'Bogus IT guys' slurp £1.3m from Barclays: Cybercops cuff 8 blokes UK police have arrested eight men after a gang fitted remote-control hardware to a Barclays bank branch computer and stole £1.3m. Money was slurped from the bank after crooks hooked up a KVM (keyboard, video and mouse) switch and 3G dongle to a terminal in the branch, officers said. The suspects, aged between 24 and 47, were …
What is scarier is that Barclays generally take security a bit more seriously than many other major (non-banking) high street corporations.
What if this was tried against, for example, your local Supermarket. Most don't even take protecting the back end very seriously either, so a front door compromise would give the back end too...
Want another security gaffe laugh?
I went to a local branch of a bank with my daughter.
The very first thing that caught my eye was a printer, sitting all alone, unobserved, in the customer waiting area.
Worse, with the ethernet port inviting one's eyes and even worse, the IP and MAC address proudly displayed for all to see.
MY first thought was, were I contracted to evaluate their security, get another ethernet cable the same color, jack in my wireless device to blind proxy the device traffic, sniff and probe a few times a day to gradually acquire their network general scheme, then grow gradually from there.
BOFH, watch out. In a Spy vs Spy scenario, I'd punk your Panther. ;)
Signed,
BOFH MKII.
Puts truth to the saying that your IT security is only as secure as the users themselves.
You'd think that A. The 'IT Engineer' would have been challenged for ID and perhaps the actual IT department would have been called to verify this and B. with it being a bank and a high risk target to thieves, that some kind of software would be used on client machines to block a device like a KVM until admin access was provided on the machine to accept its use.
Far too easy. Although as in most cases I'm assuming the IT guys will take the rap rather than the dumbass staff that let said intruder in.
In an office somewhere is an IT security manager shuddering at the prospect of loosing a job and in another office, a multi billion pound IT project ready to be approved and farmed off an an overseas company :).
They probably can't block KVM because of a few reasons.
1: Virtual KVM interfaces used to remotely control the computer by the actual tech support team.
2: KVM is just a simple USB interface, they aren't intelligent, so blocking the most basic ones would be tantamount to blocking all keyboards and mice. It's effectively an interface between the mouse and the computer, the computer just sees a mouse connected.
the device used was probably transparent to the PC. so it had no way of knowing it was under attack by a man in the middle device.
if it wasnt invisible, they SHOULD HAVE HAD restricted drivers setup on the PC's and network to prevent unauthorised devices being attached to branch kit.
after this they will all be tightening up the whitelist of authorised devices connecting to ALL Corporate PC's.
KVM is just a simple USB interface, they aren't intelligent, so blocking the most basic ones would be tantamount to blocking all keyboards and mice.
To the machine being controlled, this is true. However, it has to be controlled from somewhere. Blocking traffic from and (more importantly) to devices from outside the network to an unauthorized device on the network would seem to be a job fit for a firewall or VPN admin. Heck, knowing what is on your network is important because of scams of this nature (IDS/IPS anyone?). Server rooms are meant to be locked. So are server cabinets for critical systems. As noted elsewhere, we can always count on the human element to fail. Reducing that and other risks requires layers of security where it counts and especially in cases involving other people's money.
Yes, but the article says a 3G dongle was used, and that wouldn't be on the network.
Also, as people have said, some high street banks are more lax than others.
I used to do break/fix in banks sometimes, all I had to do was sign in and show my photo ID and know the name of a/my contact.
You're correct, the major failing here is with the person/policy that let the IT Worker in (I didn't put IT worker in quotes as he was obviously an IT worker and did fix the computers).
There are 7.13 million technology security precautions they could have put in place but as with anything else if the bad guy can get his hands on whatever you're protecting it is all vulnerable. Our data center is guarded by a Human 24/7 and I can't even go in there without going through him, carrying my dongle and keying in my entry code; and it's my data center. You'd think a major bank would know better.
Our data center is guarded by a Human 24/7 and I can't even go in there without going through him, carrying my dongle and keying in my entry code; and it's my data center.
So your offices also have 24 hr security for every room with a person in? With said guard checking everyone in and out?
And who is checking your security guard? We've had guards nicking kit in the past, at some point you have to trust someone.
There isn't security in every room, but there is armed 24/7 security at the facility gate, the facility perimeter, the main entrance lobby and the lobby for the elevators, data center hallway/man door to the machine shop. The security guard can't enter the actual data center or machine shop, he's just there to watch the doors and prohibit tampering. He's only there because he's required for insurance compliance purposes, and to make sure no one who has been in the lounge is going back into the shop; exterior security keeps everyone uninvited out.
