Positive Technologies report black-box attack vulnerabilities in ATMs

Positive Technologies research finds ATM vulnerabilities enable illegal cash withdrawals, such as in Wincor Cineo ATMs

Positive Technologies researchers, Vladimir Kononovich and Alexey Stennikov have discovered vulnerabilities in the Wincor Cineo ATMs, with the RM3 and CMD-V5 dispensers (Wincor is currently owned by Diebold Nixdorf).

ATM cyber-attacks

With access to the dispenser controller’s USB port, an attacker can install an outdated or modified firmware version (for example, with disabled encryption), to bypass the encryption and make cash withdrawals. Diebold Nixdorf (Diebold Incorporated) has more than 1 million of its ATMs installed worldwide, making it one of the largest ATM manufacturers, with a 32 percent share of the global market.

Most previous generations of ATMs could not withstand black-box attacks. In such cases, a hacker connects to the dispenser, via a computer or mobile device, and sends a special code, which results in the ATM dispensing money. In research performed by Positive Technologies in 2018, 69 percent of ATMs turned out to be vulnerable to such attacks and could be hacked in minutes.

Modern ATMs with built-in protection against black-box attacks

Modern ATMs, including Wincor Cineo, have built-in protection against black-box attacks

Modern ATMs, including Wincor Cineo, have built-in protection against black-box attacks. This protection is achieved by using end-to-end encryption between an ATM computer and the dispenser. The computer sends encrypted commands to the dispenser and a hacker cannot withdraw money, without encryption keys stored on the ATM computer.

Vladimir Kononovich, Senior Specialist of ICS Security, at Positive Technologies, said “In the case of Wincor Cineo, we managed to figure out the command encryption used in the interaction between the PC and the controller, and bypass the protection against black-box attacks. At a popular website, we bought the same dispensing controller, as the one used in Wincor's ATMs.”

Issues of bugs in controller code and old encryption keys

Vladimir Kononvich adds, “Bugs in the controller code and old encryption keys allowed us to connect to an ATM, using our own computer (as in a classic black-box attack) and bypass the encryption, and make cash withdrawal. Currently, the attack scenario consists of three steps - Connecting a computer to an ATM, loading outdated and vulnerable firmware, and exploiting the vulnerabilities to access the cassettes, inside the safe.”

According to Vladimir Kononovich, some manufacturers rely on security through obscurity, with proprietary protocols that are poorly studied and the goal of making it difficult for attackers to procure equipment, in order to find vulnerabilities in such devices. However, the research shows that such equipment is not difficult to find on the open market and analyse, which can be used by criminal groups.

CVE-2018-9099 and CVE-2018-9100 vulnerabilities

The first flaw, CVE-2018-9099, was detected in the firmware of the CMD-V5 dispenser

Both vulnerabilities received a CVSSv3.0 score of 6.8. The first flaw, CVE-2018-9099, was detected in the firmware of the CMD-V5 dispenser (all versions up to and including - 141128 1002 CD5_ATM.BTR and 170329 2332 CD5_ATM.FRM). The second, CVE-2018-9100, was detected in the firmware of the RM3/CRS dispenser (all versions up to and including - 41128 1002 RM3_CRS.BTR and 170329 2332 RM3_CRS.FRM).

To fix the vulnerabilities, credit organisations must request the latest firmware version from ATM manufacturers. Moreover, as an additional security factor, the vendor should enable physical authentication for the operator during firmware installation.

hardwear.io security conference

On October 29, Vladimir Kononovich will talk about the detected vulnerabilities at the hardwear.io hardware security conference, taking place in The Netherlands. In 2018, Positive Technologies experts helped eliminate vulnerabilities in ATMs of another major ATM machines manufacturer, NCR (NCR Corporation).

Download PDF version Download PDF version

People mentioned in this article

In case you missed it

How should the security industry promote diversity?

Diversity in a company’s workforce is arguably more important now than ever. Societal awareness of the importance of diversity has grown, and many people see diversity as an important factor that reflects positively (or negatively) on a company’s culture and image in the marketplace. We asked this week’s Expert Panel Roundtable: What should the security industry do to promote workplace diversity?

Why face recognition as a credential is the ideal choice for access control?

