Idan Koren, Author at Verkada

Vermont Bans Dahua and Hikvision Security Cameras

Earlier this year, Vermont became the first state to institute a government-wide ban on tech devices — including security cameras manufactured by several leading Chinese companies including Hikvision and Dahua.

According to state officials, the prohibition was instituted due to cyber security concerns that such technology could be used for espionage, cyberattacks, and unauthorized surveillance due to the providers’ ties to the Chinese government.

It includes leading camera manufacturers Hikvision and Dahua, as well as products built by tech giant Huawei, and came in a directive to all executive branch agencies and divisions in late February.

banned in vermont: Hikvisionm, Dahua“The intent is to make sure that this type of equipment can’t be used against us to steal information or be the front for a cyberattack against us,” John Quinn, state secretary of Vermont Agency of Digital Services, told the local Burlington Free Press in an interview.

In all, the ban includes Chinese companies Hikvision, Duhua, Huawei, ZTE Corp, and Hytera as well as AO Kaspersky Lab, a Russian cyber security firm best known for its Kaspersky Anti-Virus software that the U.S. federal government began prohibiting in 2017.

 

 

Implications Beyond Vermont

While Vermont is the first state to formally issue such a sweeping ban, several other states have opted to avoid contracting with certain Chinese companies as the potential risks have gained wider attention throughout the U.S. cyber security community, according to the Burlington Free Press report.

Given the ongoing concern, this big blow to camera makers Hikvision and Dahua may be just the first domino to fall as companies from the country increasingly come under the crosshairs.

Thus far, Huawei has drawn the most notoriety, remaining in the news with negative headlines since its CFO Meng Wanzhou was arrested by Canadian law enforcement last December. A range of charges against the company followed in United States for bank and wire fraud, obstruction of justice, and violating Iran sanctions.

This development came not long after the United States, in the 2019 National Defense Authorization Act passed last August, formally prohibited any government agencies from using technology provided by Chinese companies Huawei and ZTE. Hikvision and Dahua cameras were also included in that prohibition, which will go into effect later this year, as part of an amendment proposed by U.S. Congress Rep. Vicky Hartzler (R-MO).

“We must face the reality that the Chinese-government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors,” said Hartzler in statement. “Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities and my amendment will ensure that China cannot create a video surveillance network within federal agencies.”

Hikvision, which lobbied against the amendment, has denied that there is any risk to public agencies in the United States or elsewhere in the world from its products. “Hikvision is a commercial entity that operates globally and strictly conforms to business ethics and all relevant regulations,” said Hikvision in a statement after the House of Representatives initially banned the company in its version of the defense spending bill. “We are dedicated to the advancement of safety in all countries and regions.”

In further-reaching fallout, a recent analysis from the National Cyber Security Center in the United Kingdom pointed to specific vulnerabilities in Huawei devices and even NATO is currently weighing its response to the concerns surrounding technology from the company.

Recommendations for Security Camera Users

Enterprises currently using (or considering the implementation of) Hikvision and Dahua cameras should naturally be concerned about the ever-widening fears surrounding Chinese tech manufacturers.

As always, cyber security should be paramount for all firms and this only goes double for users whose operations could be disrupted by more states — or countries — placing prohibitions on devices from these manufacturers.

Those that are already using these cameras should currently be undergoing a review of their surveillance strategy to determine how much they may be affected, both now and in the future.

At a minimum, these organizations must:

  • Conduct a full audit to determine their use of Hikvision and Dahua cameras, both in Vermont and in all locations where the organization operates
  • Consider how much a wider ban of Hikvision and Dahua cameras — in larger-population states like California or the entire U.S. — would impact your operations, including the cost and downtime of replacing all these devices
  • Analyze the IT budget to determine whether moving to a different provider is feasible over either the short and longer term
  • For a more in-depth breakdown of how to maximize your video surveillance security, click here to read the free Verkada whitepaper “How Secure is your Video Surveillance.”

