Gang exploits both physical and system security during bank robbery

The Metropolitan Police Central e-Crime Unit (PCeU) arrested eight men, aged between 24 and 27, on Thursday, in connection with a robbery from the Swiss Cottage branch of Barclays Bank in April. According to police statements, the theft resulted in the loss of 1.3 million pounds ($2 million), but the bank managed to recover most of the stolen funds.

In an unusual twist, one rarely mentioned or seen when it comes to financially motivated cybercrime, the men allegedly mixed physical penetration and social engineering with system compromise in order to carry out their crimes. When Barclays reported the robbery in April, police investigated the incident, and conducted a search of the Swiss Cottage Barclays branch in North London. During this search, investigators discovered a KVM switch attached to a 3G router hooked up to one of the branch computers.

"It was later established that the previous day a male purporting to be an IT engineer had gained access to the branch, falsely stating he was there to fix computers. He had then deployed the KVM device. This enabled the criminal group to remotely transfer monies to predetermined bank accounts under the control of the criminal group," a PCeU statement explained.

Police say the men operated from a control center in central London, but residences in Westminster, Newham, Camden, Brent, and Essex are also being searched. So far, the searches have yielded cash, jewelry, drugs, thousands of credit cards and personal data. The fact that the criminals combined physical penetration with system compromise "demonstrates the rapidly evolving nature of low risk, high financial yield cyber enabled crime," the law enforcement agency said.

"Those responsible for this offence are significant players within a sophisticated and determined Organized Criminal Network, who used considerable technical abilities and traditional criminal know-how to infiltrate and exploit secure banking systems," the PCeU's Detective Inspector Mark Raymond said in a statement.

Last week, police arrested 12 men over what was called an "audacious" plot to use the exact same methods to rob the Surrey Quays branch of Santander, south-east London. According to police, someone posing as an engineer attempted to fit a KVM and modem to a computer in the Surrey branch. However, due to the Barclays investigation, the attempt failed.

In a statement, Santander said they had been working with the police for months before the false engineer arrived and made his attempt, as the bank had been made aware that the criminal network was targeting them. Four of the men arrested as part of the Barclays heist are also being charged in the attempted robbery of Santander.

"This was a highly-organized criminal network with each individual filling a specific role. All criminal networks have a head and we very much believe we have now apprehended our 'Mr. Big' as part of this operation," Wilson told the BBC in a statement.

Social engineering and physical pentesting are topics that large organizations, especially in the financial sector, consider when evaluating risk. Yet, despite knowing the risks, criminals were still able to execute a precision hybrid attack against Barclays. CSO spoke to Rook Consulting (a security firm based in Indianapolis that deals with physical security assessments) to get their thoughts on this case.

"When put into perspective of the three elements of the enterprise that I always hear people reference (people, process, and technology), this is one of those circumstances that is not (in most cases) going to be caught by any kind of technology on the network. This is going to fall into the other two categories," explained Mat Gangwer, a Security Consultant for Rook.

On the people side of things, security training and user awareness programs are key, Gangwer said. Employees need to know that incidents like the one at Barclays happen, how they should react if they suspect something nefarious is going on, that it's okay to question an unidentified person walking around the office, and whom they should tell.

"For process, it goes back to the 'trust, but verify' model. Sure you can tell me you are an IT person coming to work on the computers, but I'm going to need to verify that is actually the case," Gangwer explained.

"Crimes like this are always going to be a possibility for companies. As we do our job and make it harder for these things to happen, the criminals or bad actors will work just as hard to find new ways to exploit the existing systems."

With that said, Gangwer offered some steps for organizations to consider when it comes to the process aspect of physical security. First, visitors should have proof of a scheduled appointment or meeting, and the receptionist should verify it. Next, verify the person's ID and make them sign in; then have their sponsor come and collect them from the lobby and escort them around the office.

Another issue, which can lead to incidents such as the one experienced by Barclays, isn't the lack of physical security assessments, but the severe limits placed on those performing them.

"Financial services institutions handcuff their security consultants by not letting them act as a true rogue agent when conducting assessments," Gangwer explained.

To get the most out of an assessment, organizations should let the consultants take their gloves off and actually act like the criminals. Other than instilling fear, intimidating, or harming anyone, everything else is fair game. Likewise, don't limit the consultant to just a week onsite, because sometimes the assessment may need to be much longer in order to do the job right.

"Find a trusted advisor to help you screen consulting firms to find out if they are the real deal for hybrid IT / physical assessments. Military? That's good. What did they do there? Does that experience tie in? Recon experience is good, recon with tactical entry is better," Gangwer said.

In the end, the Barclays heist was a textbook example of a hybrid attack, and one that could have been prevented.

"This is how criminals do it. No holds barred. That's why the security consulting world needs to get serious," Rook's CEO, J.J. Thompson told CSO.

"The days of half-baked intrusion plans and utilizing people with no real-world experience to rattle doorknobs are over. Real security is dirty. Hire consultants who get it, then get out of their way and let them get dirty."