In the field of access control, face recognition has come a long way. Once considered too slow to authenticate people's identities and credentials in high traffic conditions, face recognition technology has evolved to become one of the quickest, most effective access control identity authentication solutions across all industries. Advancements in artificial intelligence and advanced neural network (ANN) technology from industry leaders like Intel have improved the accuracy and efficiency of face recognition. However, another reason the technology is gaining traction is due to the swiftly rising demand for touchless access control solutions that can help mitigate the spread of disease in public spaces. Effective for high volumes Face recognition eliminates security risks and is also virtually impossible to counterfeit Modern face recognition technology meets all the criteria for becoming the go-to solution for frictionless access control. It provides an accurate, non-invasive means of authenticating people's identities in high-traffic areas, including multi-tenant office buildings, industrial sites, and factories where multiple shifts per day are common. Typical electronic access control systems rely on people providing physical credentials, such as proximity cards, key fobs, or Bluetooth-enabled mobile phones, all of which can be misplaced, lost, or stolen. Face recognition eliminates these security risks and is also virtually impossible to counterfeit. Affordable biometric option Although there are other biometric tools available, face recognition offers significant advantages. Some technologies use hand geometry or iris scans, for example, but these options are generally slower and more expensive. This makes face recognition a natural application for day-to-day access control activities, including chronicling time and attendance for large workforces at construction sites, warehouses, and agricultural and mining operations. In addition to verifying personal credentials, face recognition can also identify whether an individual is wearing a facial covering in compliance with government or corporate mandates regarding health safety protocols. Beyond securing physical locations, face recognition can also be used to manage access to computers, as well as specialised equipment and devices. Overcoming challenges with AI So how did face recognition become so reliable when the technology was once dogged by many challenges, including difficulties with camera angles, certain types of facial expressions, and diverse lighting conditions? Thanks to the emergence of so-called "convolutional" neural network-based algorithms, engineers have been able to overcome these roadblocks. SecurOS FaceX face recognition solution FaceX is powered by neural networks and machine learning which makes it capable of authenticating a wide range of faces One joint effort between New Jersey-based Intelligent Security Systems (ISS) and tech giant Intel has created the SecurOS FaceX face recognition solution. FaceX is powered by neural networks and machine learning which makes it capable of authenticating a wide range of faces and facial expressions, including those captured under changing light, at different resolution levels, and varying distances from the video camera. Secure video management system A common face recognition system deployment begins with IP video cameras that feed footage into a secure video management system connected to a video archive. When the software initially enrolls a person’s face, it creates a "digital descriptor" that is stored as a numeric code that will forever be associated with one identity. The system encrypts and stores these numeric codes in a SQL database. For the sake of convenience and cost savings, the video server CPU performs all neural network processes without requiring any special GPU cards. Unique digital identifiers The next step involves correlating faces captured in a video recording with their unique digital descriptors on file. The system can compare newly captured images against large databases of known individuals or faces captured from video streams. Face recognition technology can provide multi-factor authentication, searching watchlists for specific types of features, such as age, hair colour, gender, ethnicity, facial hair, glasses, headwear, and other identifying characteristics including bald spots. Robust encryption SED-compatible drives rely on dedicated chips that encrypt data with AES-128 or AES-256 To support privacy concerns, the entire system features an encrypted and secure login process that prevents unauthorized access to both the database and the archive. An additional layer of encryption is available through the use of Self-Encrypting Drives (SEDs) that hold video recordings and metadata. SED-compatible drives rely on dedicated chips that encrypt data with AES-128 or AES-256 (short for Advanced Encryption Standard). Anti-spoofing safeguards How do face recognition systems handle people who try to trick the system by wearing a costume mask or holding up a picture to hide their faces? FaceX from ISS, for example, includes anti-spoofing capabilities that essentially check for the "liveliness" of a given face. The algorithm can easily flag the flat, two-dimensional nature of a face mask, printed photo, or image on a mobile phone and issue a "spoof" alarm. Increased speed of entry Incorporating facial recognition into existing access control systems is straightforward and cost-effective Incorporating facial recognition into existing access control systems is straightforward and cost-effective. Systems can operate with off-the-shelf security cameras and computers. Users can also leverage existing infrastructure to maintain building aesthetics. A face recognition system can complete the process of detection and recognition in an instant, opening a door or turnstile in less than 500ms. Such efficiency can eliminate hours associated with security personnel checking and managing credentials manually. A vital tool Modern face recognition solutions are infinitely scalable to accommodate global enterprises. As a result, face recognition as a credential is increasingly being implemented for a wide range of applications that transcend traditional access control and physical security to include health safety and workforce management. All these capabilities make face recognition a natural, frictionless solution for managing access control, both in terms of performance and cost.

What are the challenges and benefits of mobile access control?

There is a broad appeal to the idea of using a smartphone or wearable device as a credential for physical access control systems. Smartphones already perform a range of tasks that extend beyond making a phone call. Shouldn’t opening the door at a workplace be among them? It’s a simple idea, but there are obstacles for the industry to get there from here. We asked this week’s Expert Panel Roundtable: What are the challenges and benefits of mobile access control solutions?