Enterprises that are currently planning to implement or expand their video camera surveillance are in a better position. As they move forward, they should continue to monitor these news and be sure to:

  • Look for vendors that are neither based in China nor manufacture in the nation
  • Look for vendors that place a large priority on cyber security including:
    1. End-to-End encryption of footage in transit and at rest
    2. Architecting cameras that only send outbound protocols
    3. Auto-updating software and firmware regularly

As more headlines continue to question the security of these manufacturers, all enterprises must recognize that the concerns about China are real and growing.

For a more in-depth breakdown of how to maximize your video surveillance security, click here to read the free Verkada whitepaper “How Secure is your Video Surveillance.”

Massachusetts to Award $7.2 Million in School Safety Grants

In yet another sign that safety has become a top priority in the world of education, Massachusetts is offering $7.2 million school safety grants to improve security.

The funding, which will be administered by the Office of Grants and Research’s Justice and Prevention Division, will be preferentially awarded to support initiatives at schools deemed to have the greatest need as well as proposals that prove to be the most cost effective, according to the state government.

“Consideration will also be given to schools that are taking meaningful steps to establish a more safe and supportive school climate in order to reduce instances of violence,” stated the office of grants in its announcement.

Both school districts and charter schools are eligible to submit applications by the April 3 deadline. (Each district, however, may only submit one application.) Before applying, the school must also already have implemented the state’s Multi-Hazard School Emergency Threat Assessment and Response Plan.

The grants office stated that it expects to announce the award recipients on April 26 and begin allocating funding to schools on May 1.

All the details of the $7.2 million in grants and the application process can be found on the website of the Massachusetts Office of Grants and Research’s Justice and Prevention Division.

This new, one-time $7.2 million in grants builds upon previous efforts in Massachusetts to improve school safety. In 2014, for example, the state created the Safe and Supportive Schools Commission within the wider Safe and Supportive Schools Framework Law, which sought to reduce the impact of gun violence.

The multi-hazard threat assessment program, which is supported  by the Massachusetts Department of Elementary and Secondary Education, was later launched in 2015.

In response to the overwhelming support for school safety grants, Verkada has decided to provide educational pricing discounts. To learn more, contact your Verkada representative.

 

Reducing Bandwidth Consumption of a Cloud Camera to 20kbps

On-premise video security solutions are hard to access remotely and securely. On the other hand, many organizations that have adopted cloud surveillance systems have encountered that having all the cameras stream footage simultaneously to the cloud consumes more WAN bandwidth than their networks can accommodate, making it expensive or impossible to scale. Verkada’s hybrid-cloud camera architecture bridges the gap to deliver the best of both worlds.

Rethinking Cloud-Based Surveillance with Hybrid Cloud Architecture

At Verkada, we have taken a different approach to unlock the benefits of the cloud without hindering bandwidth. Unlike most cloud video security solutions, Verkada’s cameras were designed to store footage on an internal solid-state drive engineered to withstand 10-year lifespan – storing 30-120 days of continuous video. Thus videos stream only when an authorized user requests live or recorded video.

In order to provide organizations with the best user experience, but still keep bandwidth limitations in mind, the Verkada team built an interface that operates on a camera’s “steady state”. In this steady state, Verkada cameras send a constant metadata stream consisting of encrypted thumbnail images, related metadata (including analytics) to the cloud approximately once every 20 seconds using a WAN bandwidth uplink of no more than 20 kbps per camera.

With a bandwidth footprint of 20 kbps per camera, an organization can have over 100 cameras on the same connection (~ only 2mbps) in contrast with one traditional cloud camera which tend to stream at 1-2 mbps.

The thumbnail images uploaded from each camera in the steady state create a historical timeline view, which allows for time/date-based search, motion-based indexing, additional features, without the need to retrieve hours of history video. While users can choose to stream a live feed or view recorded footage from any particular camera, this interface greatly reduces the amount of continuous video most users will need to stream for incident resolution.  

Example 1: Heatmaps and Previews
Example 2: Motion Grid Search


The graph below provides an example where a user remotely connects to a camera to view footage in SD (720p) increasing the bandwidth uplink to approximately 300 kbps for the time that viewing is taking place.

In another scenario, when a different user remotely connects to a camera to view footage in HD at full resolution of the camera, this will result in an increase in the bandwidth (to approximately 1 Mbps of upload bandwidth) for the time period that viewing occurs. Each time a user stops viewing, the bandwidth usage returns to steady state.

