27-11draft

Cards
connected at work:
Pictured: Michael Graham
of Wells Fargo speaking
to the ATM and cyber
security conference at
the Park Plaza Victoria
in central London last
month
Photo by Mark Rowe
Badge challenge
People should be
challenged for not
wearing an ID badge
(at a workplace where
they are required to),
the consultant Aidan
Anderson told Consec,
the annual conference
of the Association of
Security consultants,
last month. He admitted
that’s ‘incredibly difficult’;
and the larger the
organisation and the
smaller the security
team, the more difficult
it becomes. The former
British Army man
was speaking on the
importance of controls
and processes for
‘protection against
diverse threats’, and
to turn information into
intelligence. “I have to
say the security industry
as a whole, from people
I have spoken to, are not
there yet.” p
36
IDs as backbone
for smart
buildings
Trusted identities can serve as the
backbone for smart buildings and
a connected workforce, according
to a recent study by IFSEC Global,
sponsored by manufacturer HID.
Such a system can connect disparate
systems for monitoring and a better
user experience as people enter and
move around. The study found most
access control systems are already
integrated with other buildings
systems, such as heating. And most of
those surveyed believe that having all
on one ID card or mobile device will
provide operational efficiencies.
Progression
Sue Woodcock, Sales and Marketing
Manager at Essentra Security said
they have seen the same progression
in smart card applications. “The
changes can be seen in traditional
verticals such as education and
government, where demand for a
‘one card, multi-application’ solution
to meet campus security, student
and staff ID that supports the battle
against fraud and unauthorised
access, sits alongside a growing need
for a multi-purpose card to provide
services such as cashless vending,
transport or copying services. The
development of mobile credentials,
sit alongside multi-application smart
cards, adding value to the market
as the technology develops, most
users are seeing the benefit of using
both technologies, visible ID and
the convenience of smart phone
technology. Other sectors that are
leading the technology curve for
smart cards are in the banking and
finance and retail markets as the
demand increases for high security
smart credentials for securing access
to facilities and IT resources. There
has been significant growth in the
area of our business relating to smart
card credentials and as a complete
ID solutions provider, we enable
companies to identify and secure
their employees, students or assets
through smart card and card printing
technologies.” p
NOVEMBER 2017 PROFESSIONAL SECURITY
Six thousand branches; 13,000
cashpoint machines, or ATMs; but
there can be no taking of short-cuts
in delivering ‘new toys’ to customers,
a speaker told an ATM and cyber
security conference in London.
He was Michael Graham, head
of ATM and branch hardware
strategy at Wells Fargo. In
banking for 25 years, he was asked
in 2015 to take on ATM hardware
at the North American bank. More
customers are using their mobile
phones as ‘wallets’; in other words,
going card-free. But he reported that
customers even with smartphones are
still using bank branches. As another
speaker at the London event pointed
out, at least with the ATM, the owner
of it has physical control over its
security; not so with the customer’s
phone. An app, that 20m customers
have, and authentication of the user
with a one-time pass-code gives
access to the ATM, for withdrawing
of cash, without using a card. That
does mean that ‘skimmers’, devices
attached to cashpoints to steal data,
are ineffectual, Michael pointed out.
Speed to market
On the balance between security, and
user convenience, he stressed that
‘speed to market’ is important, but
so too is security embedded in the
design, from concept to production.
He recalled that the bank began
thinking of use of NFC (near field
communication) and those one-time
pass-codes in 2014. The project
Readers and mobiles
More smart card readers are
becoming mobile capable by
default as manufacturers add NFC
mobile communication, often at no
extra cost to the user, according to
market research firm IHS Markit.
Access control firms are adding
was risk-reviewed, several times, in
terms of fraud, information security,
customer expectation and bank
reputation. “We wanted to make sure
we had all angles covered, from a
risk perspective.” And the bank tested
processes, ‘again and again’. The
bank had and has hacking teams on
retainers, to test code. The passcode
of eight digits expires after 30
minutes; and at the ATM the customer
also has to enter their four-digit
personal number. Michael offered
some advice for other such project
managers: “Hold fast to your appetite
for risk.” Patching is still important;
and hunt down your weak links. And
‘ethical hacking’ is imperative. He
admitted that it can be hard on the
code-writers, to have their products
tested, from before proof of concept
to going live. He also made the case
for making the banking industry safe
and secure, against card skimming
for example; the industry should
continue to look for products for
universal adoption. He agreed that
banks had more to do on security. As
bank jobs change, from the traditional
teller behind a counter to ‘hybrid’
jobs, how to inform those staff
about security threats? And how to
educate the customers about risk? A
question from the floor asked about
where the balance lies between the
institution, and the customer, having
responsibility for security? That was
asked also of the opening speaker
at the London Fraud Forum, two
days later, City of London Police
Commissioner. He was (as he said)
careful in his reply, but spoke at
length - a sign that it’s unresolved. p
Bluetooth modules. These are not
competing against physical cards,
but are marketed as an add to
traditional products. Building sites
with contractors, and universities
and hotels that have to replace lost
cards, are most likely to go mobile
credential-only, IHS suggests. p
www.professionalsecurity.co.uk
p36 Cards 27-11.indd 1 14/10/2017 11:04