27-11draft
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Cards<br />
connected at work:<br />
Pictured: Michael Graham<br />
of Wells Fargo speaking<br />
to the ATM and cyber<br />
security conference at<br />
the Park Plaza Victoria<br />
in central London last<br />
month<br />
Photo by Mark Rowe<br />
Badge challenge<br />
People should be<br />
challenged for not<br />
wearing an ID badge<br />
(at a workplace where<br />
they are required to),<br />
the consultant Aidan<br />
Anderson told Consec,<br />
the annual conference<br />
of the Association of<br />
Security consultants,<br />
last month. He admitted<br />
that’s ‘incredibly difficult’;<br />
and the larger the<br />
organisation and the<br />
smaller the security<br />
team, the more difficult<br />
it becomes. The former<br />
British Army man<br />
was speaking on the<br />
importance of controls<br />
and processes for<br />
‘protection against<br />
diverse threats’, and<br />
to turn information into<br />
intelligence. “I have to<br />
say the security industry<br />
as a whole, from people<br />
I have spoken to, are not<br />
there yet.” p<br />
36<br />
IDs as backbone<br />
for smart<br />
buildings<br />
Trusted identities can serve as the<br />
backbone for smart buildings and<br />
a connected workforce, according<br />
to a recent study by IFSEC Global,<br />
sponsored by manufacturer HID.<br />
Such a system can connect disparate<br />
systems for monitoring and a better<br />
user experience as people enter and<br />
move around. The study found most<br />
access control systems are already<br />
integrated with other buildings<br />
systems, such as heating. And most of<br />
those surveyed believe that having all<br />
on one ID card or mobile device will<br />
provide operational efficiencies.<br />
Progression<br />
Sue Woodcock, Sales and Marketing<br />
Manager at Essentra Security said<br />
they have seen the same progression<br />
in smart card applications. “The<br />
changes can be seen in traditional<br />
verticals such as education and<br />
government, where demand for a<br />
‘one card, multi-application’ solution<br />
to meet campus security, student<br />
and staff ID that supports the battle<br />
against fraud and unauthorised<br />
access, sits alongside a growing need<br />
for a multi-purpose card to provide<br />
services such as cashless vending,<br />
transport or copying services. The<br />
development of mobile credentials,<br />
sit alongside multi-application smart<br />
cards, adding value to the market<br />
as the technology develops, most<br />
users are seeing the benefit of using<br />
both technologies, visible ID and<br />
the convenience of smart phone<br />
technology. Other sectors that are<br />
leading the technology curve for<br />
smart cards are in the banking and<br />
finance and retail markets as the<br />
demand increases for high security<br />
smart credentials for securing access<br />
to facilities and IT resources. There<br />
has been significant growth in the<br />
area of our business relating to smart<br />
card credentials and as a complete<br />
ID solutions provider, we enable<br />
companies to identify and secure<br />
their employees, students or assets<br />
through smart card and card printing<br />
technologies.” p<br />
NOVEMBER 2017 PROFESSIONAL SECURITY<br />
Six thousand branches; 13,000<br />
cashpoint machines, or ATMs; but<br />
there can be no taking of short-cuts<br />
in delivering ‘new toys’ to customers,<br />
a speaker told an ATM and cyber<br />
security conference in London.<br />
He was Michael Graham, head<br />
of ATM and branch hardware<br />
strategy at Wells Fargo. In<br />
banking for 25 years, he was asked<br />
in 2015 to take on ATM hardware<br />
at the North American bank. More<br />
customers are using their mobile<br />
phones as ‘wallets’; in other words,<br />
going card-free. But he reported that<br />
customers even with smartphones are<br />
still using bank branches. As another<br />
speaker at the London event pointed<br />
out, at least with the ATM, the owner<br />
of it has physical control over its<br />
security; not so with the customer’s<br />
phone. An app, that 20m customers<br />
have, and authentication of the user<br />
with a one-time pass-code gives<br />
access to the ATM, for withdrawing<br />
of cash, without using a card. That<br />
does mean that ‘skimmers’, devices<br />
attached to cashpoints to steal data,<br />
are ineffectual, Michael pointed out.<br />
Speed to market<br />
On the balance between security, and<br />
user convenience, he stressed that<br />
‘speed to market’ is important, but<br />
so too is security embedded in the<br />
design, from concept to production.<br />
He recalled that the bank began<br />
thinking of use of NFC (near field<br />
communication) and those one-time<br />
pass-codes in 2014. The project<br />
Readers and mobiles<br />
More smart card readers are<br />
becoming mobile capable by<br />
default as manufacturers add NFC<br />
mobile communication, often at no<br />
extra cost to the user, according to<br />
market research firm IHS Markit.<br />
Access control firms are adding<br />
was risk-reviewed, several times, in<br />
terms of fraud, information security,<br />
customer expectation and bank<br />
reputation. “We wanted to make sure<br />
we had all angles covered, from a<br />
risk perspective.” And the bank tested<br />
processes, ‘again and again’. The<br />
bank had and has hacking teams on<br />
retainers, to test code. The passcode<br />
of eight digits expires after 30<br />
minutes; and at the ATM the customer<br />
also has to enter their four-digit<br />
personal number. Michael offered<br />
some advice for other such project<br />
managers: “Hold fast to your appetite<br />
for risk.” Patching is still important;<br />
and hunt down your weak links. And<br />
‘ethical hacking’ is imperative. He<br />
admitted that it can be hard on the<br />
code-writers, to have their products<br />
tested, from before proof of concept<br />
to going live. He also made the case<br />
for making the banking industry safe<br />
and secure, against card skimming<br />
for example; the industry should<br />
continue to look for products for<br />
universal adoption. He agreed that<br />
banks had more to do on security. As<br />
bank jobs change, from the traditional<br />
teller behind a counter to ‘hybrid’<br />
jobs, how to inform those staff<br />
about security threats? And how to<br />
educate the customers about risk? A<br />
question from the floor asked about<br />
where the balance lies between the<br />
institution, and the customer, having<br />
responsibility for security? That was<br />
asked also of the opening speaker<br />
at the London Fraud Forum, two<br />
days later, City of London Police<br />
Commissioner. He was (as he said)<br />
careful in his reply, but spoke at<br />
length - a sign that it’s unresolved. p<br />
Bluetooth modules. These are not<br />
competing against physical cards,<br />
but are marketed as an add to<br />
traditional products. Building sites<br />
with contractors, and universities<br />
and hotels that have to replace lost<br />
cards, are most likely to go mobile<br />
credential-only, IHS suggests. p<br />
www.professionalsecurity.co.uk<br />
p36 Cards <strong>27</strong>-11.indd 1 14/10/2017 11:04