Multiplexing

When multiple users are accessing cameras simultaneously, the amount of upload bandwidth that is consumed by streaming videos can be especially problematic. Unlike an NVR/DVR-based solution, which requires opening an individual connection for each user, Verkada multiplexes live video streams in its cloud service. As a result, unlimited users can watch the same live stream without increasing the individual camera’s uplink consumption. When accessed remotely, video is proxied through the cloud and cached to speed retrieval times and playback, reducing the impact on the local area network.

 

Multiplexing in the cloud allows unlimited users to take advantage of one channel’s uplink to view footage

Local Viewing
For authorized users on the same local area network as the camera, Verkada supports a local stream. Local streaming has two major benefits including no WAN bandwidth impact beyond the steady state and lower latency.

Advanced Video Security for the Modern Enterprise

By using Verkada’s hybrid cloud architecture to avoid bandwidth limitations, organizations can finally realize the full benefits of using a cloud video security solution for deployments of all sizes. Yuma Union High School District’s CIO, Dean Farar, has seen significant reductions in “network bandwidth and storage requirements” since deploying over 900 Verkada cameras on campus. In addition, Garrett Bradlyn of City of Parkersburg has installed over a hundred cameras on mobile cradlepoints that operate with LTE connection.

We’re excited to continue building on the success of the world’s most bandwidth friendly camera, if you’d like to try a camera please request a free trial and contact us with ideas for further improvements.

How to Write an RFP for a Video Security Installation

In some cases, a new video security installation will begin with a request for proposal (RFP). This is especially true in the public sector. For many enterprises, crafting the RFP will be the first time they lay out the entirety of a project in a single, overarching document.

This endeavor should be conducted as a joint effort between IT, security, facility managers and other key personnel as the organization advances its plan to purchase a video surveillance system.

While the process of drafting an RFP is routine for those with experience, others struggle when it comes to properly preparing the document. The details and formatting standards can be confusing, particularly when the project is highly technical and it is the organization’s first time soliciting bids for video security.

Fortunately, it doesn’t have to be that difficult. While each proposal process is unique, adhering to the guidelines laid out below can help create an RFP that will be suited to any organization’s video security specifications.

Review Public Video Security RFPs

The best way to start out, especially for organizations crafting their first RFP, is by looking at some examples. Because public institutions (including many local governments and schools) are often required to create a formal proposal, there are many available to review.

The four listed below represent a few recent video security RFPs, which can be used as models:

As evidenced by these examples, a typical RFP is at least a dozen pages and larger projects can lead to significantly longer documents. But the objective is not to get the document to a certain length. Instead, aim for a complete breakdown of the project needs and expectations, formatted in clear manner.

This should be done by subdividing the document into separate categories. These sections won’t cover every single aspect of a surveillance installation, but each key section listed below should be incorporated into a final RFP.

Background

After creating a cover page with identifying information and a table of contents, the first main section of the document should describe the overall scope and vision of the project. This is necessary so that anyone responding to the RFP will have a full understanding of the current security environment.

Include details about all the different sites that will require video security and the nature of any pre-existing surveillance technology. Be specific, listing the make and model of cameras and other equipment that are already in operation. If there is no established pre-existing structure, note that as well.

For the locations themselves, be sure to also lay out everything, including the address of each property and any distinguishing features. Network capabilities at the sites and any technology-related issues that might be relevant to an installation should also be communicated.

Overall, this an opportunity to identify all of the places that will need to be covered by the plan. Some elements will likely be adjusted in consultation with the selected provider, but try to include as much information as possible about the what and the where.

Objectives

While the first section is about logistics, this category should highlight the goals that need to be accomplished. Don’t focus on technological details or a specific number of cameras. But at the same time, don’t be overly vague.

Simply stating an objective, like “increasing security,” is not enough. Yes, thinking about the larger purpose is essential. But drilling down into distinct needs, such as “complete coverage of all entrances” or “parking lot monitoring,” is equally important.

Ultimately, the specifics of the project will be based upon these high-level objectives. So work closely with all the stakeholders in operations, IT and each facility to pinpoint the most pressing security goals.