I trust the staff and the security company that provides the guards. Any security is 50% physical and 50% trust; and I tend to have more faith in well paid Human specialists more than any technological or physical solution. We make physical things and I'm 100% certain anything made can be broken. People will go to the mat for you if take care of them and don't build fucking them over into your company policies.
They plug into your keyboard and mouse PS/2 port or a usb port therefore as far as your computer is concerned its receiving acceptable input. I fail to see how software can help here unless the keyboard and mouse has some sort of embedded certificate.
Get a KVM with a web server and not only are they small but can easily be hidden behind a pc, the only grumble you will probably get is the cleaners have moved my desk around again.
I have done a fair amount of 3rd party IT work in banks, in all those times my details / ecrb number had already been submitted to the banks I was visiting, I also had to call the bank to confirm my arrival time, near enough to the minute and then still show ID through the tellers window before I could get entry to behind the counter.
It doesn't make sense - unless it's an inside job too.
Depends what data is being slurped - 2FA may stop the authentication of an unauthorised person, but if the employee then goes on to service the account details of 100 customers all that data could be keyed and displayed and captured.
It's one of the reasons good banking application now don't even display all the data on the bank employee's screen - account numbers, card numbers, etc are masked showing only the first and last four digits of a PAN. Just sufficient information to verify the customer, not the full details.
Not really, I'm only surprised that they didn't just hook up the monitor part of the KVM and watch what was on the screen. You just simply wait for the details you want to be looked up by someone in branch and copy them down.
The only thing that can stop this is no external monitor connections (such as iMac and a few Think centre devices), or end-to-end encrypted display connections.
You mean like the ones which have been in widespread domestic use since the MPAA etc mandated them to protect the link between HD content player and HD content display? HDMI, HDCP, I forget.
Yes I know it's been cracked, but...
Anyway, it's nice to know the police and the banks are actually interested in cybercrime. Sad that it's only when the banks are the target though. When Joe Public are the target, the cops aren't interested - "take it up with your bank", and the bank are usually quite happy to try to blame the victim.
Card scanners- especially older ones- show up as a keyboard. My local bank appears to use similar kit. So if the KVM is set to stream typed data back across the 3G link you'd also capture the card data.
So you need 2-factor authentication with physically separate links, ideally using different types of physical link (say, parallel port and typed password or PS2 keyboard and USB dongle).
Obviously we don't want every article on this to be a 'Hacking Banks For Dummies' primer but there's more required for this to work than a remote access KVM - as has been suggested above at the very least the terminal would need to be left unlocked and unattended and this would need to be verified in some way.
If not that then either the KVM was also a keylogger or there was some other much more fundamental compromise of the security. Whatever, the KVM seems to be the least interesting, but most widely mentioned, part of this scam.
Presumably the first bloke turned up, took a look at the machine, tried turning it off and on again.
Scratched his head for a while, looked blank. Phoned in for #2 to come and have a look.
#2 reinstalled outlook, changed the vga cable, unplugged and replugged the network. Turned it on and off again.
#3 is called...
No wonder the bank staff fell for it, sounds just like Barclays desktop IT.
"KVM switches, which can cost as little as £10, are used legitimately for remote working; the keyboard, video and mouse signals can be routed over the internet to another keyboard, monitor and mouse."
If you don't know what a KVM is, you probably shouldn't be on this site.
If you're going to the effort of describing it's functionality you should probably also point out that it was a KVMoIP aka IPKVM; and these generally cost much more than £10.
>> http://www.ebay.co.uk/itm/HP-396632-001-IP-KVM-CAT5-PS-2-Interface-Adaptor-/200710430091?pt=UK_Computing_KVM_Switches_KVM_Cables&hash=item2ebb461d8b
That's not a KVM, it is a cable for an HP multiport KVMoIP. If there is a KVMoIP on ebay for £10, it'll be second hand, faulty and stolen.
BTW El Reg (I know it been said), KVM Switch, seriously? We expect that nonsense the iPhone loving technophobes at the BBC, you guys really should know the difference between a KVM-switch (http://www.misco.co.uk/product/174751/LINDY-2-Port-KVM-Switch-Micro-USB-VGA) and a KVM-over-IP (http://www.onevideo.co.uk/adderlink-al-ipeps.html). Also you should be able to find a "security expert" who knows that a KVM switch would be no use for remote access, unlike a KVMoIP that is designed for that purpose.
To be fair to El Reg, they've grown out of a completely specialty audience. Their stories regularly make the front pages of several news aggregators (which I'm sure don't know who I am).
