(un)-Safe Deposit Box Security Review

By chrislim at 12:05 pm on January 11, 2008 | 7 Comments

My review was on safety deposit boxes based on my experience using them. I was surprised at how stunningly insecure they are (although there may be additional controls I did not know about that banks implement), and am further surprised by the fact that the system is still largely operational. Beyond that, I was surprised at how interesting something as mundane as a safety deposit box could turn out to be.

Summary:
Safe(ty) deposit boxes are a common service provided by banks with an established protocol and two-lock system for ensuring the security of the valuables stored inside. A person requesting to rent a box from a bank initially provides some form of acceptable identification (e.g. driver’s license) and a signature and then receives an assigned key. According to Wikipedia, some banks are supplementing these mechanisms with a code or biometric access control; however, for this review I assume that only the identifying document, signature, and key are required (and this is my experience with my current bank).

When the person wants to access the box, I assume the procedure to be as follows: identification is presented and the bank verifies it against a paper list of safety deposit box assignments on file. Next, an audit trail is maintained by requiring the person who wants to open the box to sign their name and the date on a paper list (their identification information and box number are written in by the banker). Then both the banker and the customer enter the safety deposit box chamber and the transparent door is closed behind them. The banker finds the appropriate shelf location and inserts her guard key; the customer then inserts his key, and a small door for the particular shelf is unlocked so that the box can be taken out and brought to a table in the room. The guard key is removed from the shelf door while the customer’s key remains in the lock until the box is replaced and locked into place. The banker then leaves the room, closing the transparent door behind her to ensure the customer’s privacy. When the customer is finished, he returns the box to its proper location on the shelf and calls for the banker, who returns and, using the guard key, locks the box back into place, which releases both the guard and assigned keys. The customer retrieves his key, both leave the chamber, and the door is closed behind them.

If multiple people are listed in the bank’s records for a particular box and provide identification, they can both enter the chamber together. I assume that two customers with different boxes cannot be in the room at the same time.
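As an added illustration (not part of the original post), the following Python model encodes the procedure just described as an ordered set of checks, using made-up names, key values and box numbers:

```python
# Constructed model of the two-key safe deposit box procedure from the summary above
# (names, keys and box numbers are made up; not any real bank's system).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Vault:
    assignments: dict              # box number -> names on the bank's paper list
    box_keys: dict                 # box number -> the key cut for that box
    guard_key: str = "GUARD"       # the single guard key the banker carries
    audit: list = field(default_factory=list)
    in_chamber: Optional[int] = None   # box whose customer is currently inside

    def open_box(self, name, box, customer_key, signed, banker_key):
        """Return the failing control, or 'opened' once every control is met."""
        # 1. Identification is checked against the list of box assignments.
        if name not in self.assignments.get(box, set()):
            return "identity rejected"
        # 2. Audit trail: the customer signs and dates the paper list.
        if not signed:
            return "audit entry missing"
        # 3. Only one box's customer(s) may be in the chamber at a time.
        if self.in_chamber not in (None, box):
            return "chamber occupied"
        # 4. Dual control: guard key AND assigned key, never one alone.  A
        #    duplicated key is indistinguishable here, the weakness noted below.
        if banker_key != self.guard_key or customer_key != self.box_keys[box]:
            return "dual control failed"
        self.audit.append((name, box))
        self.in_chamber = box
        return "opened"

    def close_box(self, box, banker_key):
        """Banker relocks the box with the guard key, releasing both keys."""
        if self.in_chamber != box or banker_key != self.guard_key:
            return False
        self.in_chamber = None
        return True

def demo():
    v = Vault(assignments={101: {"alice", "bob"}, 102: {"carol"}},
              box_keys={101: "K101", 102: "K102"})
    results = [v.open_box("mallory", 101, "K101", True, "GUARD"),  # not on the list
               v.open_box("alice", 101, "K101", False, "GUARD"),   # skipped sign-in
               v.open_box("alice", 101, "K101", True, "GUARD"),    # every control met
               v.open_box("carol", 102, "K102", True, "GUARD")]    # chamber still busy
    v.close_box(101, "GUARD")
    results.append(v.open_box("carol", 102, "K102", True, "K102"))  # no guard key
    return results, v.audit
```

Every refusal names the control that stopped the access, which is the property the weaknesses section below argues the paper-based system cannot actually guarantee.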

Assets/Security Goals:

  • Critical legal documents such as wills or deeds may be stored in a safety deposit box in order to protect them from theft or disasters (e.g. fire/flood).
  • Valuable objects such as gems, precious metals, and currency may be stored in a safety deposit box because of the assumed higher security it offers compared to storing these things at home.
  • Sensitive documents may be stored in the boxes, so confidentiality/privacy of the things customers store in their box is a key security goal.
  • Only the customer should be able to put things in and take things out of the box, so the integrity of its contents is also important.

Potential Adversaries/Threats:

  • The bank employee (aka banker) is a potential adversary who has considerable power. The bank employee may desire to see the contents of a box or even remove contents (theft) or add contents (framing?).
  • Thieves who have knowledge about the contents of a particular person’s box and desperately want its contents (e.g. spies, etc.).
  • Someone who formerly cosigned for the box who has had a relationship fallout with the customer and wants to hurt the customer by taking valuables out of the box before the customer can take the person off of the access list.

Weaknesses:

  • The keys are easily duplicated. Bank employees may be able to duplicate the guard key and customers’ key (since an unused box has its key stored at the bank), which would remove the dual control protection and enable the banker to open any box. Or someone who previously requested a box could make a duplicate of the customer’s key for future use.
  • The safety deposit box access protocol relies too much on humans and is complicated. A banker could use social engineering to exploit the ignorance of customers who are not familiar with the safety deposit box procedure, tricking them into somehow giving access or into skipping some of the safeguards (e.g. filling out the audit trail); bankers may also collude with customers to circumvent controls like the audit trail.
  • The identification system and paper-based controls are easily manipulated. See above; the bankers can choose not to use them, or customers could fake them (e.g. using a fake ID with a forged signature and a copied key).

Potential Defenses:

  • Biometric security could be used as a more accurate identification mechanism, which is more difficult to fake. For example, a photo of the customer could be taken and stored in a computer so that when the customer (or someone posing as him) comes, the banker can do a simple facial verification in addition to checking the identification card. Or, in small branches, bank employees may already be familiar with local customers, and this kind of personal knowledge is sufficient to verify someone’s identity. Protecting identity largely protects against external attacks.
  • Banks should require some form of access control to the chamber that does not depend on employee compliance as much. Right now the chamber’s door is opened by the banker using a conventional key. Requiring in some way the customer’s key would force the audit trail to record the “true” usage information (see below) and result in a simpler process (show id, use key to access room), which would reduce the ability of bank employees to manipulate or circumvent the system.
  • Use CyberLocks (Author’s Note: my dad’s company sells this, I’ll do a review on it in the future). These are electronic locks that can be used anywhere a conventional lock can be used, but come with the added benefits of being hard to duplicate, easily expirable, and automatically store an audit trail on key and on lock. Using this system a customer can simply present his id and use his key to access the appropriate box (with the audit trail automatically taken care of).


Risk Evaluation:

The Risk Impact (from the customer’s perspective) of a breach on a safety deposit box varies according to its usage: if one stores replaceable documents (e.g. a passport or encrypted disk backups), the impact may be relatively low (unless the loss results in identity theft), but if one stores millions of dollars worth of jewelry in the box, it will be of very high impact. Other critical documents will vary based on the value of their contents. To the bank, the Risk Impact (in terms of financial liability) is probably relatively low since the box’s contents are confidential and customers typically access a box infrequently, meaning that stolen or destroyed contents may not be noticed (especially not noticed quickly) and the customer may have no recourse in proving his loss. However, for this analysis, let us focus on the customer’s perspective and assume a medium level risk impact.
The risk probability of key duplication can be assumed to be relatively high because it is currently not difficult to do. Faking a customer’s identity to gain access to his box is a lower probability threat because of the difficulties in obtaining the customer’s key in addition to forging an identity and signature. Ultimately, the security of the system rests primarily on the integrity of bank employees. Being insiders, they have nearly full access and can manipulate or ignore protocol according to their needs. Because of the large number of bank employees, even if we assume a small percentage of them to be crooks, those crooks have considerable access and potential to do harm. In this scenario, the risk probability may be low (due to the small percentage of bad employees), but we must assume the risk impact to be quite high because of the wide access insiders enjoy. Thus the overall risk exposure will be in the mid-range because the assets stored in safety deposit boxes are mostly at least medium impact and the probability of some attack is mild.

Conclusion:

With the advent of newer access control technologies, it seems like only a matter of time before banks will begin to implement better control mechanisms. However, it is rare to hear stories of safety deposit boxes being broken into perhaps because the current system is sufficient or because the contents of boxes have been so private that their loss has not come to public attention. Perhaps bank employees who certainly have method and opportunity thus far have had little incentive or motive to attack the safety deposit box system (e.g. they are largely people of integrity) or maybe my analysis is too simplistic and left out other controls like surveillance systems that banks have put into place. However, because of the vulnerabilities of the system and the apparently relative ease with which an insider can exploit them, I would recommend using a safety deposit box only to protect assets from disasters such as fires, floods, etc. Under the current system, a determined thief can probably infiltrate the system without too much difficulty and an insider would face even fewer barriers. In order to improve safety deposit box security, banks should implement a biometric identification system (like simply taking a customer photo and verifying it) to protect against external attacks, and a more robust auditing and access control system to protect against insider attacks.

Filed under: Physical Security, Security Reviews

7 Comments

  • 1

    Comment by Ellen

    February 19, 2008 @ 7:54 am

    A relative died a couple of years ago. She had a safe deposit box. She banked at a couple of different banks. When she died her husband and another relative went to get the contents of a safe deposit box. They were told by the bank that the box had been checked out of the bank some years ago. Said the box was never returned. Can this really happen? Do they really allow the BOX itself to be taken out of the bank? Thanks Ellen youreout@strato.net

  • 2

    Comment by chrislim

    March 20, 2008 @ 11:09 am

    Hi Ellen,

    I apologize for taking so long to reply. I found this article detailing some specifics about safe deposit box usage: http://www.foreignborn.com/self-help/banking/10-sd_boxes.htm
    I do not believe you can personally take the actual box out of the bank, but I may be wrong.
    From reading the article, there appear to be 4 possibilities as to why the box would be taken out of the bank:
    1) Law enforcement authorities could have accessed it
    2) The box may have been declared “abandoned” and the contents turned over to the government
    3) The bank may have failed and been acquired by a different bank
    4) There may have been a misunderstanding or mistake at the bank

    Hope this is helpful.
    -Chris

  • 3

    Comment by Rob Bowman

    March 21, 2008 @ 4:25 am

    I think one problem with this article might be how a safety deposit box is set up.

    implement a biometric identification system

    Safety deposit boxes are made for anonymous access. They by nature are supposed to be open to anyone who meets the security criteria. They are also very protected by law. Obtaining search warrants for them is not a routine matter. Oftentimes they are granted AFTER you are arrested and rarely before.

    Cyberlocks

    Kudos on the Cyberlocks. You can find many instances of bank employees stealing from the safety deposit boxes. Although in an older bank that does not have up-to-date technology, these are actually MORE effective in my opinion. My father used a bank where if you lost your key, the only way to get it open was to locksmith it or drill it.

    One thing that I think was left out of the article was the Patriot Act. They can now inspect the contents of your box. It reminds me of the old crooked police quote “We find the suspect, then we find the evidence”. I do not personally know of an instance when something was seized. Although one would have to think of the items you might put in a safety deposit box.

    • Family Heirlooms (not always legal)
    • Personal Information (secrets)
    • Very expensive Jewelry
    • Photos of teenage girlfriends (illegal)
    • Etc……

    Do you want someone to know any of this? I guess the best place to keep something is to bury it, just like in the old days.

    Very nice article and well written. It was a privilege to read.

  • 4

    Comment by paul

    March 25, 2008 @ 12:07 pm

    On the other hand, one might be leery of attempts to “update” safe-deposit security precisely because of the defense in depth that current procedures offer. Most banks, as far as I know, have procedures about who holds the bank keys, how sign-in is done and so forth, that would require collusion among at least two employees and possibly more.

    Whenever I hear about computerized locks, I wonder whether a lock has back doors, whether it fails open or closed, how easy it is to make duplicate passcards, whether the audit trail is vulnerable to simple countermeasures and so forth. That’s of course no worse than the problems of the noncomputerized counterparts, but in so many institutions there’s a tendency to trust computerized systems and eliminate some of the defense-in-depth.

  • 5

    Comment by gwern

    August 3, 2008 @ 4:56 pm

    It’s worth noting that law enforcement seizing your box is a very real risk here, particularly seizures for inactivity: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/02/LOSTPROPERTY.TMP

    So, if you don’t regularly access the box, you’re at risk for such things; but accessing the box means increasing the risk of attracting attention, losing the key, etc…

  • 6

    Comment by jojo

    October 7, 2008 @ 12:42 pm

    Thanks Gwern, you just swayed my decision.

  • 7

    Comment by SHAR

    December 29, 2008 @ 6:29 pm

    What steps do the banks take to protect themselves and their customers from someone, while seizing the box to lie and claim the box was empty when in fact the box was packed full of jewelry and family heirlooms?

    This just happened to me. All of a sudden the bank no longer has a record of my ever having a safety deposit. Fortunately one of the employees had escorted me several times to my box. It was only then did the branch mgr produce a contact name and phone number of an atty and a law firm he represented with instructions I call THAT number and ask THAT person all my questions.

    I asked the branch mgr if there was an inventory taken of the contents. He said yes, but when I asked for a copy he told me it wasn’t there but at another branch!!
    then he told me the box was EMPTY. Nothing was farther from the truth.

    Making matters worse, the law firm denies anyone by that name ever worked there. The atty who had the bank drill the box open had temporary POA based on fraud and the court papers were signed by that same law firm.

    The bank asked me to not call the police until after they talked with the branch mgr. But he only told them the same thing he told me “Call the name on the piece of paper and he will answer all your questions”

    The bank said “there was nothing more they could do”
    THIS IS GRAND THEFT!!! and there is “nothing they can do”?? They can’t even tell me what steps were taken to protect my belongings.

    Now it’s my word against the atty and branch mgr.

    Where are the surveillance cameras whenever a box is drilled open?

    WHAT STEPS ARE BANKS REQUIRED TO TAKE TO protect themselves and their customers from this kind of internal bank theft.
    btw, The Bank is CHEVY CHASE BANK in MD.