In its RFP for an IP security camera solution last year, Wyoming’s Fremont County School District #1 outlined its aims succinctly while acknowledging that it would need further consultation with experts to determine the end result.

“The Fremont #1 School District is seeking to replace a collection of old, standalone, disparate, proprietary security camera systems with a single, unified, modern system,” stated its RFP. “The total number of cameras needed is not set. The district is looking for a reasonable recommendation and discussion between a qualified vendor and the district.”

System Requirements

This section should provide the most detail. Primarily, it will stipulate what technology specifications are necessary.

As video surveillance technology has evolved in recent years, the cloud has become an increasingly important factor in selecting a security camera system. So along with other specs, indicate any preference the organization has for using a modern, cloud-based system or a traditional setup that requires a central network video recorder (NVR) or digital video recorder (DVR). Many vendors have already moved to the cloud and some organizations are highlighting their desire to go that way as well.

“Preference will be given to ‘cloud-based’ camera systems that do not require the presence or management of any onsite hardware (other than cameras), the installation and maintenance of onsite software and/or proprietary software to manage cameras, or the configurations of firewall exceptions to allow offsite access,” stated Fremont County School District #1 in its RFP.

After addressing the core makeup of the system, highlight the other necessary specs. Are capabilities like motion detection and night vision appropriate? What level of remote access is expected? Are there minimum retention times for footage? What resolution and frame-per-second rates are required? What security protocols must be imposed?

As these determinations are made, be sure to evaluate how the new system will align with pre-existing infrastructure. This was a crucial factor for the City of Cleveland Department of Public Safety in its 2016 plan to expand video surveillance. “All video surveillance extension equipment must be capable of being integrated into the existing video management system (NICEVision),” stated the document, crafted by the city’s department of public safety.

Scalability is another key consideration. Vendor experts can offer recommendations for how many cameras each location needs. But organizations should also include an estimate, and note any expansion plans that will require the installation of additional devices. Will that number increase over time as the organization expands? All of that is information that should be considered and detailed in this section.

Beyond the technology and size of the project, this part of the RFP is also an opportunity to address longer-term system administration, support, maintenance and any special circumstances that could pose challenges for the installation. A final aspect to include here is the level of cybersecurity that will be mandated across the network and how it will be managed.

Sample Questions

As explained above, the aim of an RFP is to provide a general overview of the project along with enough specifics for suppliers to understand what is needed.

In addition to the other aspects, consider asking the following technology-focused questions of potential vendors as part of the process:

  • Does the system allow cloud services be utilized for archiving purposes?
  • Does the system require the installation of a server, port forwarding or open firewall ports to enable remote access or storage?
  • Is footage downloadable in MP4 or other standard formats?
  • What bandwidth does the system utilize?
  • Does the system provide manageable user accounts?
  • Does the system provide analytics (including usage and up-time data)?
  • Is there an automatic footage upload if the camera is moved, hit with an object or the image is blurred?
  • Does the system provide additional tamper resistant protections?
  • Does the system automatically provide notifications if it goes offline?
  • Does the system possess a self-contained power supply backup?
  • Does the system require setting up a VPN connection?
  • Does the system utilize any unencrypted protocols (e.g., RTSP streams) or make any unencrypted connections?
  • Does the system support two-factor authentication (2FA)?

This list is merely a small selection of some of the relevant factors to take into account. Additional questions and considerations can be found in Verkada’s Security Vendor Evaluation Checklist.

Budgeting and Pricing

Cost should never be the only determinant, but the final price tag will obviously be one of the biggest differentiators between the bids an organization receives. After laying out the entirety of the project—from background and objectives, to system requirements and detailed questions—providing potential video security vendors with some guidance on how to formulate their proposal can also be beneficial for both parties.

This likely won’t be the first time these vendors will be responding to an RFP. But it can help to request that all solicitations be broken down into categories such as hardware, software, installation, maintenance, training and other expected costs.

Be sure to also consider the timeline of the installation and any future services that will be delivered. This will ultimately depend upon how the project’s budget is structured. But ask for cost expectations in subsequent years if the vendor will provide ongoing operations, maintenance and training services, or if the installation will conducted in phases.