Mobile access articles

4 smart ways to use security to power the business of the future

In the new era of work, our relationship with the workplace is defined by flexibility and mobility. Employees are working across the home, office, and blended spaces more than ever before, as well as working varied hours to suit the modern work schedule. This new hybrid workforce model holds the potential for more diverse talent and better productivity, but it also comes with its challenges – one being how to ensure security, health, and safety in the workplace. Strong and smart security ecosystem While nearly one-third of companies report that they’ve implemented a hybrid model, according to a recent survey by STANLEY Security, many still have much to do to prepare their office for the future. Building a strong – and smart – security ecosystem is crucial in preparing for the future. As such, businesses should consider technologies that help protect their people, as well as safeguard their assets, optimise their operations, and secure their network. 1)Protect your people Implementation of a security ecosystem combines health, safety, and security hardware and software solutions seamlessly Nearly 60% of mid-market and enterprise businesses across the UK and US report that the health and safety of their employees and customers are a primary concern when implementing modern and hybrid working models. This begs the question: How can businesses create a safe and healthy work environment when 59% are planning to bring employees back on-site in some capacity within the next 18 months? The answer lies, in part, in the implementation of a security ecosystem that combines various health, safety, and security hardware and software solutions seamlessly. Integrating platform Nearly half (46%) of business decision-makers say they are interested in adopting an integrated platform such as this. This means integrating traditional and digital security solutions, then leveraging the data and insights they produce to further enhance the workplace experience. Take this example: With employees and visitors moving in and out of the office at different times, a business may lack oversight of occupancy or density levels, people flow, workspace scheduling, visitor check-in processes, and more. However, with visitor management, access control, and other building/business systems integrated, employees can reserve a workspace for a specific date and time and be granted access to the building. Leveraging AI and machine learning Visitors can pre-register, answer a health screening questionnaire, and receive a mobile credential before arriving. Once the visitor arrives on-site, the system can alert the respective department – all without the close contact typically required for traditional visitor check-in processes. When layering artificial intelligence and machine learning on top of the data, a business may identify trends in people flow and opportunities to optimise congested areas. They may also see that certain rooms within the building get more use than others and leverage these insights to manage their space more effectively. All of this is powered by a security ecosystem that can help a business better protect its people while realising other benefits in the process. 2) Safeguard your assets Businesses are concerned about the security of their assets when it comes to the hybrid workforce model Even more, businesses are concerned about the security of their assets when it comes to the hybrid workforce model. About 72% of leaders say this is, in fact, their primary concern with the hybrid approach. This figure isn’t surprising when you consider the impact of the pandemic, which left many businesses closed either temporarily or permanently, with few people allowed on-site to manage facility operations. As a result of the pandemic, we saw tech adoption accelerate at an astonishing rate – simply because businesses had to implement cloud and remote technologies to survive during a time when buildings were closed indefinitely. Remote management and visibility This was particularly true for security solutions, such as cloud video surveillance and cloud access control solutions like wireless IoT-connected locks. Nine out of 10 businesses (91%) report that they have already implemented cloud security technology; of those, nearly half (48%) stated that this was due to the pandemic. These technologies allow for remote management and provide visibility into business operations at the same time. In a retail setting, for example, cloud video surveillance allows businesses to identify and track not only criminal activity, but also foot traffic patterns, peak operating hours, staff shortages, and more. Loss prevention strategy When integrated with the retailer’s point-of-sale (POS) system, businesses can gain greater insights into their traffic counts, end cap effectiveness, loyalty card activity, and a variety of POS exceptions, such as high-dollar transactions, repeated transactions, excessive returns, employee discounts, and more. For retailers especially, a security ecosystem means a more efficient loss prevention strategy that helps safeguard assets and profits. 3) Optimise your operations The “future of work” is still very much a work in progress, but one thing is clear: Businesses are looking for ways to increase efficiencies, drive cost savings, and, ultimately, optimise their operations – especially now with the challenges posed by price inflation. A relatively untapped opportunity for businesses to achieve these goals lies within their security infrastructure. Security technology and solutions gather incredibly rich data which, when unlocked, can help businesses understand how their buildings are being used, when the busiest times are, where there are highly trafficked areas, and more. Leveraging cloud video surveillance systems, businesses could identify emerging staff training needs Cloud video surveillance systems For example, by leveraging the insights produced by cloud video surveillance systems, businesses could identify emerging staff training needs, which could ultimately result in improved employee satisfaction and reduced attrition. However, much of this data sits untouched within the infrastructure, leaving businesses unaware of the opportunities in front of them. 44% of businesses that currently use a cloud security system for its primary use say they want to know how else this technology can be utilised, and an additional 20% aren’t even aware that it could be used in other ways. AI and analytics The interest in adoption is promising for the office of the future, especially when we see that the majority of businesses (78%) would consider using AI and analytics technologies to optimise their operations, helping their business to operate more effectively and efficiently. The increase in adoption of cloud technology – paired with the rise in interest in AI, machine learning, and advanced analytics – could make it possible for businesses to uncover invaluable insights from their security infrastructure and leverage them to adapt and build business resilience. 4) Secure your network Advanced technology help businesses improve their cybersecurity, making it harder for hackers to gain entry With cyber threats becoming more prevalent, businesses are increasingly looking to secure their networks and protect their data. More than half (54%) of those surveyed expressed interest in using AI, machine learning, and advanced analytics to secure their network by identifying and eliminating cybersecurity threats. Advanced and automated technology can help businesses improve their cybersecurity, making it harder for hackers to gain entry to the larger corporate network. Modern cybersecurity tools that use AI and machine learning can detect anomalies in network traffic or alert and act on suspicious behaviour. Cybersecurity software For example, if an IoT device suddenly begins broadcasting and establishing connections with multiple devices, cybersecurity software could detect this abnormal behaviour, send an alert, and suspend traffic or quarantine an endpoint immediately – saving precious time during a potential breach. A single data breach could result in widespread distrust from workers and customers, potentially leading to decreased business as well as litigation issues. As such, businesses need to take action to update and strengthen their defences so that they can avoid downtime and continue to operate with peace of mind. Prepare your business for the future Businesses will continue to look for more ways to extract value out of their existing infrastructure, including their security technology. For many, the tools to do so are already in place, it’s just a matter of unlocking the insights with a security ecosystem. With such an ecosystem – one that helps protect a business’ people, assets, and network, while optimising operations – companies can better safeguard the future of their workspaces and usher in the new era of work with confidence.

Security Executive Council’s SLRI unveils 2021 Corporate Security Organisational Structure, Cost of Services and Staffing Benchmark

The Security Leadership Research Institute (SLRI), part of the Security Executive Council (SEC), has released the results of its 2021 Corporate Security Organisational Structure, Cost of Services and Staffing Benchmark. A few highlights of the new benchmark include: 41% of respondents operated at the Director level Average security budget reported was US$ 13,254,850 On average, respondents reported one security employee, for every 93 employees Results on SLRI's new benchmark Security leaders have used the budget, title and reporting data, provided by this benchmark, to avoid budget reductions Security leaders have used the budget, title and reporting data, provided by this benchmark, to avoid budget reductions and secure job title changes, so as to better reflect their level of responsibility. The 2021 Corporate Security Organisational Structure, Cost of Services and Staffing Benchmark results include more detailed data breakdown and more comparison data than previous versions of the benchmark. The full report includes: Report-to level by organisation revenue Domains managed compared to security budget Report-to function vs. reporting level Budget by square footage Budget as a percentage of revenue Budget by sites covered Budget per employee Uniformed security vs organisational employees Personnel cost as a percentage of budget Responses and respondents vetted for data accuracy The report also details security’s responsibility and accountability by programme (e.g., supply chain security, IT forensic investigation, business continuity, asset protection), broken down by revenue, the number of employees, budget, and more. The Security Leadership Research Institute (SLRI) carefully vets responses and respondents, in order to ensure a high level of confidence in the reliability and accuracy of benchmark data. No other organisation focuses exclusively on quality, meaningful research specific to the corporate security function.

Kathleen Kotwica of the SEC discusses the state of corporate security research on The Security Podcasts: Women in Security Edition

Kathleen Kotwica, the Executive Vice President and Chief Knowledge Strategist at the Security Executive Council (SEC) and Principal Analyst, Security Leadership Research Institute (SLRI), recently sat down with Layan Dahhan of The Security Podcasts: Women in Security Edition, to discuss her career in the security industry and the current state of corporate security research. The podcast celebrates influential women in the security industry. Research in corporate security Kathleen Kotwica discussed the challenges of conducting research in corporate security Kathleen Kotwica discussed the challenges of conducting research in corporate security, a field in which leaders frequently balk at the prospect of sharing information. She recognised early on that without industry-wide research, security leaders would forever be re-inventing wheels, from developing or enhancing security programmes to gaining traction with their senior management. Reliable trend data and benchmarks Kathleen Kotwica has spent the last 16 years developing, conducting and enhancing research that is specific to the corporate security function, in an effort to provide meaningful and reliable trend data, and benchmarks, not just for a few security leaders, but to improve the security industry as a whole. She has architected and directed what is believed to be the largest knowledge base on security programme and leader success. “What people need to know is the more they share, the more information and actionable resources we can create for them,” Kathleen Kotwica told the podcast.

