Physical security is one of the three mainstays of Cygenta. We often work with clients that want us to test some aspect of their physical security. And the more that 'smart' technology is integrated into buildings, the more we are delivering pen testing that crosses physical and technical security.
But the general public do not get the privilege of asking an expert to test the security of the systems they consume. They must rely on what they are told by the service provider, sometimes all they have is hearsay.
From Ocean's Eleven to The Da Vinci Code, heists involving safe deposit boxes are often in popular media. And many people will remember the Hatton Garden heist, which happened in April 2015, and the plundering of safe deposit boxes as part of that. With this in mind, I thought it would be interesting to take a deep dive into safe deposit boxes (although not literally: they're pretty shallow and I would bump my head).
More on the Hatton Garden heist later.
Whilst not a huge thing here in the UK, safe deposit boxes are common in the US and some other countries. And, Hatton Garden is a prime example that safe deposit boxes are used here in the UK. But just how safe are safe deposit boxes? We delve into them a little bit on your behalf so you can make better informed decisions on where to store your valuable items. And, quite simply, because we find this kind of thing pretty interesting.
It's a good case study for the lesson that the context of security is just as important as the control itself.
Firstly, what is a safe deposit box? Well, it's a small metal box kept in a room with many others. Often held by a bank or similar institution and they vary in sizes from 2 x 5 x 12 inches (generally used for jewelry and paperwork) to 15 x 22 x 12 inches or larger (small artwork etc). They are relatively inexpensive too ranging from 50 to 500 dollars or pounds.
Besides being held in a bank vault that is strictly controlled, the deposit box room is often well air conditioned and kept at a regulated temperature. Perfect for documents.
The system uses a two key method. There are actually two ways they implement this. The first is two keys in the main door, and the box itself is not locked. The second is one key for the door and one for the box. The bank holds one key and you hold the other. No one holds both, not even copies. The bank obviously holds the key/code for the vault room too.
For the second type when you wish to access your box you first get the bank to use their key to open the first door, inside is your locked deposit box, you are then often shown to a curtained off cubicle so you can use your key to access the contents in private. Once you have finished you lock the box, return it to the bank assistant who replaces it in the locker and locks the door again. All very strictly controlled. Safe as a safe, right?
Well, not so fast. Firstly, most deposit boxes are not insured, especially against water damage. Most companies providing this service suggest that you keep an inventory and store that somewhere else safe! Not exactly filling us with confidence.
Next up we have the fact that most 'vaults' are not often vaults they are dressed up rooms with no external hardening.
Several robberies have taken advantage of this. TD bank in NYC got robbed in 2012 by criminals getting in via the roof. TD were also hit again in 2019 where $7 million in diamonds was stolen. I don't mean to focus on TD, I am sure they have many reputable vaults, these are just two examples.
There are some services that require a day or more notice that you intend to access your safe deposit box. This is often due to the fact they are stored off site, hopefully in a more secure building, then shipped to the local branch for you to access.
Wells Fargo bank have been caught out doing this when some high stake robberies on armoured vehicles have resulted in stolen boxes.
There are more than 25 million safe deposits in North America, and they are unregulated. The banks have no requirement to compensate losses, as mentioned before they are not insured at any level, it's down to the customer to add that.
Each year several hundred people report missing items from safe deposit boxes. Whilst some of these can be down to mistakes by the consumer, the bank can often be at fault. In 2014 a gentleman from Colorado opened his deposit box to find the roughly $10 million watch collection missing. In this case, his box (number 105) was next to a customer who had failed to pay their fees, the bank had drilled the lock and removed the box and contents of 105 by mistake. Thankfully most of the watches were recovered but not all of them.
I break into a lot of banks (legally) as part of my job, so I understand the security or lack thereof in banks and whilst you may assume robberies like this occur often, they are fairly rare. With the FBI reporting roughly 20,000 bank robberies a year, only about 50 of those involve deposit boxes.
You are more likely to fall foul of the bank itself messing up and losing your items.
We, however, focus on the physical security of systems and if a criminal does perform a robbery against your deposit box, the hardest part for them will be gaining access to the building.
Once in the vault room, the deposit boxes themselves are often poorly designed and not at all capable of preventing aggressive access attempts. Below is a photo of a deposit vault in the UK that had been raided, The Hatton Garden case I mention earlier. The photo shows the 50+ discarded safe deposit boxes, with stolen contents worth more than $200 million. As you can see the boxes and doors were no match for the criminals.
More and more victims of deposit box crime are discovering that entire boxes are missing. Something is clearly wrong with the process and policies in place if the bank, who is responsible for replacing the box, has not done so correctly. Most of the victims are not receiving any compensation.
Like with any security system, you should not be scared by knowing the flaws and faults with them, but you can use such knowledge to make a better informed decision about where and how you store your valuables.
You must balance the risk vs likelihood with security. It is less likely that criminals will break into your deposit box than your home. Even with the issues we mentioned above, you have a higher risk of loosing your valuables if held in your home than a bank.
Here are a few questions to ask your safe deposit solution provider:
Are customers allowed to remain in the vault alone?
Are locks/tumblers changed when a box is vacated?
Are employees prevented from helping, touching or otherwise interacting with the contents of the box?
Are all entries to the vault documented (customers, locksmiths etc)?
Is the vault protected on all sides including the roof by concrete?
Is the vault closed and locked between customer access requests?
For those interested in statistics, the FBI provide details on bank robberies via their site.
Remember that as with any security system, it is only ever as good as those that run it, install it and understand how it is meant to be used. And those who test it.
If you want to chat to us about the pen testing services we deliver (whether physical or digital), please don't hesitate to get in touch.