And because deadlines are important to the enterprise, make that clear to the vendor as well. Ask that all bids include projected dates by which each task will be completed (in terms of days, weeks or months) after the contract begins.

Selection Process

Most vendors that submit a proposal will understand that they are just one of several companies in the running. Nevertheless, the RFP should outline how the selection process will be conducted, including a forecasted timeline if one has been established.

This doesn’t need to be overly specific. But it should provide something in the way of expectations. If nothing else, this should be included for legal reasons.

In its 2016 surveillance system RFP, the Fountain Valley Police Department in California crafted a clear, concise statement that provided all the necessary information.

“The Fountain Valley Police Department Selection Committee will review all proposals received by the submittal deadline and will then narrow the number of acceptable vendors down to a short list of semi-finalists based upon the best overall fit and compliance to the RFP requirements,” stated the department. “Using subsequent interviews, demonstrations, reference checks and site visits, the city will select a vendor.”

Definition of Terms and Conditions

One final thing to consider is adding a section that defines the terminology used throughout the RFP. This provision is helpful to ensure that everyone is on the same page.

Add a few sentences of context to what is meant by terms like “Consideration of Proposals,” “Contract Award Process” and “Supplemental Agreements.” This language should be crafted with the assistance of legal counsel, and other potential elements to include can be found in some of the example RFPs included above.

It may also be useful to explicitly list any “Mandatory Requirements,” for the bidders to meet. This should also be done alongside an attorney knowledgeable about state and local laws such as permitting, insurance and compliance.

In its proposal, Jefferson City Schools, for example, listed the the following requirements: the “contractor must be licensed to perform all elements of this contract in the state of Georgia,” and the “contractor must not currently be suspended or debarred from any governmental contract or have been so within the past five years.”

Crafting a Comprehensive Video Security RFP

In most cases, the more comprehensive the RFP, the better outcome in terms of final video security installation. There are many critical considerations any enterprise must make before selecting a vendor, and the best practice is to address as many of these upfront as possible.

Trying to include literally every component of a video security system in an RFP, however, is not only impossible, but counterproductive. The broad goal is to communicate both the big-picture needs and the absolute must-have details. As the right partnership moves forward, additional issues will come up and certain specifications will be altered during the consultation phase. In other cases, organizations will receive bids from vendors that can offer advanced and proprietary technology that they didn’t even know was available.

So the best bet is to be as thorough as possible, without spending an entire year putting together the proposal. After all, any reputable, modern vendor will come to the table with ideas of their own on exactly how an organization can be best served.

With an RFP that follows the basic outline described here, any project can get off to a great start—putting the organization on track to find a solution that serves it well, both now and long into the future.

To learn more about selecting the right vendor and solution, check out our latest eBook: How to Choose the Right Video Security System for Your Organization.

Lessons Learned and Advice from Verkada’s Hans Robertson

Hans Robertson is one of Verkada’s co-founders and the executive chairman. Prior to Verkada, he co-founded Meraki—an enterprise cloud managed networking solution that was acquired by Cisco in 2012 for $1.2 billion and now has more 230,000 customers and revenue in the billions.

Recently, Hans offered some advice based on lessons he’s learned first-hand while building companies from the ground up over the past decade. Watch to see how prioritizing effectively from day one can help build companies into powerhouses.

View the full Hans Robertson interview and check out the Building Effective Partnerships Between Security Experts and Security Vendors webinar for more insight on the state of the industry.

Is a Cloud-Based Video Surveillance System Secure?

Since the inception of the cloud, security concerns have been the biggest factor limiting its wider adoption. While apprehension has eased considerably over the past decade, these worries persist, and they are keeping many chief technology officers (CTOs) from migrating more of their enterprise processes to modern, cloud-based solutions.

A risk-averse approach is certainly understandable. It fits the old adage of “if it ain’t broke, don’t fix it.” But this mentality is not just slowing down cloud adoption, it is hindering companies with systems stuck in the past.

Video surveillance is one area where we are still seeing this in 2018. Organizations continue to employ outdated, unwieldy camera systems—simply because they are concerned that a modern solution will bring new, unfamiliar cybersecurity risks.