3xLOGIC introduces all-in-one functionality for a variety of cameras

3xLOGIC, the provider of integrated and intelligent security solutions, has announced the availability of its All-in-One Functionality, currently available in its serverless camera bundle, indoor cube camera, and 56-degree thermal camera offerings. All-in-One cameras feature onboard storage and, with the purchase of appropriate licensing, allow the camera to function as a standalone VIGIL Server. The cameras can also be used in conjunction with a VIGIL DVR for redundant storage capability. Affordable, edge-based solution As a standalone camera, All-in-One models are compatible with the entire VIGIL Software Suite, including direct access through VIGIL Client and its mobile app View Lite II, as well as with VIGIL Central Management for remote health monitoring and notification. “As dealers and customers look for more ways to balance and optimise video delivery and video verification, the need for camera-based edge storage and remote accessibility has increased,” says Bill Hobbs, VP of Global Sales. “The new All-in-One feature addresses these needs with an affordable, redundant, edge-based solution.” All-in-One Functionality is available on the following new solutions from 3xLOGIC: Flexibility, functionality, scalability, and future-proofing are at the heart of the serverless camera bundle Serverless camera bundle Designed for small to medium-sized enterprises (SMEs), as well as being suitable for educational, retail, healthcare, and warehouse and distribution environments, the 3xLOGIC Serverless Camera Bundle offers organisations that don’t have support staff to maintain on-site servers and infrastructure, the opportunity to benefit from a cutting edge security solution. Flexibility, functionality, scalability, and future-proofing are at the heart of the serverless camera bundle. As the world moves away from on-premises servers and into the cloud, 3xLOGIC has provided an interim step with serverless cameras that offer a “per camera” alternative. However, recognising that requirements change, it is possible to add a server if required or transition to the highly cost-effective 3xLOGIC cloud solution. All-in-one functionality The serverless camera bundle incorporates 3xLOGIC VISIX devices that boast all-in-one functionality. Users can choose from the VISIX 5MP fixed 2.8mm lens indoor/outdoor vandal-proof mini-dome and VISIX 5MP fixed 4mm lens outdoor mini-bullet cameras, which are both available in 128GB or 256GB storage options. Both variants feature solid-state components, so there are no mechanical drives as failure points, and they can be configured using the VISIX Setup App. Remote access to live and recorded video is possible through VIGIL Client and/or the VIGIL View Lite II App. Indoor cube camera VX-2M-CPIR-IAW delivers recording at the highest quality while enabling fast live viewing The 2MP Indoor/Outdoor Multi-Sensor Cube Camera with Wi-Fi. Featuring built-in passive infrared (PIR) sensors, two-way audio, and digital I/O, the VX-2M-CPIR-IAW delivers a feature-rich IP camera, alarm annunciator, and audio in a single small unit. With dual-streaming compression, the VX-2M-CPIR-IAW delivers recording at the highest quality while enabling fast live viewing from anywhere regardless of available bandwidth. Maximum performance The camera can be used with optional edge recording for a true all-in-one solution or it can be coupled with the VIGIL Series of network video recorders (NVR) and video management system (VMS) software for superior point-to-point hardware compression and decompression to allow for maximum performance of the live-streamed video. This provides higher-quality video, more concurrent streams, and lower overall demand on CPU performance. 56-degree thermal imager The 56-degree thermal device is ideal for surveillance and detection applications with insufficient lighting The new 56-degree field of view (FoV) thermal imager provides enhanced detection capabilities and is ideal for surveillance applications with insufficient lighting or in areas where smoke, fog, or dust are an issue. The 56-degree thermal device is ideal for surveillance and detection applications with insufficient lighting, or for customers who want visibility where they once had none. Edge-based recording software and an advanced analytics engine eliminate the need for an on-site server. Equipment temperature monitoring In addition to detecting intruders, the thermal fulfills another increasingly important function: equipment temperature monitoring. The ability to monitor generators, electrical panels, and other equipment – and proactively notify the user of an overheating or runaway condition – is a highly effective way to manage and preserve assets and security. Target markets for this thermal device include car dealerships and equipment rental companies; pawnshops; utilities, sub-stations, and maintenance facilities; seaports, railyards, and airports; and K-12 education campuses.

ASSA ABLOY Opening Solutions’ Incedo Business access control solution offers greater versatility for Clockwise’s flexible workspaces

Following a change in employment practices, created by the COVID-19 pandemic, many office-based employees now follow a hybrid schedule, working where they are needed or find convenient. The fast-growing use of flexible offices and co-working spaces is a testament to this emerging trend. With employees coming and going as they please, a change in how security and access control are managed is an urgent, but overlooked aspect that many firms are just waking up to now. Clockwise, renowned office space provider Clockwise is the UK and European provider of flexible office space for entrepreneurs and established businesses. The company’s expanding offering includes contemporary offices, meeting rooms and shared workspaces, across multiple cities. Any business, which relies on flexibility, places high demands on door security and access control. Clockwise needs a broad choice of electronic devices to secure meeting rooms, private offices, communal spaces and main entrances, which may not all require the same lock type. Access management should adapt to changing needs Access management must be able to adapt and change, as fast as Clockwise clients’ needs The office space demands of a start-up, freelance co-worker or growing SMB can change at any time, so Clockwise offer a range of membership levels and packages. Access management must be able to adapt and change, as fast as Clockwise clients’ needs. Because tenants come and go frequently, Clockwise facility managers need tailoring of user access rights, to be as easy as possible. Clockwise’s own spaces and a portfolio may also evolve, so any access system must be able to scale instantly up or down. How flexibly Clockwise can deliver for their clients is essential to growing in such a competitive market. Incedo Business offers versatile access control The range of Incedo-enabled devices and door hardware, managed by simple cloud-based software, convinced Clockwise to choose ASSA ABLOY Opening Solutions’ Incedo Business, for all their premises. This platform-based access solution connects security software and hardware within a single, future-proofed ecosystem. The diversity of Incedo-enabled devices enables Clockwise to select the ideal electronic lock for every opening in their properties. Internal private office doors, ‘Zoom rooms’ and meeting rooms, as well as communal area doors, and entrance/exits, are now secured with wireless access control devices from the Incedo Business range. Flexible system management options Incedo’s flexible system management options help Clockwise to operate access control with maximum efficiency. Administrators quickly create groups with tailored access for specific doors. Access permissions may also be time-limited, which is perfect for meeting room bookings or for facilitating access hours for different membership options. Private desk members get 24/7 admission, whereas hot-desk membership is only allowed entry during office hours. According to Clockwise, the flexibility to create groups and the ability to remotely update cards, both work really well for their business.

