Locks have a variety of uses, one of which in connection with media terminals because the terminals accept and dispense currency notes to consumers. A plethora of technology exists in the industry to detect, lock, unlock, and report access to safes associated with media terminals. The safes include cassettes which store the notes.
Media terminals frequently need replenished with notes when denomination of the notes are low or when a denomination in a cassette is at its note capacity. Authorized personnel are dispatch with the proper authorization to access the safes and a variety of additional security precautions are enforced.
However, not all personnel are trustworthy, and some have taken advantage of their authorized access to tamper with the safe lock making it easy for them or someone they know to return to the terminal during an unauthorized visit, open the safe and cassettes, and remove the notes. The manner in which these individual tamper with the lock prevents security detection by existing technology available in the industry.
In various embodiments, a lock apparatus, a safe with the lock apparatus, and a method for detecting lock tampering are presented The lock apparatus includes a lock body, a lock backplate, a lock, and a sensor. The sensor is a contact sensor anchored on a surface of the lock body and extending to and touching a surface of the lock backplate such that when the lock backplate is removed from the lock body to gain access to the lock, the sensor sends a signal indicating the backplate was separated from the lock body. Should a host device that supplies power to a safe associated with the lock apparatus lose power, a security agent of the safe will report an unauthorized access when power is restored.
Unfortunately, technicians and media service personnel/staff who are authorized to access a media terminal's safe are not always trustworthy. A few of these individuals have been known to tamper with the safe's lock in a manner that permits the safe to be unlocked upon a return and unauthorized visit to the terminal. Notably, the tampering requires an individual to remove the lock's backplate in order to access the lock. Typically, the backplate is removed during the visit or removed after cutting power off during the visit. In either case, removal of the backplate goes undetected and there is chance that the safe's lock was tampered with so that someone can return later to the terminal and unlock the safe without proper authorization.
The above-described security hole is remedied by the teachings provided herein. A lock apparatus is provided with a sensor. The sensor does not report any event when the backplate of the lock apparatus remains in contact with the lock body. Whenever the sensor loses contact with a surface of the backplate or a surface of the body, the sensor reports a lock tampering event. Firmware or software on a safe associated with the lock apparatus also reports a lock tampering event anytime the safe loses power as soon as power is restored. This ensures that power cannot be cut to the safe, the backplate removed, the backplate reattached to the lock body, and power restored to the safe without a lock tampering event being reported. The firmware or software of the safe reports the lock tampering events to a security agent of the media terminal and the security agent can activate security actions and procedures in response thereto. Alternatively or additionally, the security agent of the media terminal reports the lock tampering events to a security system of a cloud or a server. The security system can activate security actions and procedures in response thereto.
Furthermore, the various components (that are identified in
System 100A includes one or more media terminals (hereinafter “terminals”) 110 and optionally a cloud 140 or a server 140 (hereinafter just “cloud 140’). Each terminal 110 includes a processor 111, a non-transitory computer-readable storage medium (hereinafter just “medium”) 112, which includes executable instructions for a transaction manager 113 and a security manager 114. The instructions when executed by processor 111 from memory 112 cause the processor 111 to perform the operations discussed herein and below for 113-114. Each terminal 110 also includes a media dispenser/recycler 120.
Media dispenser/recycler 120 includes a safe 121. The safe 121 includes media cassettes 122, a display/keypad 123, a processor, a lock apparatus 125, and a non-transitory computer-readable storage medium 127, which includes executable instruction for a security agent 128. When processor 124 executes the instructions from medium 127, this causes the processor to perform operations discussed herein and below with respect to 128.
Lock apparatus 126 includes a lock/sensor 126.
Sensor 126 is anchored on an inside surface of lock body 125A proximate to lock 125C. Furthermore, sensor 126 includes a first end anchored to lock body extending to a second end that makes surface contact with of lock backplate 125B. Sensor 126 is surface contact sensor that reports when touch contact is broken between either of the two surfaces (e.g., a surface of the lock backplate 125B or a surface of lock body 125A). This ensures that whenever the backplate 125B is removed and separated from lock body 125A and event is raised by sensor 126.
Events raised by sensor 126 are recorded, logged, and reported by agent 128 of safe 121. In an embodiment, agent 128 reports the events to security manager 114 and/or security system 143 when safe 121 has its own independent network connection to cloud 140. When safe 121 lacks an independent network connection to cloud 140, the events reported to security manager 114 are reported over the terminal's network connection to security system 143.