Are these fears justified? Can companies trust cloud-based surveillance cameras? Is a cloud-based video surveillance system secure?

Traditional Video System Security

To assess the security of cloud solutions, it first makes sense to look at the traditional options. In theory, a system that uses an air-gapped network video recorder (NVR) is the most secure option. But such an installation largely defeats the purpose of having a security camera system in the first place. If it is walled off from the network, the footage would not be accessible for remote viewing to anyone off-site required to respond to an incident in real time.

So, once you do make a system based on an NVR or digital video recorder (DVR) more usable, both the device itself and the attached CCTV security cameras become highly susceptible to hacking exploits. This helps explain why, in its benchmark 2018 Internet Security Threat Report (ISTR), Symantec ranked DVRs second on its list of vulnerable devices involved in the Internet of Things attacks against its honeypot last year. After an IT team configures its IP address for VPNs and opens ports to enable remote access to a wifi security camera, the NVR immediately becomes one of the most hackable devices in the entire network.

The biggest real-world implication is that IT teams often fall into a false sense of security. They know that an air-gapped NVR is foolproof, but they fail to recognize that introducing port forwarding to their surveillance infrastructure introduces some of the greatest risks to their camera system. This leads to longer-than-acceptable delays when it comes to updating firmware.

Cloud-Based Video System Security

With a cloud-based system, IT professionals are able to easily install hardware and software updates as soon as a vulnerability is identified. With increased vigilance and faster reaction times,the risk of physical and cyber attacks is ultimately reduced.

The ease of installing security patches fosters a culture of ongoing risk mitigation, rather than one that falls victim to a false promise of security, which vanishes once a camera system is configured to enable remote access.

Furthermore, today’s leading cloud-based IP cameras offer end-to-end encryption and additional security features like two-factor authentication and single sign-on, that enable the latest security standards. Whether video data is at rest or in transit, using modern standards for data encryption and network security ensures that video stored beyond the camera’s hard drive,is protected in the event that hackers ever manage to breach the system.

The Proactive Security Mindset

In wider-reaching terms, there is another key reason that cybersecurity concerns are falling. In the past, manufacturers and service providers offering cloud-based solutions largely left the end user to fend for themselves. Instead of a dedicated service team, end users would have to resort to third party support technicians or even web browser research to to resolve their issues. This is changing. There is a new attitude emerging from the mega-players (like Amazon and Google), to industry leaders in many sectors and even smaller providers offering niche products.

Kalev Leetaru, a data security expert who has served as a Google developer expert and a council member of the World Economic Forum’s Global Agenda Council on the Future of Government, has broken down this trend. He characterized the evolution as, “the growing emphasis cloud vendors are placing on helping businesses reimagine how they manage their data in a threatening world.”

Writing for Forbes, he welcomed a shift to companies becoming more proactive in their security support and offering more realistic insight to clients about the dangers inherent in any device connected to a network.

“Unlike the VPN castle defenses of past, in which companies surrounded their assets with extensive monitoring, but blindly trusted anyone that got inside, cloud vendors are pushing businesses towards their own ‘trust nothing’ model that better reflects the reality of the uncertain world in which we live,” wrote Leetaru.

Constant Vigilance to Threats

Whether it’s home security or enterprise level surveillance, nothing will ever be 100% impenetrable. Understanding that is half the battle. This mentality allows decision makers to properly gauge the actual risk that exists in their video surveillance system.

Compared to the alternatives, cloud-based video surveillance is now—at worst—on par with any other option on the market. And because it promotes easier firmware and security updates, offers high-level encryption for live streaming and stored footage, and encourages an overall culture of risk avoidance, it is proving to be a effective way to keep the cameras rolling and trust that the enterprise is as fortified as possible.

To learn more about cloud-based video security, check out our Cybersecurity for Video Surveillance Systems whitepaper.

Fight These 3 Trends in ATM Fraud with Video Surveillance Technology

Notorious outlaw, Willie Sutton, was once asked why he robbed banks. As the legend goes, he had a simple answer: “That’s where the money is.”