With the expanded audience they've got to explain some jargon. Even Jane's publications have simplified explanations of a lot of things and their articles are comprised almost exclusively of acronyms and jargon.
"Lumension Device Control ensures that no device, unless authorized, can ever be used, no matter how it gets plugged in. Device Control is a really strong, easy to use product which is why Barclays chose this solution."
- Paul Douglas, ADIR Desktop Build Team Manager , Barclays
https://www.lumension.com/Testimonials.aspx?page=4
It's all well and good but it needs to be configured properly, from using Lumension if they were USB KVMs these are easily detected if configured correctly. PS/2 passive interfaces so will not be detected but this is where non-technical controls are used.
This post has been deleted by its author
The IT kit on the sites IS blocked from allowing anything OTHER! than USB keyboard and mouse from attaching to it. (at least all the new kit installed in the last 2 years is.)
All visitors to any Branch ARE challenged and asked to be ID verified (WHITE LIST) of approved contractors allowed on site. (they Must also be pre-booked to attend). they are obliged to sign in the visitors book as well as electronically be signed in by a contractor search. ALL Contractors have their Photo-ID Passport/Drivers Licence recorded on file (so if you do fancy trying your luck its a no win situation, you have no hope in hell of getting away with maliciously tampering with any IT kit on any site.)
They also are covered by dozens of 24/7 cameras with remote view by head office.
Personally i blame the penny pinching ZERO-Hours contracts they put on all the IT Deployment Contractors that were involved in the IT Rollouts with both Santander and Barclays Banks in the Last year with DELL/MICROTEAM.
Trying your luck to Rob a modern British high street bank is a complete no brainer, you'd be better off trying the local off license or betting shop. or maybe borrow a JCB (though dont be surprised if the paper comes out covered in indelible florescent dye)
The Electronic Cash Tills and Computers shut down and they will always throw the master keys in the cash tills and slam them shut as soon ANY! alarm goes off.
(regardless that the spare keys are located in the head offices in London(in an even bigger safe!))
(so the muppets that had a go using a fire axe on the back door of a Barclays in December last year were a joke. (though it wasnt for the staff,once the broke through the doors and found the tills locked down.)
The alarms are remote linked the regional and local Police Stations, if you try to cut any of the communication lines the IT kit shuts down and you are in a lock down situation with the bank being cleared of customers within 5 minutes and the doors barred shut, with ALL the armed plod on the way in their T6 rapid response cars.
The only people that got away with a internal job of fleecing the banks were with RBS in the 80'sand 90's when some of their IT guys decided to print/swipe off thier own Credit/Debit cards with other peoples card numbers on them and nick £500 a time off thousands of customers.
(never really sure if they got caught in the end, though it was a big embarrassment for the Bank when they finally admitted it happened over ten years later.(see reg archives))
My Dad got fleeced by them, he closed all his corporate business accounts shortly after and refused to have any further dealings with them.
The simple fact is its pretty much a waste of time to even consider robbing a bank. Unless your a Bankster in the City!
The rules of which you speak may be the rules in theory, but is reality the same as theory?
Where I work is involved in some sensitive UK and US military stuff (List X, amongst other things) although the vast majority of the work isn't so sensitive.
The security people send out mails from time to time about the precautions you must take before allowing a visitor onsite, all of which seem to require at least 4 weeks notice and full details of the visitor involved.
Every now and again someone will reply asking what about photocopier fixit visitors. In the two years I've known the question be asked, there hasn't been an answer. The procedure is there so that a box can be ticked. It does not have to be practical or effective.
Photocopying is outsourced, IT aren't involved and nor are Facilities. You just phone the number on the label on the machine, and someone comes to fix it.
It doesn't (cannot) involve a four week wait for clearance of the visiting individual.
The photocopier user making the call to the number on the label has no idea who they are calling in (or whether the label is authentic).
The security man at the front gate has no way of knowing whether the photocopier man has actually been called in because there is no link between security and the person logging the call.
And so on.
Good job nothing sensitive ever gets printed or photocopied these days eh.
Good story. It is good to be reminded, and remind the users, on the M.O. of a thief. There are so many ways to intercept bank information and once in hand it is shockingly simple to get cash money.
I would guess that if this gang had crossed the international border the recovery would have been small. So good job to law enforcement and the IT team.
Fact remains that they got caught. So the security cannot be that bad. I think we have already established that you cannot make things 100% secure. Thats impossible. So spotting the rouge transactions and doing something about them is the best you can do. Something at Barclays clearly works. The crims are caught!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
