back to article 'Bogus IT guys' slurp £1.3m from Barclays: Cybercops cuff 8 blokes

UK police have arrested eight men after a gang fitted remote-control hardware to a Barclays bank branch computer and stole £1.3m. Money was slurped from the bank after crooks hooked up a KVM (keyboard, video and mouse) switch and 3G dongle to a terminal in the branch, officers said. The suspects, aged between 24 and 47, were …

COMMENTS

This topic is closed for new posts.
  1. Mad Mike

    Simplicity Works

    It's always the simple methods that work!!

    Whilst we're all protecting the back end systems with firewalls, IPS, encryption etc.etc., the front door is left wide open!!

    1. Dr Who

      Re: Simplicity Works

      You beat me to that comment.

      This is not particularly sophisticated, just a good old fashioned con trick!

    2. Anonymous Coward
      Anonymous Coward

      Re: Simplicity Works

      What is scarier is that Barclays generally take security a bit more seriously than many other major (non-banking) high street corporations.

      What if this was tried against, for example, your local Supermarket. Most don't even take protecting the back end very seriously either, so a front door compromise would give the back end too...

    3. Anonymous Coward
      Anonymous Coward

      Re: Front door

      If they employ half-wits to man the front door what do they expect the outcome will be?

      1. Shagbag

        All this talk...

        of 'backends' and 'frontends' has put me in a quandry - should I go for a slash or a dump?

    4. Wzrd1 Silver badge

      Re: Simplicity Works

      Want another security gaffe laugh?

      I went to a local branch of a bank with my daughter.

      The very first thing that caught my eye was a printer, sitting all alone, unobserved, in the customer waiting area.

      Worse, with the ethernet port inviting one's eyes and even worse, the IP and MAC address proudly displayed for all to see.

      MY first thought was, were I contracted to evaluate their security, get another ethernet cable the same color, jack in my wireless device to blind proxy the device traffic, sniff and probe a few times a day to gradually acquire their network general scheme, then grow gradually from there.

      BOFH, watch out. In a Spy vs Spy scenario, I'd punk your Panther. ;)

      Signed,

      BOFH MKII.

  2. MJA

    Believable

    Puts truth to the saying that your IT security is only as secure as the users themselves.

    You'd think that A. The 'IT Engineer' would have been challenged for ID and perhaps the actual IT department would have been called to verify this and B. with it being a bank and a high risk target to thieves, that some kind of software would be used on client machines to block a device like a KVM until admin access was provided on the machine to accept its use.

    Far too easy. Although as in most cases I'm assuming the IT guys will take the rap rather than the dumbass staff that let said intruder in.

    In an office somewhere is an IT security manager shuddering at the prospect of loosing a job and in another office, a multi billion pound IT project ready to be approved and farmed off an an overseas company :).

    1. Anonymous Coward
      Anonymous Coward

      Re: Believable

      They probably can't block KVM because of a few reasons.

      1: Virtual KVM interfaces used to remotely control the computer by the actual tech support team.

      2: KVM is just a simple USB interface, they aren't intelligent, so blocking the most basic ones would be tantamount to blocking all keyboards and mice. It's effectively an interface between the mouse and the computer, the computer just sees a mouse connected.

      1. Anonymous Coward
        Anonymous Coward

        Re: Believable

        the device used was probably transparent to the PC. so it had no way of knowing it was under attack by a man in the middle device.

        if it wasnt invisible, they SHOULD HAVE HAD restricted drivers setup on the PC's and network to prevent unauthorised devices being attached to branch kit.

        after this they will all be tightening up the whitelist of authorised devices connecting to ALL Corporate PC's.

      2. Robert Helpmann??

        Re: Believable

        KVM is just a simple USB interface, they aren't intelligent, so blocking the most basic ones would be tantamount to blocking all keyboards and mice.

        To the machine being controlled, this is true. However, it has to be controlled from somewhere. Blocking traffic from and (more importantly) to devices from outside the network to an unauthorized device on the network would seem to be a job fit for a firewall or VPN admin. Heck, knowing what is on your network is important because of scams of this nature (IDS/IPS anyone?). Server rooms are meant to be locked. So are server cabinets for critical systems. As noted elsewhere, we can always count on the human element to fail. Reducing that and other risks requires layers of security where it counts and especially in cases involving other people's money.