The banking industry became an early adopter of video surveillance technology as soon as it was practical for business. Due to the philosophy espoused by Sutton (and who would know better than a bank robber?) the move to upgrade security certainly makes a lot of sense.

For banks insured by the Federal Deposit Insurance Corporation (FDIC), it is a requirement. And some states, including New York, have detailed regulations governing how and where locations must be monitored by video.

While some bank robberies do still occur, reality is typically no match for the spectacular scenes found in heist movies. It simply isn’t as lucrative or easy as it was in the days of Butch Cassidy and the Sundance Kid. With fewer actual bank branches being built, most enterprising criminals are realizing that digital defenses are easier to breach.

ATMs, however, are one type of physical location that is still being hit hard. Whether by brute-force assaults on the actual machine, technology tools that seek to steal data or good old-fashioned social engineering tricks, culprits are still continuing to go where the money is.

The following reports represent just some of the ATM fraud incidents and scares that have made news of late. There seems to be no sign of attacks slowing down any time soon, so it remains vital for operators and security officials to stay on high alert.

Cloned Cards

The FBI stunned security experts this summer when it was learned to have issued a warning to banks that an “unlimited ATM cash-out” is being plotted across the world. The note to financial institutions, which was obtained and reported by security expert Brian Krebs, stated that criminals may soon mount a coordinated withdrawal from a massive number of machines using illegally obtained card information.

By then, it was too late to stop the thieves from getting the banking info necessary to commit the crime. But banks were warned to be on watch and told that this could become more commonplace going forward.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” stated the FBI’s alert, according to Krebs. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

For consumers, protecting yourself from such a large-scale, coordinated attack is naturally difficult. But if you have been a victim in the past or have reason to believe the your card data may be compromised, it would be wise to request a new card be issued. Or, at the least, change your security PIN and digital access passwords.

Shimming: The New Illicit Card-Reading Technique

A few years ago, “skimming” (a crime that involved modifying physical ATMs) was all the rage. Criminals would attach a false card-reading device within the slot where the card is placed. During a transaction, a small piece of technology was stealing the information contained within the card’s magnetic strip, allowing it to be cloned and used elsewhere in the future. Users would then withdraw their money and card, completely unaware of what had just occurred.

When issuers moved to chip-based cards, the effectiveness of this method decreased substantially. But now a similar, new variation—called “shimming—has begun to pop up. Because these homemade readers are smaller than their predecessors, they can be installed beyond ATMs. These devices have even found in “point of sale” payment terminals within stores.

Fortunately, they remain quite rare, and a cloned chip card should not work with any merchant that has followed proper modern payment protocols, a group that includes the bulk of retailers in the United States.

Still, there have been U.S. victims of this easy-to-install and hard-to-detect scheme. One thief reportedly managed to steal some $25,000 from a federal credit union near Los Angeles this year, and international locations may be even more vulnerable.

Financial executives and security officials have tried to dismiss the shimming concern as overhyped. But operators cannot afford to ignore this type of threat. It still is possible to execute, and everyone should be aware of the risk.

Social Engineering Schemes

ATM crime is far from solely a U.S. problem. Throughout the developing world, many people have only recently joined the formal banking sector and received debit and credit cards. Cash machines in these areas remain a hotbed for theft.

Recently in Colombia, for example, online videos went viral online showing how an old trick (that has been used by con artists) can still catch people off guard. The method involves two perpetrators, one of whom casually looks on as an unaware banking client types their PIN code. Next, an accomplice distracts the ATM user to make them look away from the machine. Generally, this is done by acting as a “good samaritan”—making the victim think they have dropped something. The PIN watcher quickly takes the opportunity to grab the card from the slot in the ATM. The nefarious duo then sneak away, with both the plastic and the security code to withdraw funds.

At this point, it becomes a race against time. Their goal is to hit another cash machine and extract as much as possible before the person cancels the card. And given the often-slow response times by local banks or the need for a tourist to make an international phone call—perhaps with only limited mobile data on their phone while on vacation—it can be an effective way to dupe someone out of as much cash as their bank will allow the assailants to withdraw.

ATM Security: Staying Ahead of the Crooks

Society is rapidly moving more and more to digital payments. But for now, physical cash and cards are still the norm. And as long as they are, crooks will be on the prowl to devise new ways to defraud people out of their hard-earned income.