TopSource provides a comprehensive payroll solution to Retail Hub Solutions

Retail Hub Solutions Ltd. is a subsidiary of Raymond Ltd. Retail Hub is engaged in sales of all Raymond brand like: Raymond Premium Apparel ColorPlus Park Avenue Parx Makers Notting Hill Multi-location existence Retail Hub required full HRIS and employee self-service module. Employee data collection was an issue due to the pan-India multi-location existence of the client. Employees were not getting payslips & Income tax reports on time. This led to incomplete employee data collection and distribution. A large number of employee queries were unanswered each month. Retail Hub approached TopSource Worldwide to provide a comprehensive payroll solution that needed to be delivered on time, accurately, and also be able to respond to their growing needs. Data fields editable TopSource Worldwide helped the client by making data fields editable by employees themselves TopSource Worldwide provided employee self-service through Portico that gave access to employees for their payslips and enabled them to make investment declarations online. The Payslip distribution took place through Portico to multiple locations. 24X7 secure access to payslips was provided by Portico from anywhere via the web. TopSource Worldwide provided the solution for HRIS with Portico, which had the data storage functionality and client contact was able to generate reports at any point in time. TopSource Worldwide helped the client by making data fields editable by employees themselves. Thus, it helped the client to gather the HRIS data on time and accurately. Facilitating internal reporting Special reports such as MIS, CTC, and many more were provided to facilitate internal reporting for finance and HR functions. All queries related to HR and Payroll are now tracked through a web-based system and they have substantially reduced in number. Retail Hub no longer spends time on administrative work and queries related to payroll. When necessary the HRIS data can be generated with a click of a button. They have eliminated the risk of issues caused due to employee dissatisfaction with payroll and are now getting their payroll reports on time. Online availability of information has assured Retail Hub employee satisfaction.

AlertMedia appoints Kara Hamilton, the Chief People and Culture Officer at Smartsheet, to the Board of Directors

AlertMedia, the globally renowned emergency communication and threat intelligence solutions provider, announced that Kara Hamilton, the Chief People and Culture Officer at Smartsheet, has joined the company’s Board of Directors. Strategic growth initiatives In her capacity on the company’s Board of Directors, Karan Hamilton will work closely with AlertMedia’s executive leadership team, to support a variety of strategic growth initiatives and pursue new market opportunities. 2020 was a record year for AlertMedia and reinforced that we’ve only scratched the surface" “2020 was a record year for AlertMedia and reinforced that we’ve only scratched the surface, as we work to deliver the technology businesses need, to keep their people safe and informed, during critical events,” said Brian Cruver, the Founder and Chief Executive Officer (CEO) at AlertMedia. Vast industry experience Brian Cruver adds, “Kara is a unique leader, who brings years of experience serving in a variety of roles, at multiple fast-growth businesses, including at her current company, where she helped take the company public. I’m excited to tap into her immense talents, to accelerate our growth trajectory and momentum in the market.” As the Chief People and Culture Officer at enterprise collaboration software company, Smartsheet, Kara Hamilton is responsible for all aspects of employee experience, including recruiting and retention strategies. Served in leadership roles in global companies Under her leadership, the company has garnered numerous awards, recognising company culture, including consistently being recognised as a best place to work. Prior to focusing on people and culture exclusively, Kara Hamilton served in a variety of leadership roles that spanned finance, legal, and IT sectors. Before joining Smartsheet, she also served as the Director of Finance for GoAhead Software (acquired by Oracle), where she led business operations for the U.S., Poland, and India. “The AlertMedia team has delivered truly market-leading solutions to an impressive and rapidly-growing customer base,” said Kara Hamilton, adding “Given current events and the unprecedented year we’ve just endured, emergency communication and employee safety have never been more important.” Solutions supporting faster and effective communications Kara Hamilton’s board appointment comes at a time of explosive growth for AlertMedia’s business and team She further said, “An organisation’s investment in the safety and well-being of their people should be a central component of the future of work, and every company can benefit from solutions that support faster and more effective communication.” Kara Hamilton’s board appointment comes at a time of explosive growth for AlertMedia’s business and team. During the past 12 months, the company experienced a 96% increase in year-over-year revenue growth, while adding nearly 1,000 new customers. Additionally, the company added more than 100 new employees, since the beginning of 2020. AlertMedia, recognised as top employer AlertMedia has continued to earn accolades, as one of the top places to work in Austin, Texas and the entire country, recently being recognised as a top employer, by multiple technologies and business publications, including the Austin Business Journal, Built-in Austin, and Inc. magazine. Kara Hamilton joins current AlertMedia board members, Mike Smerklo, Co-Founder and Managing Director at Next Coast Ventures, Morgan Flager, Managing Partner at Silverton Partners, Bob Nye, General Partner at JMI Equity, and Brian Cruver, Founder and CEO at AlertMedia.

Abloy UK secures Thames Water Contract

Abloy UK has been awarded a three-year contract with Thames Water, valued at an estimated ∼750k, to upgrade existing locking systems between now and June 2024. Thames Water is the UK’s largest water and wastewater company, serving 15 million customers across London and the Thames Valley. Cylinders and padlocks Products specified for the project include padlocks and a range of cylinders, which will be used to secure a variety of areas and assets. These include treatment plants and pumping stations on applications such as hatches, doors, and gates. They'll be used at over 22 sites in North and East London including Coppermills and Abbey Mills. Abloy cylinders combine flexibility with security, to provide unbeatable performance and meet the BS EN 1303 standard for Cylinder Locks. Abloy padlocks use a unique rotating disc principle and are renowned for their endurance and maximum resistance against physical attack, offering durability in even the severest of climatic conditions. Access control and keyless solution There is also the future potential to implement a PROTEC2 CLIQ access control system and BEAT keyless solution that combines a digital key, mobile application, and a heavy-duty, Bluetooth padlock, all managed with the visual Abloy OS user interface. Simon Jeff, Market Developer for Critical Infrastructure at Abloy UK, said, “We are delighted to have secured a contract of this size with such a prominent and well-respected company such as Thames Water, and look forward to successfully implementing the new locking systems over the next three years.”