        1. Soruk

          Re: Believable

          @Robert Helpmann??

          No amount of firewalling would have stopped this attack, short of turning the branch into a Faraday cage - the KVM was uplinking using a 3G mobile broadband dongle.

        2. peterrat

          Re: Believable

          Yes, but the article says a 3G dongle was used, and that wouldn't be on the network.

          Also, as people have said, some high street banks are more lax than others.

          I used to do break/fix in banks sometimes, all I had to do was sign in and show my photo ID and know the name of a/my contact.

    2. Don Jefe

      Re: Believable

      You're correct, the major failing here is with the person/policy that let the IT Worker in (I didn't put IT worker in quotes as he was obviously an IT worker and did fix the computers).

      There are 7.13 million technology security precautions they could have put in place but as with anything else if the bad guy can get his hands on whatever you're protecting it is all vulnerable. Our data center is guarded by a Human 24/7 and I can't even go in there without going through him, carrying my dongle and keying in my entry code; and it's my data center. You'd think a major bank would know better.

      1. Anonymous Coward
        Anonymous Coward

        Re: Believable

        Our data center is guarded by a Human 24/7 and I can't even go in there without going through him, carrying my dongle and keying in my entry code; and it's my data center.

        So your offices also have 24 hr security for every room with a person in? With said guard checking everyone in and out?

        And who is checking your security guard? We've had guards nicking kit in the past, at some point you have to trust someone.

        1. Don Jefe
          Pint

          Re: Believable

          There isn't security in every room, but there is armed 24/7 security at the facility gate, the facility perimeter, the main entrance lobby and the lobby for the elevators, data center hallway/man door to the machine shop. The security guard can't enter the actual data center or machine shop, he's just there to watch the doors and prohibit tampering. He's only there because he's required for insurance compliance purposes, and to make sure no one who has been in the lounge is going back into the shop; exterior security keeps everyone uninvited out.

          I trust the staff and the security company that provides the guards. Any security is 50% physical and 50% trust; and I tend to have more faith in well paid Human specialists more than any technological or physical solution. We make physical things and I'm 100% certain anything made can be broken. People will go to the mat for you if take care of them and don't build fucking them over into your company policies.

      2. MJI Silver badge

        Re: Poor bloke

        Human 24/7

        Can't he have SOME time off?

      3. Anonymous Coward
        Anonymous Coward

        Re: Believable

        It wasn't a data centre, just a standard user terminal. Those are probably under a lot less stringent security than their data centre. I doubt that you have to use a keypad and satisfy a 24 hour guard to access a user's PC in your organization.

    3. Captain Scarlet
      Unhappy

      Re: Believable

      They plug into your keyboard and mouse PS/2 port or a usb port therefore as far as your computer is concerned its receiving acceptable input. I fail to see how software can help here unless the keyboard and mouse has some sort of embedded certificate.

      Get a KVM with a web server and not only are they small but can easily be hidden behind a pc, the only grumble you will probably get is the cleaners have moved my desk around again.

    4. Anonymous Coward
      Anonymous Coward

      Re: Believable

      Nowhere does it say he wasnt a real IT engineer

      I done an outsource project for Nat Wst many years ago and gained access using a temporary printed paper ID card.

    5. Tezfair
      Holmes

      Re: Believable

      I have done a fair amount of 3rd party IT work in banks, in all those times my details / ecrb number had already been submitted to the banks I was visiting, I also had to call the bank to confirm my arrival time, near enough to the minute and then still show ID through the tellers window before I could get entry to behind the counter.

      It doesn't make sense - unless it's an inside job too.

  3. Anonymous Coward
    Anonymous Coward

    Where can I get a £10 IP KVM switch please ?

    "KVM switches, which can cost as little as £10, are used legitimately for remote working; the keyboard, video and mouse signals can be routed over the internet."

    1. Velv

      Re: Where can I get a £10 IP KVM switch please ?

      eBay.

      Nobody said they were brand new.

      1. Anonymous Coward
        Anonymous Coward

        Re: Where can I get a £10 IP KVM switch please ?

