than satisfactory. One of the first units 3VR delivered didn’t work as anticipated. “Tech support came out and worked for some time,” says Milham. “It turned out to be a software glitch but I got unlimited support until the issue was resolved.”
In the future, Milham plans to purchase 3VR’s facial recognition cameras for use on perimeter doors. By identifying known forgers, for example, Milham hopes to stop a crime before it happens. Similarly, plans are underway to subscribe to 3VR’s CrimeDex program. CrimeDex is a searchable international database of white collar crime incidents and perpetrators. The network is free to law enforcement agencies and available to private companies for an annual fee.