Financial Activities

 

 

Book Review - Business Theft and Fraud: Detection and Prevention
https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx
2017-07-17T04:00:00Z
James R. Youngblood, CPP. Reviewed by Paul Barnard, CPP
<p><strong>Business Theft and Fraud: Detection and Prevention. CRC Press; crcpress.com; 338 pages; $79.95.</strong></p><p>More than two-thirds of employee theft cases occur in small business operations, and more than half of victimized businesses have fewer than 25 employees. These statistics, from <em>Business Theft and Fraud: Detection and Prevention</em>, help explain why even the smallest organizations need to know how to detect and prevent fraud and theft.<br><br>With experience in the military, law enforcement, and the private sector, and degrees in financial management and criminal justice, author James Youngblood, CPP, has the appropriate credentials to write a definitive book on the subject. He understands the differences between the operations of small and large businesses, and he offers techniques to thwart theft in all types of organizations.</p><p>For instance, background investigations for potential employees are important for all organizations. Small companies may be hindered from conducting adequate background investigations due to budgetary restrictions, time constraints, and reduced applicant pools. Large organizations have greater monetary resources for background checks, are able to distribute the workload until replacement help is acquired, and usually attract more applicants for various reasons.</p><p>In any case, the insider threat is a primary concern of the text. Other timely topics include the protection of brand integrity and brandjacking, the sale of bogus or counterfeit brand name merchandise, cybersecurity, technology-based fraud, data breaches, and ransomware.
Encompassing a breadth of information for those concerned with theft and fraud, this book explains such important concepts as how to identify sales underreporting, track sales by shifts, and educate employees to be aware of computer scams. Throughout the work the thread of internal theft and shrinkage is prevalent.</p><p>Some suggestions to enhance the utility and flow of the book include using a linear presentation of information for easier understanding. Chapters of only a few pages could be consolidated with other relevant chapters, and many sub-topics could be combined. For example, both chapters 4 and 5 deal with financial statements: consolidation of these might be more effective. While some sub-headings are presented as questions, others are statements, possibly creating some confusion. The explanatory endnotes might better be incorporated into the text, while a bibliography would help readers find further resources in some subject areas.</p><p>The overall visual presentation is professional with quality materials and clear typesetting. Two appendixes list organized retail crime associations and examples of phishing emails, and there is an extensive index. This book is recommended for security and business management professionals as well as loss prevention practitioners desiring a roadmap for the detection and prevention of business theft and fraud. It could also be used as a primary or supplemental textbook in college courses focusing on internal and external theft and fraud, as well as cyber issues.</p><p><em>Reviewer: Paul D. Barnard, CPP, CISM (Certified Information Security Manager), SFPC (Security Fundamentals Professional Certification), is an adjunct professor in loss prevention and security management programs. He has been a member of ASIS International since 1975.</em></p>

Financial Activities

 

 

https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx 2017-07-17T04:00:00Z Book Review - Business Theft and Fraud: Detection and Prevention
https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspx 2017-06-01T04:00:00Z Accesos bajo Control
https://sm.asisonline.org/Pages/Teller-Trouble.aspx 2017-03-01T05:00:00Z Teller Trouble
https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx 2017-01-01T05:00:00Z Access to Bank On
https://sm.asisonline.org/Pages/Access-Under-Control.aspx 2015-08-10T04:00:00Z Access Under Control
https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx 2014-12-02T05:00:00Z Diebold’s Responsive Banking Concept Enhances ATM Security and Service
https://sm.asisonline.org/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx 2014-08-14T04:00:00Z FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders
https://sm.asisonline.org/migration/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx 2014-08-14T04:00:00Z FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders
https://sm.asisonline.org/Pages/Banking-on-a-Security-Upgrade.aspx 2014-02-01T05:00:00Z Banking on a Security Upgrade
https://sm.asisonline.org/Pages/cybersecurity-money-laundering-are-top-threats-facing-financial-industry-2014-0013072.aspx 2014-01-07T05:00:00Z Cybersecurity, Money Laundering Are Top Threats Facing the Financial Industry in 2014
https://sm.asisonline.org/Pages/Virtual-Money-Real-Crime.aspx 2014-01-01T05:00:00Z Virtual Money, Real Crime
https://sm.asisonline.org/Pages/using-economics-fight-terrorists-0013004.aspx 2013-12-13T05:00:00Z Using Economics to Fight Terrorists
https://sm.asisonline.org/Pages/visa-discusses-efforts-prevent-fraudulent-transactions-0012832.aspx 2013-10-17T04:00:00Z Visa Discusses Efforts to Prevent Fraudulent Transactions
https://sm.asisonline.org/Pages/data-brokers-0012627.aspx 2013-08-01T04:00:00Z FTC Warns Data Brokers
https://sm.asisonline.org/migration/Pages/dunbar-digital-armor-announces-partnership-with-nasdaq-0012531.aspx 2013-06-13T04:00:00Z Dunbar Digital Armor Announces Partnership with NASDAQ
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-february-0012386.aspx 2013-05-01T04:00:00Z Top 10 Performing Security Industry Stocks for February
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-january-0012327.aspx 2013-04-01T04:00:00Z Top 10 Performing Security Industry Stocks for January
https://sm.asisonline.org/Pages/Banking-on-Security.aspx 2013-03-01T05:00:00Z Banking on Security
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-december-0012009.aspx 2013-03-01T05:00:00Z Top 10 Performing Security Industry Stocks for December
https://sm.asisonline.org/Pages/presidio-combats-fraud-with-ironkey-0011372.aspx 2013-01-01T05:00:00Z Presidio Combats Fraud with IronKey

 You May Also Like...

 

 

Diebold’s Responsive Banking Concept Enhances ATM Security and Service
https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx
<p>Diebold has fielded an array of new technologies and capabilities in what the company describes as a branch transformation solution. The solution, unveiled at last month's Money 20/20 conference in Las Vegas, consists of an ATM that weaves together innovations in security, design, technology, user experience research, and feedback from financial institutions. Diebold describes the result as four distinct "experience zones" designed to blur the lines between face-to-face, online, and mobile banking. Security technologies such as IP video, privacy glass, and directional audio are key factors in the solution.</p><p>Customers are initially greeted with video tower walls designed to attract passersby with dynamic content management. The kiosks use near-field communication, proximity sensors, and motion detection to securely identify customers. Cardless transactions are authenticated by smart phones that then become the primary user interface for the banking transaction. Those without smart phones can still use 19-inch touch monitors fitted with a privacy filter that limits the visibility of sensitive information. A smaller secondary touch screen on a lower work surface provides an even greater degree of privacy and accommodates customers with accessibility requirements.</p><p>Customers unfamiliar with the service or who have more complex transactions are able to bring up additional assistance in the form of an "intelligent" avatar that uses natural language recognition to interact with the customer and handle more advanced tasks. Customers are also able to connect through two-way video with remote financial advisors who can provide the personal consulting previously only available in a branch location.
</p><p>The responsive banking concept is intended for high-traffic areas such as transportation hubs, shopping centers, and retail locations. Another use case in the financial sector is branch lobbies, affording customers more accustomed to banking in a branch an opportunity to have bank staff assist as needed and facilitate the transition.</p><p>"All of our customers are engaged in branch transformation projects aimed at transforming their branch networks to be more cost effective while better promoting their products and services," says Devon Watson, Vice President of New Business & Solution Incubation for Diebold. For such in-lobby uses, Diebold offers an app from which bank staff can monitor operations such as cash levels and assist customers whose transactions are taking longer than average.</p>
Access Under Control
https://sm.asisonline.org/Pages/Access-Under-Control.aspx
<p><span style="line-height:1.5em;">Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016. </span></p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when. They decide where to install readers and decide how to process visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states. In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems.</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data.
The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require healthcare and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data.</p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate.</p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data?</p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users–and establishing credentials for which each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established.
</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID. There are employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employees and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated.</p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to one person who is responsible for ensuring that their temporary cards are accounted for.</p><h4>Space</h4><p>BB&T has established criteria and definitions of the physical space in its environment and categorizes space into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites.
Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings, meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and access report reviews. If all readers for critical space to a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed.</p><p>However, in some cases, minimizing groupings may not be possible. For example, one group of users may be allowed into the IT area but only a subset of that group has access to the server room that resides within the lab. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space.
For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this could create a problem since each of the three individual readers belongs to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, rather than producing a report of the communications room reader group, an additional report of the group of all three readers would need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete. It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space.
Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged and would require a higher level of scrutiny before access is removed. Nonetheless, this is a cleaner way to set up access levels and ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. Thus there will be fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best to determine whether active cardholders in the system still work for the company. Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards.</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals–not more than quarterly.
An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and to support the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request.</p><h4>Automation</h4><p>BB&T is working to upgrade the automation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system where approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.
</p><p>These efforts may seem daunting, but once the standards are set and the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.</p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T, where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>
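The reporting gap caused by overlapping reader groupings and the clean-up match on network login ID, both described in the article above, worked through as an added Python example (not from the article or from BB&T's systems). The reader, grouping, card and login names, the dates, and the 183-day idle window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: every reader, grouping, card and login is hypothetical.
READER_CATEGORY = {
    "front_door": "general",
    "back_door": "general",
    "comms_room": "critical",
}
GROUPINGS = {
    "grouping_1": {"front_door", "back_door"},
    "grouping_2": {"comms_room"},
    "grouping_3": {"front_door", "back_door", "comms_room"},  # overarching
}
# One record per card. "login" is the network login ID, or None for vendor,
# tenant and temporary cards that have no company login.
CARDS = {
    "C100": {"login": "asmith", "groupings": {"grouping_1"}, "last_used": date(2015, 7, 30)},
    "C101": {"login": "bjones", "groupings": {"grouping_2"}, "last_used": date(2015, 7, 29)},
    "C102": {"login": "cnguyen", "groupings": {"grouping_3"}, "last_used": date(2015, 7, 28)},
    "C103": {"login": "dlee", "groupings": {"grouping_1"}, "last_used": date(2014, 11, 2)},
    "C104": {"login": "epatel", "groupings": {"grouping_2"}, "last_used": date(2015, 7, 1)},
    "C105": {"login": None, "groupings": {"grouping_1"}, "last_used": date(2015, 7, 15)},
}
# Active login IDs as exported from the IT security database (constructed).
ACTIVE_LOGINS = {"asmith", "bjones", "cnguyen", "dlee"}


def grouping_report(grouping):
    """Cards assigned to one grouping: the report a reviewer usually pulls."""
    return {cid for cid, card in CARDS.items() if grouping in card["groupings"]}


def reader_report(reader):
    """Cards that can open a reader through ANY grouping that contains it."""
    return {
        cid for cid, card in CARDS.items()
        if any(reader in GROUPINGS[g] for g in card["groupings"])
    }


def missed_by_grouping_report(reader, grouping):
    """Cards with access to the reader that the single-grouping report omits."""
    return reader_report(reader) - grouping_report(grouping)


def overlap_violations():
    """Critical or restricted readers that belong to more than one grouping."""
    violations = {}
    for reader, category in READER_CATEGORY.items():
        if category == "general":
            continue
        member_of = sorted(g for g, readers in GROUPINGS.items() if reader in readers)
        if len(member_of) > 1:
            violations[reader] = member_of
    return violations


def cleanup_plan(today, idle_days=183):
    """Sort cards into the article's clean-up buckets.

    Idle cards are deactivated first; of the rest, cards without a login go
    to a sponsor for review and cards whose login has no match are terminated.
    """
    cutoff = today - timedelta(days=idle_days)
    plan = {"deactivate_idle": set(), "terminate_unmatched": set(), "sponsor_review": set()}
    for cid, card in CARDS.items():
        if card["last_used"] < cutoff:
            plan["deactivate_idle"].add(cid)
        elif card["login"] is None:
            plan["sponsor_review"].add(cid)
        elif card["login"] not in ACTIVE_LOGINS:
            plan["terminate_unmatched"].add(cid)
    return plan


if __name__ == "__main__":
    print("grouping_2 report:", sorted(grouping_report("grouping_2")))
    print("comms_room reader report:", sorted(reader_report("comms_room")))
    print("missed by grouping_2 report:",
          sorted(missed_by_grouping_report("comms_room", "grouping_2")))
    print("overlap violations:", overlap_violations())
    print("clean-up plan:", cleanup_plan(date(2015, 8, 10)))
```
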
Banking on Security
https://sm.asisonline.org/Pages/Banking-on-Security.aspx
<p>WHEN BANKS ARE ROBBED, the perpetrators are not always toting guns and wearing ski masks. Financial institutions can also fall victim to other types of theft, from high-tech ATM skimming to old-fashioned check kiting. Following are the stories of two financial institutions that are using technology to stop these types of incidents.</p><p>Dime Savings Bank<br>In 2011, two thieves stole $1.8 million from 1,400 customer accounts at banks in New York City. They committed their crimes by placing a special type of electronic skimming device on an ATM. Users swiped their bank cards into the device because they thought it was part of the ATM. The device then recorded—or skimmed off—each card’s magnetic stripe information. The scheme also included the use of a hidden camera installed near the ATM to record the PIN numbers that customers entered with their cards. The thieves later retrieved the device, and using that information along with the camera footage, they created duplicate counterfeit bank cards.</p><p>Chief Security Officer Steve Varriale of Dime Savings Bank in Brooklyn, New York, says that even though his bank was not among the victims of this incident, the attack on a nearby bank and the general sense that there has been an increase in skimming thefts convinced him to seek out a solution.</p><p>Skimming has grown dramatically over the past several years. It’s no surprise that thieves are attracted to this type of crime. It can be hard to catch the perpetrators, and it can be very lucrative in a short time frame. Varriale explains that a thief will put a skimming device on an ATM on a Friday and capture information all weekend. Then, the thief will come back to the ATM and remove the device on Sunday. 
The bank, meanwhile, is unaware that anything has happened.</p><p>With fraudulent bank cards in hand, the thieves move to a new location and start withdrawing the maximum amount of money allowed in withdrawals. The thieves usually start after 11:30 p.m., explains Varriale. Because, for most banks, midnight is the start of another day, the thieves can then begin withdrawing the daily limit again at midnight. “Because of this method, even one event can cost a lot of money,” he says.</p><p>Dime Savings, which was established in 1864, has 26 branches located primarily in New York City and in nearby Nassau County, New York. The bank has a little over $4 billion in assets, and $2 billion in deposits.</p><p>Each Dime Savings branch has at least one ATM. Most ATMs in the city limits are located in the outer lobby of the branch, while branches in suburban areas are more likely to have drive-up ATMs.</p><p>Even before the concern over skimming, the bank had some security for ATMs. During bank hours, the external doors are open. But after hours, the lobby doors are only accessible by a debit or credit card. “The lobby puts in that extra step of a door access requirement,” according to Varriale.</p><p>The bank follows state lighting and signage requirements for ATMs. Dime Savings also equips the ATMs with an integrated camera and alarm system. All of the cameras and alarms are monitored remotely by a third party. The video is primarily for after-action response and investigations. However, if an alarm is triggered, the corresponding camera will be viewed by the monitoring company.</p><p>In addition to physical alarms on perimeter doors and on the ATM to detect break-ins, the bank has seismic alarms that alert if the ATM is moved and heat alarms that are triggered if someone is trying to burn their way in. </p><p>Despite these security precautions, skimming incidents remained a threat. “There wasn’t much of a solution to skimming,” says Varriale. 
“You could put an armed guard in every location. But that’s not a good solution.” </p><p>Varriale explains that the primary purpose of the existing ATM cameras is to capture the person using the ATM. This focus means that the camera is trained directly at the person’s face. The camera does not record what the person is doing on the machine.</p><p>Other cameras cover the lobby. But when people are using the ATM, they have their backs to the lobby cameras. “Those tampering with the ATM could easily look like they are making a transaction,” he says. “It is difficult to see whether they are doing anything illegal.”</p><p>While attending a conference in 2011, Varriale saw a demonstration of the Tyco Anti-Skim ATM Security Solution. “Once I found out how it worked, I immediately went back to the bank with a proposal to implement,” he says. </p><p>The antiskimming device is placed inside the ATM and is not detectable from the outside. This means that would-be skimmers will not be able to detect the device nor will they be able to disable the unit.</p><p>The security device works by sensing when the card reader—where a thief would place a skimming unit—has been covered. Once the card reader is covered for more than 30 seconds, the device emits a magnetic pulse rendering the skimming device inoperable and disabling any financial transaction. If the skimming device is taken off, after a certain period of time, the ATM will come back into use. For example, if a customer accidentally puts his or her hand over the card reader for 30 seconds, the antiskimming device will disable the machine. When that person moves, the device will, within a certain time frame, allow the ATM to work again.</p><p>The device provides banks with the option of disabling the antiskimming device but allowing financial transactions to continue. Varriale decided not to go that route. “We want nothing to work. 
This device will scramble all the information, so the skimming device will not capture the mag stripe information but the real card reader will also not capture information, and the user will not be able to complete the transaction,” Varriale explains. </p><p>Some banks, notes Varriale, may not like the idea of inconveniencing customers, but Dime Savings decided that allowing the transactions to go through wasn’t worth the risk. “We use the device in the way it protects the customers the most.”</p><p>When the antiskimming device is triggered, a silent alarm goes to Tyco, which monitors the alarm. Though Varriale could be notified as well, he chose not to be alerted when an antiskimming alarm goes off. “We can research after the fact,” he says. “Since no customer accounts can be compromised, there is no need for me to be notified.”</p><p>The antiskimming device project had two phases. Phase one was to determine which ATM locations were most likely to be a target. This took place over the latter part of 2011 through early 2012. This step involved conducting a risk assessment on the ATM locations.</p><p>First, the bank listed the ATMs according to level of activity. Then, Varriale began researching the locations of the busiest ATMs. Varriale looked at both lobby and street ATMs to see which ones were placed so that someone could easily put a skimming device on a machine and then take it off at a later time. For example, some of the ATMs were too active for skimming devices. “Some places had so much traffic that a bad guy wouldn’t have time to activate and deactivate a device,” he explains.</p><p>Other locations were eliminated because of existing security measures. “We do have a few ATMs at a local racetrack. These are guarded 24 hours a day so they were excluded,” says Varriale.</p><p>From the list of ATMs that could be targeted, Varriale picked the ones that would give the bad guys the most hits. 
These ATMs—Varriale did not want to disclose the exact number—were equipped with the antiskimming devices.</p><p>The final installation was finished in October 2012. And while the bank has yet to experience an incident, Varriale is fine with that. “We feel better knowing that our customers are protected, and they can have confidence using our ATMs,” he says. “We don’t want to be the one in the newspaper who is having the problem.”</p><p>Denali Alaskan Credit Union <br>Denali Alaskan Federal Credit Union in Anchorage, Alaska, has 18 branches and two back office sites spread out over six Alaskan cities. When Security Director Kirby Milham began working at Denali, the bank had 300 analog surveillance cameras to protect its branches and its 44 ATMs. While those cameras may have been state of the art when installed, their performance had become less than optimal.</p><p>“Video was choppy and grainy,” notes Milham. Also, storage was inadequate, and the system could not be expanded; moreover, the system was slow when it came to retrieving images. “It took several hours to do a single search for a transaction,” he says.</p><p>Milham began doing research into new video systems. His concerns in terms of the threats he sought to reduce were more traditional bank crimes than ATM skimming. Based on the bank’s needs and what the systems had to offer, he was able to narrow the field to four products. Those four vendors were asked to come out to Denali and demonstrate their products.</p><p>With this information in hand, Milham hit the Internet. “I did my research on each product online to see what other users’ comments were,” Milham says. While he didn’t give much weight to any one person’s comments, he took note when he read “the same thing about a product over and over again. 
This helped us anticipate problems as well as look closely at a singular feature that others praised.”</p><p>Milham chose the VIP S-Series by 3VR based on its performance and positive comments about its search capabilities. The VIP S-Series network video recorders come paired with the company’s VIMS 7.x video management software. “We were really impressed with the overall performance of the product,” he says. “We can adjust the system depending on what quality of video we need.” In addition, Milham notes that the system had the search, storage, and scalability capabilities that he sought.</p><p>Searching through video footage when something needs to be investigated is a primary part of Milham’s job. Branch managers or members of the risk management department might ask Milham to investigate an ATM transaction or video of a customer suspected of passing a bad check, for example. He has been pleased with how easy it is to pull out video and export it for evidentiary purposes. “In the old system, it required more steps, and it took a lot longer,” he says.</p><p>That makes a big difference because Milham might be asked to conduct as many as three searches in one day. “With the new system, that takes me 30 minutes now. But it would have taken many hours with the old equipment,” he says. “The time savings is a big deal.”</p><p>Not surprisingly for a bank, the incidents that Milham is typically asked to research relate mostly to financial crimes, but the parking lot cameras do capture other types of incidents, such as minor traffic accidents and customers who have fallen and injured themselves. Those images can help the bank clarify what actually happened. In other cases, they might help the institution defend itself against liability claims if someone says they fell but did not, for example.</p><p>Milham tests the cameras in the system once a week to confirm that everything is working properly. 
Cameras are not monitored live but video is stored in case it needs to be reviewed.</p><p>The old system could only hold 60 days’ worth of video. The new system stores video for up to a year. Long-term retention of video is especially important to financial institutions like Milham’s employer because they often have to deal with repeat offenders, such as check kiters.</p><p>With the old system, the credit union wasn’t able to retain the video long enough for investigations. “When I had a major incident with a serial abuser, sometimes the footage of prior events would be gone,” he explains. “Now, I have access to video that I previously wouldn’t have had.”</p><p>As a part of the upgrade, the bank is also moving from analog to digital cameras. The new digital cameras are being phased in. Thus far, Denali has replaced approximately 100 of its cameras. It plans to replace all of them and add new ones where necessary. “We are changing over more every day,” says Milham. “As fast as the old ones die, we are replacing them.”</p><p>The number of cameras can also be easily expanded. Milham recently purchased eight additional IP cameras and integrated those on a 3VR unit that already held 32 existing analog cameras. “Before, I would have had to buy more equipment to expand the number of cameras,” he says.</p><p>Tech support has also been more than satisfactory. One of the first units 3VR delivered didn’t work as anticipated. “Tech support came out and worked for some time,” says Milham. “It turned out to be a software glitch but I got unlimited support until the issue was resolved.”</p><p>In the future, Milham plans to purchase 3VR’s facial recognition cameras for use on perimeter doors. By identifying known forgers, for example, Milham hopes to stop a crime before it happens. Similarly, plans are underway to subscribe to 3VR’s CrimeDex program. CrimeDex is a searchable international database of white collar crime incidents and perpetrators. 
The network is free to law enforcement agencies and available to private companies for an annual fee.</p><p>Teresa Anderson is senior editor at Security Management.<br></p>