        Downvoted because I scoured ebay for months and the best I could do is £35 for Avocent 1020. Mostly they are abouta about £65 to a ton for these and a lot more for the bigger ones, although the 1020 would be best for the job because of its size.

    2. Don Jefe
      Joke

      Re: Where can I get a £10 IP KVM switch please ?

      Have you tried dressing up as an IT staffer, sneaking in somewhere and just taking one?

  4. Andrew Hart

    Why oh why does anything involving moving money not require 2 factor authentication. The employees at my local HSBC put a smart card in when unlocking their computer, surely this would stop this kind of attack?

    1. Anonymous Coward
      Anonymous Coward

      Depends what data is being slurped - 2FA may stop the authentication of an unauthorised person, but if the employee then goes on to service the account details of 100 customers all that data could be keyed and displayed and captured.

      It's one of the reasons good banking application now don't even display all the data on the bank employee's screen - account numbers, card numbers, etc are masked showing only the first and last four digits of a PAN. Just sufficient information to verify the customer, not the full details.

    2. James R Grinter

      Not if they then leave their card in, unattended.

    3. Anonymous Coward
      Anonymous Coward

      Not really, I'm only surprised that they didn't just hook up the monitor part of the KVM and watch what was on the screen. You just simply wait for the details you want to be looked up by someone in branch and copy them down.

      The only thing that can stop this is no external monitor connections (such as iMac and a few Think centre devices), or end-to-end encrypted display connections.

      1. Tom Chiverton 1 Silver badge

        Or glue.

        Glue all the connectors on at each end. Done.

        But this is a bank, so it needs to be an expensive solution.

        1. Don Jefe
          Happy

          If they need an expensive solution then it isn't glue. It is a 'Non-conductive circulated oxygen cured multipart mechanical contact inhibitor".

          Sales man, sales. Polish that turd and people will buy it. Look at government purchasing for proof.

        2. peterrat

          So if you get a faulty keyboard/mouse you replace the whole PC??

      2. Anonymous Coward
        Anonymous Coward

        "end-to-end encrypted display connections"

        You mean like the ones which have been in widespread domestic use since the MPAA etc mandated them to protect the link between HD content player and HD content display? HDMI, HDCP, I forget.

        Yes I know it's been cracked, but...

        Anyway, it's nice to know the police and the banks are actually interested in cybercrime. Sad that it's only when the banks are the target though. When Joe Public are the target, the cops aren't interested - "take it up with your bank", and the bank are usually quite happy to try to blame the victim.

    4. Anonymous Coward
      Anonymous Coward

      Common 2-factor authentications could also have failed.

      Card scanners- especially older ones- show up as a keyboard. My local bank appears to use similar kit. So if the KVM is set to stream typed data back across the 3G link you'd also capture the card data.

      So you need 2-factor authentication with physically separate links, ideally using different types of physical link (say, parallel port and typed password or PS2 keyboard and USB dongle).

  5. Anonymous Coward
    Anonymous Coward

    They shouldn't have skimped on the seventh proxy

  6. Professor Clifton Shallot

    Don't get it

    Obviously we don't want every article on this to be a 'Hacking Banks For Dummies' primer but there's more required for this to work than a remote access KVM - as has been suggested above at the very least the terminal would need to be left unlocked and unattended and this would need to be verified in some way.

    If not that then either the KVM was also a keylogger or there was some other much more fundamental compromise of the security. Whatever, the KVM seems to be the least interesting, but most widely mentioned, part of this scam.

    1. peterrat

      Re: Don't get it

      Yep, that's what I thought, as a hardware engineer, If I had access it would be pretty easy, but I wouldn't have a clue as to the software side

  7. Anonymous Coward
    Anonymous Coward

    8 guys...

    Presumably the first bloke turned up, took a look at the machine, tried turning it off and on again.

    Scratched his head for a while, looked blank. Phoned in for #2 to come and have a look.

    #2 reinstalled outlook, changed the vga cable, unplugged and replugged the network. Turned it on and off again.

    #3 is called...

    No wonder the bank staff fell for it, sounds just like Barclays desktop IT.

  8. Anonymous Coward
    Anonymous Coward

    This is supposed to be a tech site

    "KVM switches, which can cost as little as £10, are used legitimately for remote working; the keyboard, video and mouse signals can be routed over the internet to another keyboard, monitor and mouse."

