Two recent incidents have shown that you no longer need to risk life and limb to rob a bank. In September, an attempted cyber-robbery at a London branch of Santander was stopped in its tracks and shortly afterwards, details emerged of a similar earlier, and more successful attack that had taken place at a Barclays branch in North London. The culprits escaped with £1.3 million.
Now several people have been arrested in connection with both crimes. Although a link between the two has not been stated publicly, both offer an insight into the new threats faced by financial institutions now that cyber-criminals have developed their tool kits and techniques.
The Keyboard Video Mouse
The Keyboard Video Mouse is crucial in bank robbery 2.0. This is a device that connects to the communication channels of the mouse, the keyboard and the monitor of a computer or even several computers. In the case of Santander, one of the culprits posed as a computer engineer, gained access to the branch machines and attached a KVM.
It is likely only a single computer was attacked, as this type of KVM would have to be conspicuously wired to all the computers it was intended to control. Crucially, it would also need to be directed from inside the building. This would all mean that a larger and on-going inside job would be needed.
KVMs sell for about £10 but from the picture released by the police from the Barclays incident, it appears that a more sophisticated type was used. This is the KVM over IP, or “iKVM”, which can be bought for about £25 and can be used to fully control a computer via the internet.
From the image released, it is clear that the criminals involved in this plot did not exploit a second advantage of iKVMs: that they exist as “cards” which can be attached on the inside of the computer, safely out of sight once installed. They probably didn’t do this because it would have meant controlling the iKVM via the bank’s internet connection, which would be difficult. When bank computers are linked to the internet at all, they would be expected to have very strong firewalls which monitor and selectively block incoming and outgoing internet traffic.
So a different type of connection needed to be created on the spot. Wireless access might have been an option but would have required someone nearby to control the iKVM - risky for a bank robber - and wireless signals can also be distorted as a safety measure. Instead, it looks like a basic 3G router was attached to the iKVM so that it could be accessed through the mobile network. The fake engineer would only have had to glance at his phone during his visit to confirm the signal strength.
Making it an inside job
Once the KVM is in place, the final element of the attack is to make sensible use of the controlled computer, which is, in essence, just like an “inside job” by bank staff.
To prevent traditional inside jobs, banks limit the amount of damage individual staff members can do using their own computer, and monitor them for unusual behaviour. The possible involvement of 11 other people in the Santander case shows the plan was never to install the iKVM and then hope for the best. The roles of the other people alleged to have been involved in the conspiracy may have been to circumvent the bank’s various protection mechanisms.
Another option is to identify a single, specific, profitable target action for the compromised computer to complete. This would possibly be something more sophisticated than transferring money to a bank account in the Cayman Islands. For example, if the computer is used for processes involving customer bank cards, it might gather enough information for cloning cards, which could be used or sold on. Indeed, it has been reported that searches following the arrests turned up details of thousands of credit cards.
Fending them off
What is very interesting about these stories is that they involve security protection measures at many different levels. In the age of cyber-crime, a bank needs to have physical security, network security, application and communication security.
To protect its physical security, a bank needs stringent access controls for computer rooms. Even bank staff should not be allowed to connect hardware to their computers, let alone open them up to install cards. Now this particular attack has been exposed, many more banks are probably having their computers checked out for rogue cards and devices.
Network firewalls should prevent malicious incoming and outgoing communications and, within local networks, intrusion detection software can flag up unusual data. But if the mobile network was indeed used to access the iKVM in the Santander case, banks may need to do more to monitor and disrupt mobile communications in critical parts of their buildings.
Application security should defend against insider attacks. It should spot unusual behaviour, and limit the damage that can be done by a corrupt user.
Finally, communication security cannot be overlooked. It is unlikely that the fake engineer, once arrested, immediately named all his co-conspirators or that he had a handy mailing list called “Santander” in his email client. Indeed, police undertook a long-standing surveillance operation, based on some initial suspicion. Maybe this was something observed in or around the bank. Or was it intelligence from other criminal investigations that sparked it all off?
Some of these security measures, such as firewalls, are well understood and widely employed. But others are still in the early stages of development. Researchers in cyber security at Kent are looking at how security systems can self-adapt and respond automatically to anomalous behaviour such as that characterised by the “insider attack” scenario described above. Cyber crime is still on the rise, and banks will need to adopt a range of established and novel security measures in different areas to stay ahead of this new breed of robber.