This is why all banks and ATM operators must have proper security strategies in place. These should include physical protections, video monitoring and other best-practice deterrents. Many of today’s most successful organizations have gone beyond the use of traditional camera systems. They recognize that a comprehensive video surveillance technology should also include secure, end-to-end, encrypted hybrid cloud system architecture with an intelligent, centralized, remote-access software platform.

Criminals will always be working to find a way around even the strongest safeguards. But staying out in front and utilizing modern technology in this ongoing battle will help ensure that clients can access their money without becoming the next victim.

For a real-world look at how one of Pennsylvania’s top financial institutions is using hybrid cloud security technology to fight ATM fraud and other threats, check out the Susquehanna Community Bank customer story.

What’s the Difference Between a Cloud vs. Hybrid Cloud Security Camera System?

What are Cloud Security Camera Systems?

With the rise of IoT in recent years, many enterprises, hospitals, schools, and other multi-location organizations have considered the benefits of shifting their video surveillance security system to the cloud.

Cloud security systems consist of surveillance system cameras that stream network video directly to the cloud with the major advantage of being able to remotely view footage from any device. In addition, computationally challenging tasks can be done in the cloud to improve camera security, efficiency, and ROI. However, this wireless security system architecture presents several drawbacks.

  1. Uncertainty regarding what happens to the surveillance cameras footage when there’s an internet outage.
  2. Insufficient network bandwidth for multiple indoor and outdoor security cameras streaming 1080p hd video simultaneously.
  3. Inability to comply with IP security and regulations like the PCI Standard and other governmental statutes, which require at least 90 days of video retention locally and in a separate hard drives backup location.
  4. Concerns about the effectiveness of the video surveillance system’s overall security.

How is a Hybrid Cloud Security Camera System Different?

Unlike a typical wireless security camera system, a hybrid cloud security camera system consists of an on-site video surveillance storage solution as well as one located in the cloud. This hybrid PoE security infrastructure allows the system to address many of the difficulties IT departments and physical security teams have experienced with a pure cloud video surveillance security system.

Verkada: Enterprise Cameras Backed by Hybrid Cloud Architecture

All Verkada cameras come with up to 120 days of in-built video storage and processing power. In the case of an internet outage, the PoE cameras can keep recording and super hd footage can be viewed locally on the network. When internet access is restored, the footage in question is uploaded to the cloud (AWS).

The majority footage of IP cameras is motionless. A hybrid cloud architecture enables PoE security camera systems such as Verkada to send encrypted outbound metadata and short video clips, at less than 20 kbps every minute. When the PoE cameras detect motion, they can send these video clips more frequently. A streaming channel at higher bandwidth is opened only when an end user wants to remotely stream a PoE security camera feed. This intelligent bandwidth management allows indoor and outdoor security cameras to work flawlessly on any network, regardless of bandwidth limitations or the number of PoE video cameras installed.

Finally, the question of cyber security is fraught with controversy. While an air-gapped NVR security system is technically the most secure solution, it also presents many operational limitations that defeat the original intended purpose of keeping an organization safe. As soon as channel NVR ports are opened or forwarded for remote access, the NVR becomes one of the most dangerous technologies that exist. With a hybrid cloud security camera system like Verkada’s, the vendor (not the organization’s IT department) is responsible for the cyber security of individual IP cameras as well as the video surveillance system as a whole. Auto-updating PoE IP camera software and proactively patching firmware to the Powered over Ethernet camera enable Verkada’s systems to remain as secure as possible. End-to-end encryption also ensures that the footage cannot be stolen locally, further minimizing cyber security exposure.

Side-by-side feature lists can only provide a limited view of how a cloud and hybrid cloud security camera system compare. Taking a contextual look at the architecture of these systems can demonstrate how hybrid cloud surveillance solves a series of deep-rooted constraints in the video security space—helping to reveal new benefits, updated workflows, and more seamless administration.

Want to learn more about the hybrid cloud security camera system? Check out our latest eBook, The Future of Enterprise Video Surveillance: The Shift from Traditional to Hybrid Cloud Security Systems.