    If you don't know what a KVM is, you probably shouldn't be on this site.

    If you're going to the effort of describing it's functionality you should probably also point out that it was a KVMoIP aka IPKVM; and these generally cost much more than £10.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is supposed to be a tech site

      er no ... <£10 on eBay (I checked)

      1. djack

        Re: This is supposed to be a tech site

        "er no ... <£10 on eBay (I checked)"

        Link please. I checked also and failed miserably to find one.

        1. Mr_Pitiful

          Re: This is supposed to be a tech site

          http://www.ebay.co.uk/itm/HP-396632-001-IP-KVM-CAT5-PS-2-Interface-Adaptor-/200710430091?pt=UK_Computing_KVM_Switches_KVM_Cables&hash=item2ebb461d8b

          1. steogede

            Re: This is supposed to be a tech site

            >> http://www.ebay.co.uk/itm/HP-396632-001-IP-KVM-CAT5-PS-2-Interface-Adaptor-/200710430091?pt=UK_Computing_KVM_Switches_KVM_Cables&hash=item2ebb461d8b

            That's not a KVM, it is a cable for an HP multiport KVMoIP. If there is a KVMoIP on ebay for £10, it'll be second hand, faulty and stolen.

            BTW El Reg (I know it been said), KVM Switch, seriously? We expect that nonsense the iPhone loving technophobes at the BBC, you guys really should know the difference between a KVM-switch (http://www.misco.co.uk/product/174751/LINDY-2-Port-KVM-Switch-Micro-USB-VGA) and a KVM-over-IP (http://www.onevideo.co.uk/adderlink-al-ipeps.html). Also you should be able to find a "security expert" who knows that a KVM switch would be no use for remote access, unlike a KVMoIP that is designed for that purpose.

    2. Don Jefe
      Happy

      Re: This is supposed to be a tech site

      To be fair to El Reg, they've grown out of a completely specialty audience. Their stories regularly make the front pages of several news aggregators (which I'm sure don't know who I am).

      With the expanded audience they've got to explain some jargon. Even Jane's publications have simplified explanations of a lot of things and their articles are comprised almost exclusively of acronyms and jargon.

  9. adam payne

    I'm surprised there was no challenge for ID or verfication with their IT department. Did they have fake ID?

    I'm shocked that they don't have or have lax device control security. I'd have expected a bank to take security seriously.

    1. plrndl

      @ adam payne

      If you still think that banks are run by people who know anything about risk management, you obviously haven't been following the news for the last five years.

  10. Piro

    How long before..

    You can buy a keyboard that has an ip kvm in, and 3g dongle?

    A simple cable splitter/with vga passthrough at the pc end later..

  11. Anonymous Coward
    Anonymous Coward

    Really??

    "Lumension Device Control ensures that no device, unless authorized, can ever be used, no matter how it gets plugged in. Device Control is a really strong, easy to use product which is why Barclays chose this solution."

    - Paul Douglas, ADIR Desktop Build Team Manager , Barclays

    https://www.lumension.com/Testimonials.aspx?page=4

    It's all well and good but it needs to be configured properly, from using Lumension if they were USB KVMs these are easily detected if configured correctly. PS/2 passive interfaces so will not be detected but this is where non-technical controls are used.

  12. ukgnome

    What I find hard to believe is that the USB ports were open. At the insurance firm that I provide IT support for this scam to harvest data wouldn't work. It's more locked down that a prison.

  13. This post has been deleted by its author

  14. JimmyPage
    FAIL

    Firewalls

    How on earth did the KVM traffic get through the properly configured firewall the bank must have ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Firewalls

      Simple, the IPKVM unit had its own 3G uplink, bypassing the bank's systems entirely.

      1. Tezfair
        Coat

        Re: Firewalls

        They needed to rob the bank to pay for the 3G dongle charges

  15. Anonymous Coward
    Anonymous Coward

    Don't beleive it

    Thief in a Bank who isn't a Banker, someone's telling porkies.

  16. Shagbag

    "after four men appeared in court earlier this month"

    And to think there are still people out there who don't believe in ghosts. If you're still not convinced, head down to your nearest courthouse and see for yourself - all those who "appear" before the magistrate.