Hikvision announces technology partnership with Yeastar for IP-based video intercom integration

Hikvision, an IoT solution provider with video as its core competency, announced a new technology partnership with Yeastar for IP-based video intercom integration. The integration provides a convenient solution for SME (small-medium enterprise) customers to remotely control and manage their intercom systems, as well as communicate with visitors. Remote communication Usually for SME customers, if all employees are out of the office, welcoming visitors is nearly impossible. But the integration of Hikvision’s video intercom and Yeastar IP PBX system will enable customers to easily communicate with visitors remotely. Even the receptionist who is not at a workstation won’t miss visitors, since the integration provides SMEs with visualised call management, video communications, and anywhere-anytime connectivity – yet outperforming across browsers, mobiles, and desktops. Benefits of integration With the integration, SME customers can: Answer and open a door from any time anywhere and see who is at the front door and converse easily via IP video phone. Auto-forward door phone calls to a mobile number when not answered. No more expensive and separate paging servers. The PBX built-in paging system enables easy broadcasting from the devices customers like (IP phone, mobile, or PC). Supported Yeastar products P-Series PBX System: Purpose-built for SMEs to fulfill more sophisticated communication needs, P-Series PBX is a converged system that wraps a suite of services around, including voice, video, applications, collaboration, and more. S-Series VoIP PBX: Easy to manage, configure, and install, the feature-rich S-Series unleashes the power of unified communications and meets the growing needs of SMEs. Yeastar Cloud PBX: A robust, flexible and easy-to-use hosted business phone system. The partnership with Yeastar will expand the scope of Hikvision intercom solution, and create more values for our customers" Expanding intercom solution “We are happy to announce the partnership with Yeastar, which will expand the scope of Hikvision intercom solution, and create more values for our customers. More collaboration across the industry is benefiting the market with a greater variety of functionality.” “Hikvision will persist in openness and work closely with technology partners to build a strong and mutually beneficial ecosystem,” says Adler Wu, Global Technology Partner Alliance Manager at Hikvision. Integrated PBX-Intercom solution “Hikvision has a proven record of providing high-quality IP-based intercom solutions, and we’re pleased to now call them an official Yeastar technology partner.” “With Yeastar & Hikvision, our mutual customers can take advantage of a market-leading, award-winning business phone system and are guaranteed to benefit from an integrated PBX-Intercom solution that improves productivity, streamline operations, and cut overheads,” adds Prince Cai, Vice President of Yeastar.

SALTO unveils the new XS4 Original+ smart locking solution with redefined design and a powerhouse chip

SALTO Systems (SALTO) has introduced the XS4 Original+, the next generation of the world’s most flexible and reliable smart locking solution that features a beautiful design, with a sleek flat reader in two new colours. SALTO XS4 Original+ The new SALTO XS4 Original+ takes the trusted and proven flagship XS4 Original electronic lock product family and incorporates the latest technology, to accommodate access control needs of both today and tomorrow. Our customers, partners and users rely on the XS4 every day, which is why we’ve made XS4 Original+ more powerful" “Our customers, partners and users rely on the XS4 every day, which is why we’ve made XS4 Original+ more powerful, capable, and redefined to elevate any door’s security, and management,” said Marc Handels, SALTO Systems’ Chief Technology Officer (CTO). Marc Handels adds, “When you have an excellent product like the SALTO XS4 Original electronic lock that has withstood both the test of time and technology, it makes sense to improve upon what is already working very well.” Embedded with BLUEnet functionality The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability, which enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. The SALTO XS4 Original+ is compatible with the array of SALTO platform solutions, including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE, and NFC technology functionality. “By incorporating the latest in technology into the XS4 Original+ locking range, SALTO has delivered a product that extends up-to-date and comprehensive electronic access control to any door,” said Handels. Engine of XS4 Original+ XS4 Original+ is much faster than the XS4 Original, delivering more performance, new security architecture" The XS4 Original+ is much faster than the XS4 Original, delivering more performance, new security architecture and the same electronic functionalities, which is based on BLUEnet connectivity, and better power efficiency. The feature rich new security architecture, which is protected against internal and external attacks, makes everything more fluid, transforming the way users’ access, operators manage, and installers’ set-up the electronic lock. Catering to a range of access and customer needs There is an XS4 Original+ model for every type of access and customer need. The existing XS4 Original models are fully available in the XS4 Original+ product range, from the key override option to mechanical or electronic privacy models. Just as with the original version, the SALTO XS4 Original+ is suitable for a wide range of customer applications, including interior doors in educational or commercial buildings or tailored solutions for other specific building requirements. Easy to install and retrofit Easy to install and retrofit, the SALTO XS4 Original+ works with ANSI, Euro, DIN and Scandinavian door industry standards. Universally compatible, it can replace the existing door hardware and fits any door with unlimited model options. XS4 Original+ wide reader models are slightly wider and the reader is now flatter. “SALTO has long sought feedback from our end-users and partners on what they desire in an upgrade and, taking their input into account, we have developed the XS4 Original+ which delivers everything needed for current and future smart lock solutions,” said Aznar Sethna, SALTO Systems’ Chief Sales & Marketing Officer (CSMO). Aznar Sethna adds, “With restyle designs, industry-leading performance and advanced access control features, with impressive communication capabilities, all with incredible durability, the XS4 Original+ ensures customers get secure and safe access when they need it.” Redefined and stylish design The XS4 Original+ works with existing XS4 Original door hardware. A broad range of different models and functions make smart access to any door possible, in order to cover all needs of any type of building. Visually, the XS4 Original+ differs from the conventional XS4 Original only in a few details, with improved reader aesthetics. Thanks to a sleek design update, the XS4 Original+ looks better than ever Thanks to a sleek design update, the XS4 Original+ looks better than ever. The reader is now flatter and available in black and white colour options, for a simplified, modernised front. The ANSI, Euro Wide, and Scandinavian Wide standard reader models are a little wider, thereby creating a more harmonious version. The XS4 Original+ can be tailored to varying building and door needs, with a wide variety of colours and finishes, including the new Dark Bronze finish, and black or white reader options. These can be visualised on a wide range of door styles, by using the SALTO MyLock Configuration tool. Environment-friendly access control solution The XS4 Original+ is designed to minimise its impact on the environment. Today, SALTO Systems is carbon neutral for corporate factory operations and is committed to having net-zero climate impact, across the entire business, which includes manufacturing supply chains and all product life cycles. The XS4 Original+ is the latest model from SALTO to be delivered to customers as a net CO2-neutral access control solution. This concept involves offsetting the CO2 emissions generated during the manufacturing process and the logistics until it is delivered to the customer.

