John Dillinger Never Had to Open an Account


Often I see environments where “Security” is a nebulous term that primarily focuses on the physical side of things (i.e., locking the vault and how to react in a robbery) and not so much on the informational side of things, like keeping customers’ private information secure. That in itself isn’t a bad thing; the best security posture for a financial institution should account for all aspects of securing that institution’s resources, including its data, monetary assets, and most importantly its people. Many times while looking for data classification policies I’ll stumble across the institution’s procedures and policies for handling robberies. I refer to them as “Old fashioned, Bonnie & Clyde, John Dillinger, hands up in the air, public enemy no. 1” type robberies, as opposed to “Operation Swordfish/Firewall/evil Russian h@x0r” stuff. They’re a good read, and it’s interesting to note the similarities from one client to the next. They usually include some or all of the following:

  1. Stay calm. (It will be over in a few seconds.)
  2. Do exactly as told by the robber, either by his/her words or actions. (Follow the instructions very carefully, but do not help the robber)
  3. Give exactly the amount demanded – include bait money. (Do not give more, as this may cause the robber to get scared or mad, thinking you are tricking him)
  4. Be polite, courteous and observant. (Remember what he says, does, where he stands and what he touches) Practice this procedure.
  5. Form a good mental picture of the robber. Visually identify him or her. If there is more than one robber, try to concentrate on the one nearest you.
  6. Utilize customer identification techniques. (Concentrate on his speech or mannerisms, etc.)
  7. Presume that the robber has a weapon, and that it is real.
  8. Retain evidence, such as a note.
  9. Activate the alarm and camera when it is safe to do so.
  10. Observe the direction of the escape, description of the get-away car, color of car, make of car, license number or plate.

All good stuff, and it’s included in almost every robbery procedures training I can imagine… with the exception of the Central Kansas Credit Union branch in Hutchinson, Kansas. According to the Hutchinson Kansas News, a robbery attempt was thwarted by the teller insisting that the potential robber could not receive any cash because she didn’t have an account with the credit union. It starts out like this: a woman enters a branch and demands money…

The teller at the window, however, decided she first should find out how much money the woman wanted. “When the employee questioned her how much, the subject replied ‘The entire contents of your drawer,’ ” South Hutchinson Police Chief Scott Jones said. Then, the teller asked if the woman had an active account at the credit union. The woman, described as white, in her mid-40s with brown hair and graying roots held in a ponytail, replied that she did not have an account. “The bank employee made it clear to the subject that the business could not help her with her wishes,” Jones said. Unsatisfied, the woman decided on a different course of action. She “claimed she would contact her boyfriend and have him come back with a weapon,” Jones said. Then she left.

This is amazing on so many levels. First, it goes to show that Meth must be one helluva drug. 🙂 Second, it’s safe to assume that this wasn’t the way the teller was trained to handle such a situation (or was the teller trained at all?). While this story is funny, it could have turned tragic had the teller been wrong in her assumption that the robber was unarmed. Third, threats and risk are inherent in all aspects of banking. How an institution handles those threats and mitigates those risks can vary widely. No solution is “one-size-fits-all,” and institutions should assess risks accordingly. I’m not saying that any bank should train its tellers to discourage would-be robbers by requiring them to open an account, but I do encourage institutions to consider alternatives to solutions that promise benefits regardless of the situation. E-banking authentication is a perfect example: many vendors have implemented multi-factor authentication that is a “one-size-fits-all” solution for accounts that are lower risk (basic DDA accounts) and higher risk (cash management accounts). Across all of our clients and contacts throughout the industry, we have discovered that most e-banking solutions are secure in and of themselves; however, the end users’ systems are vulnerable to keyloggers, trojans, worms and other malicious code. To mitigate these risks, true two-factor authentication (one thing you know and one thing you have), such as a PIN and token combination, is the only method that makes sense to prevent threats from keylogging.
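Why a PIN-plus-token login holds up against a keylogger, as an added example that is not from the original post or from any e-banking vendor: it assumes an RFC 4226 HOTP hardware token, and `TokenAccount` and `keylogger_replay_demo` are hypothetical names. The keystrokes a keylogger captures contain a one-time code that the server has already consumed, so replaying them fails.

```python
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Something you know: stored only as a salted, stretched digest.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TokenAccount:
    """Server-side record for one e-banking user (hypothetical structure)."""

    def __init__(self, pin: str, secret: bytes):
        self.salt = os.urandom(16)
        self.pin_digest = pin_hash(pin, self.salt)
        self.secret = secret   # something you have: shared with the token
        self.counter = 0       # next counter value the server will accept

    def login(self, pin: str, otp: str, window: int = 3) -> bool:
        pin_ok = hmac.compare_digest(pin_hash(pin, self.salt), self.pin_digest)
        # Look ahead a few counters in case the token button was pressed
        # without a login; never look backwards at already-used counters.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), otp.encode()):
                self.counter = c + 1   # consume this code and all earlier ones
                return pin_ok
        return False

def keylogger_replay_demo():
    secret = b"12345678901234567890"        # RFC 4226 test secret (constructed input)
    acct = TokenAccount(pin="4821", secret=secret)
    captured = ("4821", hotp(secret, 0))    # what a keylogger records being typed
    first = acct.login(*captured)           # the customer's real login
    replay = acct.login(*captured)          # same keystrokes replayed later
    fresh = acct.login("4821", hotp(secret, 1))  # customer with the token in hand
    return first, replay, fresh

if __name__ == "__main__":
    print(keylogger_replay_demo())
```

A static password checked the same way would pass on replay, which is the gap the token closes.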

Thinking of “Old fashioned, Bonnie & Clyde, John Dillinger, hands up in the air, public enemy no. 1” robberies across the Midwest has my imagination and interest piqued. I’m going to the theater to see “Public Enemies” starring Johnny Depp, and find out why John Dillinger never had to open an account or threaten to come back with his boyfriend.