The recent high-profile robbery of a Barclays branch in the U.K. featured the unusual pairing of physical deception and advanced surveillance via a keyboard video mouse device. As if to drive home the consequences of identity theft in real time, one of the thieves posed as an IT technician and walked into the bank, drawing little suspicion. He then installed a 3G-enabled KVM device designed to secretly record keystroke patterns and on-screen activity. Having obtained authentication credentials in the process, the hacker group ultimately succeeded in transferring roughly $2.1 million between Barclays accounts.
Roots and consequences of the London heist
According to SC Magazine’s Danielle Walker, Barclays reported the loss in April 2013, but the details of the plot did not emerge until the eight thieves were taken into custody the following September. Given the sophisticated security in place at many financial institutions, the group’s successful heist is a notable achievement, as well as a wake-up call for companies that continue to concentrate cybersecurity efforts in a single area – like network security – while ignoring other vulnerabilities.
To make matters worse, the Barclays attack was not an isolated incident, but the successful execution of a previously failed plan. Security expert Graham Cluley reported on a similar incident in mid-September 2013 at a Santander branch in London, in which a similar KVM setup was installed to monitor user activity. Santander foiled this attempt, resulting in the swift arrest of 12 alleged perpetrators.
While victimized, Barclays was still able to recover many of the stolen funds. However, the attack’s ramifications are alarming in at least two ways. First, using a hardware-based surveillance tool like a networked KVM means that the malicious activity is invisible to software tools, such as antivirus programs, which typically scan for keystroke-monitoring processes running on the host. Second, banks in particular must be prepared to deal with a new class of criminal that mixes the technical savvy of cybercriminals with the physical prowess of old-fashioned crime.
“Those responsible for this offense are significant players within a sophisticated and determined organized criminal network, who used considerable technical abilities and traditional criminal know-how to infiltrate and exploit secure banking systems,” stated PCeU detective inspector Mark Raymond, according to Data Center Dynamics’ Ambrose McNevin.
Physical security returns to the fore
For all of the focus on sophisticated hacking, elusive Trojans and Web-based campaigns, enterprises across the board may be neglecting the most basic tenet of security – locking down physical assets. Regulated industries like finance and healthcare have complex compliance obligations, but they sometimes fail to meet them for relatively simple reasons, such as the loss or theft of an unencrypted hard drive or an on-site security oversight like the one that affected Barclays.
Certainly, software-based security is important. In the case of unencrypted assets, encryption software likely would have mitigated the impact of the theft, and on-device solutions are essential in the fight against email spam, viruses and malware. However, these tools must work in concert with physical security and be part of a comprehensive set of solutions. IT departments must adopt this mindset because, as shown by the Barclays and Santander perpetrators, cybercriminals have already done so.
“I have talked at length with banks and companies around the world about how they should not view cybercrime as purely a software issue in isolation,” Salamanca Group managing director Heyrick Gunning told IBTimes UK. “There is a huge focus on firewalls and software security but if you are effectively leaving your front door open, and if someone is able to enter your premises and attach a switch to a router, it undoes a lot of safeguards and can lead to costly problems.”
Monitoring employee behavior and possible insider threats
Companies must be vigilant, not only against external attacks initiated by experts like the London group, but also against attacks carried out by their own employees. Gunning stated that 10 percent of cyberattacks originate inside the workforce. A research report from Norton Antivirus observed a 42 percent rise in targeted attacks, which may underscore the shift from opportunistic, one-size-fits-all attacks to carefully orchestrated campaigns that may take advantage of insider knowledge.
Paying more attention to employee behavior has the added benefit of making companies more adept at identifying suspicious outsiders who may pose as IT technicians or maintenance staff.
“Most of us are guilty of allowing people we do not recognize to wander around our offices, fiddling with computers, fixing photocopiers, changing the water cooler,” wrote Cluley. “Companies need to be extremely careful about who they grant physical access to their offices, and how closely such people are monitored – especially if they are an unfamiliar face.”
Addressing the costs and causes of new cybercrime strategies
The stakes for keeping tabs on employees have always been high, but the recent wave of bank attacks has revealed how the simple air of being an insider can be more dangerous than a sophisticated piece of malware.
While the London perpetrators were experts, the barriers to entry to such an attack are actually minimal. KVM switches can cost as little as $16 online, and employee impersonation is a real danger as long as organizations focus exclusively on software-based security at the expense of physical precautions.
Across the board, cybercrime cost the U.K. approximately $42 billion in 2012, more than triple government estimates. While the Barclays and Santander incidents demonstrate that low-risk, high-reward attacks can be executed successfully, a more pressing issue may be the perfect storm of lax physical security and a lack of seriousness about cybercrime’s potential for harm. Research cited by IBTimes UK’s Lianna Brinded found that one-fifth of U.K. businesses have no countermeasures in place against cybercrime.
So far, the tactics of the Barclays and Santander perpetrators have not caused permanent widespread damage. However, they should serve less as a fascinating case study in tactical sophistication than as an indictment of how businesses may be struggling to deal with personnel management and on-site security. While businesses should take the opportunity to check network security and make sure that antivirus software and other tools are up to date, they should go further and ensure they know who has access to what and that the organization as a whole is on the lookout for possible impostors.