Yeastar and Dahua Technology jointly announce ECO partnership on PBX-Intercom integration

Yeastar, the provider of SME PBX systems, and Dahua Technology, a world-pioneering video-centric smart IoT solution, and service provider jointly announced a new ECO partnership on PBX-Intercom integration. The two top-notched companies are striving to provide a more cohesive and comprehensive UC&C solution for SMEs, helping their mutual and potential customers keep tabs on their places in real-time and manage the intercom system in no time. Anywhere-anytime remote intercom communications The excellent interoperability of Yeastar P-Series PBX System and Dahua’s intercom devices has been proven after a series of tests and certifications to capacitate anywhere-anytime remote intercom communications and public access control perfectly, allowing SMEs to quickly intercom, make zone paging, and even control door access to the premises – from anywhere without requiring any separate intercom/paging server. In simple terms, with the PBX-Intercom integration, SME customers can: Control intercom system remotely anytime from any Yeastar PBX extension See who is at the front door and converse easily via IP Video Phone or Yeastar Linkus Web Client Screen visitors at entrances, car parks & security barriers Automatically forward door phone calls to a mobile number or Linkus Mobile Client when not answered Creating smarter ecosystem “We are now glad to join hands with Dahua Technology to help our mutual customers streamline operations and improve working efficiency with easy deployment and all-inclusive features. ECO partnership is also in line with our common value pursuit – create more and better smart technology products & solutions – and keeping with our national innovation-led technology aspiration,” said Prince Cai, Vice President of Yeastar. “It’s great to have Yeastar in our Eco Partner Program. Dahua has been committed to building a smart ecosystem together with global technology partners and looking forward to creating joint value for customers through integrated solutions,” Peter Pan added, Dahua Global Technology Partner Alliance Director.

Advance Security Group unveils New Zealand’s first security robot, Harriet

Advance Security Group believes Harriet, New Zealand’s first security robot, will change the security industry as the first employee, who never needs a holiday, doesn’t need sick days and can work 24 hours a day. Security robot - Harriet The security robot, Harriet is capable of seeing obstacles, recognising licence plates, uniforms and faces. Mike Marr of Advance Security Group, said “It won’t mean people lose their jobs but rather, offer up new opportunities. What it does do is open up new opportunities and makes our industry more attractive for people with wider variance in the skills and opportunities that sit there.” Interest has proven to be strong already, with offers from ports, hospitals and airports.

Vectra reports high sales and strongest quarter in company history in 2020

Vectra (Vectra AI), a globally renowned company in network detection and response (NDR), has reported that in calendar 2020, sales continued to grow at a compound annual rate exceeding 100 percent and sales of Cognito Detect for Microsoft Office 365 accelerated, growing at a rate of 340 percent. These trends were driven in part by the rapid adoption of Microsoft Office 365 productivity applications, such as Microsoft Teams and heightened cyber security concerns, in the wake of numerous high-profile attacks in 2020. Vectra helps enterprises fight COVID-19 The positive results topped an impressive year for Vectra, which took a major role in securing many organisations fighting the COVID-19 pandemic and continued to accelerate global expansion initiatives. Vectra solutions helped customers cut their risk of suffering a major security event by 63 percent in 2020" Vectra’s Chief Executive Officer (CEO) Hitesh Sheth said “Vectra solutions helped customers cut their risk of suffering a major security event by 63 percent in 2020. In response to multiple high-profile supply chain breaches and infiltration of widely used business application, such as Office 365, it’s gratifying to see more companies broadening adoption of NDR solutions, to secure assets in the Cloud, data centres, end users and IoT resources.” He adds, “These successful cyber-attacks underline the value of threat detection solutions that secure an entire network infrastructure, including hybrid, the Cloud, data centres and corporate networks. Innovative Vectra NDR solutions do just that. Vectra customers have greater insight into threat landscapes and faster detection times. With Vectra, their ability to identify actual threats is 85 percent improved.” Vectra’s Cognito Detect software solution As cybercriminals targeted healthcare providers, manufacturers and pharmaceutical companies responding to the COVID-19 pandemic in 2020, Vectra’s Cognito product helped detect and arrest an in-process attack on Sanofi, the France-based multi-national pharma firm, contributing to vaccine development for Europe. (Sanofi joined Vectra in January 2020 to recap the attack and response, and share best practices moving forward) Vectra also added channel partners and product distributors worldwide, across both existing and new markets. Additions included Arrow Electronics as a distributor for the United Kingdom and Iberia, Westcon for Benelux countries, DACH and Sub-Sahara Africa regions, and Exclusive Networks for North Africa and the Middle East regions. The company also secured product distributors for Russia and CIS territories and, in the third quarter, unveiled a modernised global channel partner programme that provides enhanced training and support. Vectra’s new product integrations and features Building on this momentum, Vectra recently launched several new product integrations, features, and capabilities, including: Deep product integration with CrowdStrike Falcon Insight that delivers expanded response capabilities for Cognito Detect, enabling well-coordinated, instantaneous responses to thwart cyber-attacks directly at the device level. An integration programme with Microsoft Defender for Endpoint (formerly Advanced Threat Protection) for Cognito and its lockdown feature. This further extends Vectra’s automated enforcement capabilities, to enable SOCs to stop ongoing attacks in real time. Improved ability to operationalise via the SIEM, especially in large enterprises, with a variety of logging enhancements. Extended product reach in the virtual data centre with Hyper-V sensor support. Launched Vectra Threat Intel that significantly increases the day-to-day (non-threat) value. Augmented Vectra AI with Vectra Threat Intelligence, to provide improved context and coverage, making it easier to find, identify, and remediate potential threats. Vectra wins multiple awards in 2020 Vectra was repeatedly recognised in 2020 for its state-of-the-art customer service model, winning the ‘best customer service’ category in the 2020 SC Europe Awards, with an industry-renowned 95 percent customer renewal rate. The company’s signature Cognito platform won industry recognition, as the ‘best security innovation in a SaaS product’ in the 2020 SaaS Awards. Cognito is also a six-time gold winner at the Cybersecurity Excellence Awards and a two-time winner of the Cyber Defense InfoSec Awards for NextGen cloud security and NextGen AI, and machine learning.

