'Bogus IT guys' slurp £1.3m from Barclays: Cybercops cuff 8 blokes

UK police have arrested eight men after a gang fitted remote-control hardware to a Barclays bank branch computer and stole £1.3m. Money was slurped from the bank after crooks hooked up a KVM (keyboard, video and mouse) switch and 3G dongle to a terminal in the branch, officers said. The suspects, aged between 24 and 47, were …

COMMENTS

This topic is closed for new posts.


Simplicity Works

It's always the simple methods that work!!

Whilst we're all protecting the back end systems with firewalls, IPS, encryption etc. etc., the front door is left wide open!!


Re: Simplicity Works

You beat me to that comment.

This is not particularly sophisticated, just a good old fashioned con trick!

Anonymous Coward

Re: Simplicity Works

What is scarier is that Barclays generally take security a bit more seriously than many other major (non-banking) high street corporations.

What if this was tried against, for example, your local Supermarket. Most don't even take protecting the back end very seriously either, so a front door compromise would give the back end too...

Anonymous Coward

Re: Front door

If they employ half-wits to man the front door what do they expect the outcome will be?


All this talk...

of 'backends' and 'frontends' has put me in a quandary - should I go for a slash or a dump?


Re: Simplicity Works

Want another security gaffe laugh?

I went to a local branch of a bank with my daughter.

The very first thing that caught my eye was a printer, sitting all alone, unobserved, in the customer waiting area.

Worse, with the ethernet port inviting one's eyes and even worse, the IP and MAC address proudly displayed for all to see.

My first thought was, were I contracted to evaluate their security, get another ethernet cable the same color, jack in my wireless device to blind proxy the device traffic, sniff and probe a few times a day to gradually acquire their network general scheme, then grow gradually from there.

BOFH, watch out. In a Spy vs Spy scenario, I'd punk your Panther. ;)

Signed,

BOFH MKII.

MJA

Believable

Puts truth to the saying that your IT security is only as secure as the users themselves.

You'd think that A. The 'IT Engineer' would have been challenged for ID and perhaps the actual IT department would have been called to verify this and B. with it being a bank and a high risk target to thieves, that some kind of software would be used on client machines to block a device like a KVM until admin access was provided on the machine to accept its use.

Far too easy. Although as in most cases I'm assuming the IT guys will take the rap rather than the dumbass staff that let said intruder in.

In an office somewhere is an IT security manager shuddering at the prospect of losing a job and in another office, a multi billion pound IT project ready to be approved and farmed off to an overseas company :).

Anonymous Coward

Re: Believable

They probably can't block KVM because of a few reasons.

1: Virtual KVM interfaces used to remotely control the computer by the actual tech support team.

2: KVM is just a simple USB interface, they aren't intelligent, so blocking the most basic ones would be tantamount to blocking all keyboards and mice. It's effectively an interface between the mouse and the computer, the computer just sees a mouse connected.


Re: Believable

You're correct, the major failing here is with the person/policy that let the IT Worker in (I didn't put IT worker in quotes as he was obviously an IT worker and did fix the computers).

There are 7.13 million technology security precautions they could have put in place but as with anything else if the bad guy can get his hands on whatever you're protecting it is all vulnerable. Our data center is guarded by a Human 24/7 and I can't even go in there without going through him, carrying my dongle and keying in my entry code; and it's my data center. You'd think a major bank would know better.


Re: Believable

They plug into your keyboard and mouse PS/2 port or a USB port, therefore as far as your computer is concerned it's receiving acceptable input. I fail to see how software can help here unless the keyboard and mouse have some sort of embedded certificate.

Get a KVM with a web server and not only are they small but they can easily be hidden behind a PC; the only grumble you will probably get is "the cleaners have moved my desk around again".

Anonymous Coward

Re: Believable

Nowhere does it say he wasn't a real IT engineer.

I did an outsource project for NatWest many years ago and gained access using a temporary printed paper ID card.

Anonymous Coward

Re: Believable

Our data center is guarded by a Human 24/7 and I can't even go in there without going through him, carrying my dongle and keying in my entry code; and it's my data center.

So your offices also have 24 hr security for every room with a person in? With said guard checking everyone in and out?

And who is checking your security guard? We've had guards nicking kit in the past, at some point you have to trust someone.

Holmes

Re: Believable

I have done a fair amount of 3rd party IT work in banks, in all those times my details / ecrb number had already been submitted to the banks I was visiting, I also had to call the bank to confirm my arrival time, near enough to the minute and then still show ID through the tellers window before I could get entry to behind the counter.

It doesn't make sense - unless it's an inside job too.

MJI

Re: Poor bloke

Human 24/7

Can't he have SOME time off?


Re: Believable

There isn't security in every room, but there is armed 24/7 security at the facility gate, the facility perimeter, the main entrance lobby and the lobby for the elevators, data center hallway/man door to the machine shop. The security guard can't enter the actual data center or machine shop, he's just there to watch the doors and prohibit tampering. He's only there because he's required for insurance compliance purposes, and to make sure no one who has been in the lounge is going back into the shop; exterior security keeps everyone uninvited out.

I trust the staff and the security company that provides the guards. Any security is 50% physical and 50% trust; and I tend to have more faith in well paid Human specialists than in any technological or physical solution. We make physical things and I'm 100% certain anything made can be broken. People will go to the mat for you if you take care of them and don't build fucking them over into your company policies.

Anonymous Coward

Re: Believable

The device used was probably transparent to the PC, so it had no way of knowing it was under attack by a man-in-the-middle device.

If it wasn't invisible, they SHOULD HAVE HAD restricted drivers set up on the PCs and network to prevent unauthorised devices being attached to branch kit.

After this they will all be tightening up the whitelist of authorised devices connecting to ALL corporate PCs.


Re: Believable

KVM is just a simple USB interface, they aren't intelligent, so blocking the most basic ones would be tantamount to blocking all keyboards and mice.

To the machine being controlled, this is true. However, it has to be controlled from somewhere. Blocking traffic from and (more importantly) to devices from outside the network to an unauthorized device on the network would seem to be a job fit for a firewall or VPN admin. Heck, knowing what is on your network is important because of scams of this nature (IDS/IPS anyone?). Server rooms are meant to be locked. So are server cabinets for critical systems. As noted elsewhere, we can always count on the human element to fail. Reducing that and other risks requires layers of security where it counts and especially in cases involving other people's money.


Re: Believable

@Robert Helpmann??

No amount of firewalling would have stopped this attack, short of turning the branch into a Faraday cage - the KVM was uplinking using a 3G mobile broadband dongle.


Re: Believable

Yes, but the article says a 3G dongle was used, and that wouldn't be on the network.

Also, as people have said, some high street banks are more lax than others.

I used to do break/fix in banks sometimes, all I had to do was sign in and show my photo ID and know the name of a/my contact.

Anonymous Coward

Re: Believable

It wasn't a data centre, just a standard user terminal. Those are probably under a lot less stringent security than their data centre. I doubt that you have to use a keypad and satisfy a 24 hour guard to access a user's PC in your organization.

Anonymous Coward

Where can I get a £10 IP KVM switch please ?

"KVM switches, which can cost as little as £10, are used legitimately for remote working; the keyboard, video and mouse signals can be routed over the internet."


Re: Where can I get a £10 IP KVM switch please ?

eBay.

Nobody said they were brand new.


Re: Where can I get a £10 IP KVM switch please ?

Have you tried dressing up as an IT staffer, sneaking in somewhere and just taking one?

Anonymous Coward

Re: Where can I get a £10 IP KVM switch please ?

Downvoted because I scoured eBay for months and the best I could do is £35 for an Avocent 1020. Mostly they are about £65 to a ton for these and a lot more for the bigger ones, although the 1020 would be best for the job because of its size.


Why oh why does anything involving moving money not require 2 factor authentication. The employees at my local HSBC put a smart card in when unlocking their computer, surely this would stop this kind of attack?

Anonymous Coward

Depends what data is being slurped - 2FA may stop the authentication of an unauthorised person, but if the employee then goes on to service the account details of 100 customers all that data could be keyed and displayed and captured.

It's one of the reasons good banking applications now don't even display all the data on the bank employee's screen - account numbers, card numbers, etc. are masked, showing only the first and last four digits of a PAN. Just sufficient information to verify the customer, not the full details.

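The masking rule the post above describes (only the first and last four digits of a PAN stay readable), as an added example rather than any bank's code; the digit-run regex, the Luhn filter used to leave ordinary numbers such as phone numbers alone, and the sample screen text are constructed assumptions:

```python
"""Mask card/account numbers in screen text: first four and last four digits
stay visible, everything in between becomes '*'.  Added illustration; the
regex, Luhn filter and sample text are constructed, not any bank's code."""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check, so a 13-19 digit run that is not a PAN is left unmasked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _mask_match(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number: leave it as it was
    keep = 4
    out, idx = [], 0
    for ch in raw:
        if ch.isdigit():
            visible = idx < keep or idx >= len(digits) - keep
            out.append(ch if visible else "*")
            idx += 1
        else:
            out.append(ch)      # keep the original grouping separators
    return "".join(out)


def mask_text(text):
    """Mask every Luhn-valid PAN found in free text."""
    return PAN_RE.sub(_mask_match, text)


# Constructed sample: a well-known test PAN plus a phone-like number.
SAMPLE = "Card 4111 1111 1111 1111 on account; call 0207 1234 5678 1"

if __name__ == "__main__":
    print(mask_text(SAMPLE))
```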

Not if they then leave their card in, unattended.

Anonymous Coward

Not really, I'm only surprised that they didn't just hook up the monitor part of the KVM and watch what was on the screen. You just simply wait for the details you want to be looked up by someone in branch and copy them down.

The only thing that can stop this is no external monitor connections (such as iMac and a few ThinkCentre devices), or end-to-end encrypted display connections.


Or glue.

Glue all the connectors on at each end. Done.

But this is a bank, so it needs to be an expensive solution.


If they need an expensive solution then it isn't glue. It is a "Non-conductive circulated oxygen cured multipart mechanical contact inhibitor".

Salesman, sales. Polish that turd and people will buy it. Look at government purchasing for proof.

Anonymous Coward

"end-to-end encrypted display connections"

You mean like the ones which have been in widespread domestic use since the MPAA etc mandated them to protect the link between HD content player and HD content display? HDMI, HDCP, I forget.

Yes I know it's been cracked, but...

Anyway, it's nice to know the police and the banks are actually interested in cybercrime. Sad that it's only when the banks are the target though. When Joe Public are the target, the cops aren't interested - "take it up with your bank", and the bank are usually quite happy to try to blame the victim.

Anonymous Coward

Common 2-factor authentications could also have failed.

Card scanners, especially older ones, show up as a keyboard. My local bank appears to use similar kit. So if the KVM is set to stream typed data back across the 3G link you'd also capture the card data.

So you need 2-factor authentication with physically separate links, ideally using different types of physical link (say, parallel port and typed password or PS2 keyboard and USB dongle).


So if you get a faulty keyboard/mouse you replace the whole PC??

Anonymous Coward

They shouldn't have skimped on the seventh proxy


Don't get it

Obviously we don't want every article on this to be a 'Hacking Banks For Dummies' primer but there's more required for this to work than a remote access KVM - as has been suggested above at the very least the terminal would need to be left unlocked and unattended and this would need to be verified in some way.

If not that then either the KVM was also a keylogger or there was some other much more fundamental compromise of the security. Whatever, the KVM seems to be the least interesting, but most widely mentioned, part of this scam.


Re: Don't get it

Yep, that's what I thought. As a hardware engineer, if I had access it would be pretty easy, but I wouldn't have a clue as to the software side.

Anonymous Coward

8 guys...

Presumably the first bloke turned up, took a look at the machine, tried turning it off and on again.

Scratched his head for a while, looked blank. Phoned in for #2 to come and have a look.

#2 reinstalled Outlook, changed the VGA cable, unplugged and replugged the network. Turned it on and off again.

#3 is called...

No wonder the bank staff fell for it, sounds just like Barclays desktop IT.

Anonymous Coward

This is supposed to be a tech site

"KVM switches, which can cost as little as £10, are used legitimately for remote working; the keyboard, video and mouse signals can be routed over the internet to another keyboard, monitor and mouse."

If you don't know what a KVM is, you probably shouldn't be on this site.

If you're going to the effort of describing its functionality you should probably also point out that it was a KVMoIP aka IPKVM; and these generally cost much more than £10.

Anonymous Coward

Re: This is supposed to be a tech site

er no ... <£10 on eBay (I checked)


Re: This is supposed to be a tech site

To be fair to El Reg, they've grown out of a completely specialty audience. Their stories regularly make the front pages of several news aggregators (which I'm sure don't know who I am).

With the expanded audience they've got to explain some jargon. Even Jane's publications have simplified explanations of a lot of things and their articles are comprised almost exclusively of acronyms and jargon.


Re: This is supposed to be a tech site

"er no ... <£10 on eBay (I checked)"

Link please. I checked also and failed miserably to find one.


Re: This is supposed to be a tech site

http://www.ebay.co.uk/itm/HP-396632-001-IP-KVM-CAT5-PS-2-Interface-Adaptor-/200710430091?pt=UK_Computing_KVM_Switches_KVM_Cables&hash=item2ebb461d8b


Re: This is supposed to be a tech site

>> http://www.ebay.co.uk/itm/HP-396632-001-IP-KVM-CAT5-PS-2-Interface-Adaptor-/200710430091?pt=UK_Computing_KVM_Switches_KVM_Cables&hash=item2ebb461d8b

That's not a KVM, it is a cable for an HP multiport KVMoIP. If there is a KVMoIP on ebay for £10, it'll be second hand, faulty and stolen.

BTW El Reg (I know it's been said), KVM Switch, seriously? We expect that nonsense from the iPhone-loving technophobes at the BBC; you guys really should know the difference between a KVM-switch (http://www.misco.co.uk/product/174751/LINDY-2-Port-KVM-Switch-Micro-USB-VGA) and a KVM-over-IP (http://www.onevideo.co.uk/adderlink-al-ipeps.html). Also you should be able to find a "security expert" who knows that a KVM switch would be no use for remote access, unlike a KVMoIP that is designed for that purpose.


I'm surprised there was no challenge for ID or verification with their IT department. Did they have fake ID?

I'm shocked that they don't have or have lax device control security. I'd have expected a bank to take security seriously.


@ adam payne

If you still think that banks are run by people who know anything about risk management, you obviously haven't been following the news for the last five years.


How long before..

You can buy a keyboard that has an IP KVM in, and a 3G dongle?

A simple cable splitter/with vga passthrough at the pc end later..

Anonymous Coward

Really??

"Lumension Device Control ensures that no device, unless authorized, can ever be used, no matter how it gets plugged in. Device Control is a really strong, easy to use product which is why Barclays chose this solution."

- Paul Douglas, ADIR Desktop Build Team Manager , Barclays

https://www.lumension.com/Testimonials.aspx?page=4

It's all well and good but it needs to be configured properly. From using Lumension, if they were USB KVMs these are easily detected if configured correctly. PS/2 interfaces are passive so will not be detected, but this is where non-technical controls are used.

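One way to enforce the kind of device allowlist discussed in the "KVM is just a simple USB interface" reply and in the Lumension post above: since a USB KVM looks to the host like an ordinary keyboard and mouse, the check below does not try to recognise a "KVM" but enforces the standard build, exactly one approved keyboard and one approved mouse by vendor/product ID. This is an added illustration, not Barclays', Lumension's or any poster's code; the vendor/product IDs, device records and allowlist are constructed sample values.

```python
"""Audit a workstation's USB HID devices against a fixed allowlist.
Added illustration; IDs, records and the allowlist below are constructed."""
from collections import Counter

HID_CLASS = 0x03      # USB interface class: keyboards, mice, composite HID
PRINTER_CLASS = 0x07  # present only so the filter has something to skip

# Constructed allowlist: the hypothetical standard-build keyboard and mouse.
# Roles are singular on purpose: a branch terminal should have one of each.
ALLOWED = {
    (0x1234, 0x0001): "keyboard",
    (0x1234, 0x0002): "mouse",
}


def audit_hid(devices, allowed=ALLOWED):
    """Return findings (strings) for one workstation's device enumeration.

    devices: list of dicts with keys vid, pid, cls, name (constructed form).
    Reports any HID that is not an allowed model, any second instance of an
    allowed role, and any allowed role that is absent.
    """
    findings, seen = [], Counter()
    for d in devices:
        if d["cls"] != HID_CLASS:
            continue  # storage, printers etc. belong to a separate policy
        role = allowed.get((d["vid"], d["pid"]))
        if role is None:
            findings.append(f"unlisted HID {d['name']} "
                            f"vid={d['vid']:04x} pid={d['pid']:04x}")
            continue
        seen[role] += 1
        if seen[role] > 1:
            findings.append(f"duplicate {role}: second {d['name']} attached")
    for role in sorted(set(allowed.values())):
        if not seen[role]:
            findings.append(f"missing {role}: standard peripheral absent")
    return findings


# Constructed sample enumerations.
CLEAN = [
    {"vid": 0x1234, "pid": 0x0001, "cls": HID_CLASS, "name": "Std Keyboard"},
    {"vid": 0x1234, "pid": 0x0002, "cls": HID_CLASS, "name": "Std Mouse"},
    {"vid": 0x0abc, "pid": 0x0010, "cls": PRINTER_CLASS, "name": "Branch Printer"},
]
# An in-line USB device with its own IDs appears as an extra composite HID.
EXTRA_HID = CLEAN + [
    {"vid": 0x5678, "pid": 0x0099, "cls": HID_CLASS, "name": "Composite HID"},
]
# A second device reporting the standard model's IDs is still a duplicate.
SPOOFED = CLEAN + [
    {"vid": 0x1234, "pid": 0x0001, "cls": HID_CLASS, "name": "Std Keyboard"},
]

if __name__ == "__main__":
    for label, devs in (("clean", CLEAN), ("extra", EXTRA_HID), ("spoof", SPOOFED)):
        print(label, audit_hid(devs) or "OK")
```

A passive PS/2 in-line device never enumerates on the USB bus, which is exactly the gap the post notes: nothing in this audit can see it.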

What I find hard to believe is that the USB ports were open. At the insurance firm that I provide IT support for, this scam to harvest data wouldn't work. It's more locked down than a prison.


Firewalls

How on earth did the KVM traffic get through the properly configured firewall the bank must have ?