  17. Anonymous Coward
    Anonymous Coward

    Why bother when they know who you are?

    The IT kit on the sites IS blocked from allowing anything OTHER! than USB keyboard and mouse from attaching to it. (at least all the new kit installed in the last 2 years is.)

    All visitors to any Branch ARE challenged and asked to be ID verified (WHITE LIST) of approved contractors allowed on site. (they Must also be pre-booked to attend). they are obliged to sign in the visitors book as well as electronically be signed in by a contractor search. ALL Contractors have their Photo-ID Passport/Drivers Licence recorded on file (so if you do fancy trying your luck its a no win situation, you have no hope in hell of getting away with maliciously tampering with any IT kit on any site.)

    They also are covered by dozens of 24/7 cameras with remote view by head office.

    Personally i blame the penny pinching ZERO-Hours contracts they put on all the IT Deployment Contractors that were involved in the IT Rollouts with both Santander and Barclays Banks in the Last year with DELL/MICROTEAM.

    Trying your luck to Rob a modern British high street bank is a complete no brainer, you'd be better off trying the local off license or betting shop. or maybe borrow a JCB (though dont be surprised if the paper comes out covered in indelible florescent dye)

    The Electronic Cash Tills and Computers shut down and they will always throw the master keys in the cash tills and slam them shut as soon ANY! alarm goes off.

    (regardless that the spare keys are located in the head offices in London(in an even bigger safe!))

    (so the muppets that had a go using a fire axe on the back door of a Barclays in December last year were a joke. (though it wasnt for the staff,once the broke through the doors and found the tills locked down.)

    The alarms are remote linked the regional and local Police Stations, if you try to cut any of the communication lines the IT kit shuts down and you are in a lock down situation with the bank being cleared of customers within 5 minutes and the doors barred shut, with ALL the armed plod on the way in their T6 rapid response cars.

    The only people that got away with a internal job of fleecing the banks were with RBS in the 80'sand 90's when some of their IT guys decided to print/swipe off thier own Credit/Debit cards with other peoples card numbers on them and nick £500 a time off thousands of customers.

    (never really sure if they got caught in the end, though it was a big embarrassment for the Bank when they finally admitted it happened over ten years later.(see reg archives))

    My Dad got fleeced by them, he closed all his corporate business accounts shortly after and refused to have any further dealings with them.

    The simple fact is its pretty much a waste of time to even consider robbing a bank. Unless your a Bankster in the City!

    1. Anonymous Coward
      Anonymous Coward

      Re: Why bother when they know who you are?

      The rules of which you speak may be the rules in theory, but is reality the same as theory?

      Where I work is involved in some sensitive UK and US military stuff (List X, amongst other things) although the vast majority of the work isn't so sensitive.

      The security people send out mails from time to time about the precautions you must take before allowing a visitor onsite, all of which seem to require at least 4 weeks notice and full details of the visitor involved.

      Every now and again someone will reply asking what about photocopier fixit visitors. In the two years I've known the question be asked, there hasn't been an answer. The procedure is there so that a box can be ticked. It does not have to be practical or effective.

      Photocopying is outsourced, IT aren't involved and nor are Facilities. You just phone the number on the label on the machine, and someone comes to fix it.

      It doesn't (cannot) involve a four week wait for clearance of the visiting individual.

      The photocopier user making the call to the number on the label has no idea who they are calling in (or whether the label is authentic).

      The security man at the front gate has no way of knowing whether the photocopier man has actually been called in because there is no link between security and the person logging the call.

      And so on.

      Good job nothing sensitive ever gets printed or photocopied these days eh.

  18. TXITMAN

    Human Engineering

    Good story. It is good to be reminded, and remind the users, on the M.O. of a thief. There are so many ways to intercept bank information and once in hand it is shockingly simple to get cash money.

    I would guess that if this gang had crossed the international border the recovery would have been small. So good job to law enforcement and the IT team.

  19. Anonymous Coward
    Anonymous Coward

    but they got caught....

    Fact remains that they got caught. So the security cannot be that bad. I think we have already established that you cannot make things 100% secure. Thats impossible. So spotting the rouge transactions and doing something about them is the best you can do. Something at Barclays clearly works. The crims are caught!

This topic is closed for new posts.

Other stories you might like