PSIA approves the Secure Credential Interoperability (SCI) 1.0 specification

The Physical Security Interoperability Alliance (PSIA) announces it has approved the Secure Credential Interoperability (SCI) 1.0 specification. The PSIA has been working with a broad group of industry pioneers in the access control industry to come up with this specification, which is likely to have a significant influence on the future of secure mobile credentials. Mohammad Soleimani, the Chief Technology Officer of Kastle Systems and the Chairman of the SCI Work Group, introduced this concept to the organisation in 2020 and has had a strong influence in engaging other companies in its development. Compatible secure credential “A standard for secure mobile credentials has been long overdue in the industry. SCI relies on established standards and the Public Key Infrastructure, to provide a simple, but elegant solution,” said Soleimani. SCI addresses the need for a universally compatible secure credential for the physical access control industry in the form of cards, fobs, mobile devices, and wearables. Progress has been dramatic, with the technology being demonstrated at a PSIA technical meeting in August featuring apps from IDEMIA and Johnson Controls and a Kastle reader developed by WaveLynx. “It has been our mission from day one, to drive secure credentials and interoperability into the market” said Laurie Aaron, Executive Vice President at WaveLynx Technologies Corp. “Joining PSIA to collaborate and execute on a standard that is made available to all, has been a fast track to mission success.” Different mobile platforms The SCI specification helps the industry to take steps towards the last mile of credential evolution" One of the important characteristics of SCI is its interoperability across different mobile platforms including iOS and Android or devices with the ability to generate ephemeral key pair, which can be communicated over various protocols such as BLE (Bluetooth Low Energy), NFC (Near Field Communication), and UWB (Ultra-wide band). “The SCI specification helps the industry to take steps towards the last mile of credential evolution where interoperability of credentials can exist. The simplicity of the use of a public key leveraging standards and best practices ensure a secure and open way to manage credentials that takes proprietary out of the picture.” says Jason Ouellette, the Head of Technology and Business Innovation for Johnson Controls Access Control and Video Solutions business. Security industries’ efforts Participants in the spec development include, ASSA ABLOY, Deister Electronics, Farpointe Data (a dormakaba company), HID, IDEMIA, Kastle Systems, LenelS2, rf IDEAS, SentryCard, Siemens, and Johnson Controls. “This is an important milestone in the security industries’ efforts to enable flexible, interoperable and scalable solutions,” states Peter Boriskin, Chief Technology Officer for ASSA ABLOY Opening Solutions Americas. “It will be essential to consider how this and other standards apply across various industries, and how current and emerging standards impact each other.”

RaySecur appoints former Boston Police Commissioner, Ed Davis to the company’s Advisory Board

RaySecur, a security imaging technology company with the world’s first DHS Safety Act-designated millimetre wave (mmWave) desktop scanner, for mail and package threat detection, announced that former Boston Police Commissioner, Ed Davis has joined the company’s Advisory Board. Ed Davis will leverage his decades of law enforcement experience, in order to help RaySecur accelerate adoption of its flagship MailSecur mail and package threat detection solutions. MailSecur scanners MailSecur scanners use safe mmWaves to see inside of objects. They can detect more and smaller threats than X-ray scanners, including explosives, weapons, radiation, and other suspicious contents, as well as liquids and powders at 300x the sensitivity of X-rays. Unlike X-ray scanners, there are no safety concerns or need for specialised training. Mail threat incidents have been increasing, with the United States Postal Inspection Service (USPIS) and the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), responding to an average of more than 10 dangerous mail or package incidents each day, for the last three years. In the last 16 months, AstraZeneca’s COVID-19 vaccine plant, Subway Sandwiches’ corporate headquarters, and Dr. Anthony Fauci have all been victims of dangerous mail threats. Mail and package threat detection Mail and package threat detection is an underestimated and vitally important component of public safety" Ed Davis stated, “Mail and package threat detection is an underestimated and vitally important component of public safety, and I’m excited to join the Advisory Board of a company that offers the only safe and scalable solution for organisations and individuals, to combat this problem.” He adds, “It’s crucial that law enforcement, enterprises, correctional facilities and government institutions have access to this technology, and ensure they can seamlessly scan every package, in a quick and efficient manner. I look forward to working with RaySecur, to help meet this important security need.” RaySecur's Advisory Board Ed Davis is the latest addition to a world-class team comprising technology, military, security and law enforcement professionals. He has a 35-year proven track record and is the President and Chief Executive Officer (CEO) of business strategy and security services firm, Edward Davis Company. Ed Davis served as the Boston Police Commissioner from December 2006 to October 2013, where he led the highly successful response to the Boston Marathon bombing. Prior to that, he was the Superintendent of the Lowell, Massachusetts Police Department for 12 years. Davis also serves on AT&T’s Advisory Board and was a former Safety Advisory Board Member at Uber. Enhancing mail security “We are honoured to have an esteemed law enforcement figure, such as Ed Davis join our Advisory Board and help us continue closing the mail security gap,” said Alex Sappok, Ph.D., the Chief Executive Officer (CEO) of RaySecur. Alex adds, “Ed’s strong interest in RaySecur not only highlights the importance of improving mail security across industry and government, but also our solutions, which can easily address the problem at scale.”