Agent 128, manager 114, and/or system 143 maintain an audit log each time the safe 120 is accessed since notes in cassettes 122 are exposed to potential theft. Agent 128, manager 114, and/or system 143 also process security workflows in response to lock tampering events. The workflows can be similar or different from one another.
Agent 128 also raises a lock tampering event when power is cut to the safe 121 and/or terminal 110 and then subsequently restored. That, agent 128 undergoes a reboot and loading into memory each time power is restored, thus agent 128 knows when it is being loaded and starting up. On start up, agent 128 sends a lock tampering event to security manager 114 and/or security system 143.
It may be that the power loss was known and expected such that the security event can be cleared by the appropriate personnel and security actions are unnecessary. It may also be that a known reboot, a patch, an update, or an upgrade was performed on agent 128 or some other software component of safe 121; in such cases the lock tampering event can also be cleared by the personnel. In an embodiment, agent 128 is configured to be provided a code from manager 114 and/or 143 that overrides reporting of the lock tampering event. The code can be provided before the reboot or power loss, such that agent 128 configures itself to clear the lock tampering event during its reboot and load based on a flag set in storage which is read by agent 128 on startup. The code can also be provided after startup or reboot by manager 114 and/or system 143 after agent 128 starts up and initially reports the lock tampering event.
Thus, backplate 125B cannot be separated from lock body 125A during a loss of power because on reboot when power is restored, agent 128 will raise a lock tampering event to manager 114 and/or system 143 unless a prior authorization code was provided before the loss of power to safe 121. Agent 128 can continue to report the lock tampering event once detected until an authorization code is received from manager 114 and/or system 143. Unexpected and unplanned reboots or power loses that explainable can quickly stop agent 128 from reporting the lock tampering event through an authorization code provided as an override by manager 114 and/or system 143.
When power is not lost, the backplate 125B cannot be separated from lock body 125A without agent 128 reporting a lock tampering event to manager 114 and/or system 143. The lock 125C cannot be accessed internally from lock apparatus 125 without removing the backplate 125B from lock body 125A. Thus, any authorized individual on a service visit to safe 121 cannot tamper with lock 125 without being detected and without security actions and protocols being instituted.
This plugs a security hole present in the industry and prevents authorized personnel with access to safe 121 from tampering with lock 125 without being detected. This is because security logs are maintained by agent 128, manager 114, and/or 143 which record details with dates, times of day, personnel identifiers, and service action identifiers for service activities of each authorized service activity. Thus, the lock tampering event is raised by agent 128 either during the service visit or shortly after the service visit when power was cut during the service visit and restored after the service event. The last personnel to access the safe 121 before the lock tampering event was raised will be known.
In an embodiment, lock 125 is an e-lock, which has an independent network connection to security system 143 from terminal 110. Authorized individuals are authenticated via their mobile devices and provided an authorization code to access the safe 121 by system 143. Additional cryptographic algorithms are executed by processor 121 to independently generate the code and compare the code entered on display 123 or keypad 123 by the authorized individual against the independently generated code.
In an embodiment, terminal 110 is an automated teller machine, a self-service terminal, or a point-of-sale terminal. In an embodiment, agent 128 is subsumed and processed by security manager 114. In an embodiment, lock apparatus 125 is associated with a different device or a different server from 110 and 140. In an embodiment, lock apparatus 125 is any smart lock affixed to any structure or interfaced to a processing device. In this latter embodiment, lock apparatus 125 includes a processor and a medium with instructions 128 that are executed by the lock apparatus processor.
The above-referenced embodiments and other embodiments will now be discussed with reference to
In an embodiment, the device that executes the safe lock tamper manager is safe 121. In an embodiment, the safe lock tamper manager is agent 128.
At 210, the safe lock tamper manager detects that a sensor 126 of a lock apparatus 125 is reporting that a lock backplate 125B was separated from a lock body 125A of the lock apparatus 125. This is an indication that the lock 125C of the lock apparatus 125 has potentially been tampered with during an authorized opening of a safe 121 of a media terminal 110.
At 220, the safe lock tamper manager reports a lock tampering event associated with the lock apparatus 125 based on 210. The safe lock tamper manager reports the lock tampering event to one or more of security manager 114 and security system 143.
In an embodiment, at 230, the safe lock tamper manager detects power being restored to the safe 121 associated with lock apparatus 125 after power had been lost at the safe 121. In response to detecting a restoration of power, the safe lock tamper manager reports the lock tampering event to one or more of security manager 114 and security system 143.
The above description is illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
In the foregoing description of the embodiments, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting that the claimed embodiments have more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby incorporated into the Description of the Embodiments, with each claim standing on its own as a separate exemplary embodiment.