Another British Bank Hit By KVM Crooks
judgecorp writes "Another British bank — Barclays — has been hit by a fraud attempt using a stealthily-planted KVM (keyboard, video, mouse) device. Unlike the previous attempt on Santander, the crooks got away with £1.3 million, but were subsequently apprehended by the Metropolitan Police's Central e-Crimes Unit."
The Question is (Score:2)
Makes you wonder how many other times this has been done where the crooks got away scot-free and the bank just didn't want to go public about it?
Re: (Score:2)
As for the numbers, the KVM teams only have to be lucky once – the bank will have to be lucky always.
Re: (Score:3)
Re: (Score:2)
Well, for the most part, the thefts have only involved tiny fractions of pennies normally lost due to rounding errors, so usually they don't get caught...
https://en.wikipedia.org/wiki/Superman_III [wikipedia.org]
Ya, Richard Pryor ftw.
Re: (Score:2)
The real-life incident occurred in the 1970s. A technician realized that the rounding errors were money that could be stolen, so he rewrote the rounding code so that everything from the sixth digit to the right of the decimal point was transferred to his account before the rounding operation, which now essentially did nothing. This method left no trace and everything balanced out perfectly, except for one thing. Regular bank accounts were represented using a limited number of bits and the balance on his acco
Re:The Question is (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Makes you wonder how many other times this has been done where the crooks got away scot-free and the bank just didn't want to go public about it?
Makes me wonder how many times it happened and the operator whose login was used got the blame.
Whatever happened... (Score:2)
... to good old security? You know, checking who gets into the staff premises of a bank?
I bet they thought it was a low risk area, because it was only handling "data". But "data" is money...
When the IT staff gets Subcontracted / contracted (Score:3)
Sometimes the workers don't get staff IDs, or it can be easy to say "I got a call just now to come out", or just show some paperwork that looks like a work order. And they can say the system placed the call on its own.
Re: (Score:2)
... to good old security? You know, checking who gets into the staff premises of a bank?
I've worked on government high security sites and corporate high security sites.
Only the former is really secure. The latter will eschew security for money.
At the government site (not a military site) a subcontractor who didn't have ID or wasn't listed on the work order was denied access by the security guards. He and his boss yelled and screamed until some AFP officers (Australian Federal Police) appeared out of a hidden door and escorted them out. Conversely, I've seen people into "highly secure" data
Weird KVM. (Score:2)
Looks like a KVM-over-IP box, possibly. But those don't have video passthrough, so it'd be detected in no time at all. I can see how such a scam could work (KVM-over-IP + access point + VGA splitter), but not with the hardware described. You'd have to depend on employees leaving their station unlocked, but that is going to happen sooner or later.
I'm not sure if this is a deliberate Met policy of withholding the details of crimes to prevent imitation, or just non-technical reporting trying to express complic
Re: (Score:2)
Re: (Score:2)
Plenty of them do have video passthrough, e.g. Raritan Dominion, although those are pretty pricey.
Re: (Score:3)
You've got to spend money to make money.
Re: (Score:2)
Crooks never heard of Kickstarter?
Re: (Score:2)
You don't need passthrough, just a VGA splitter...
Re: (Score:1)
This would do the trick and is pretty small :) http://www.lantronix.com/it-management/kvm-over-ip/spiderduo.html
Re: (Score:2)
You don't need video passthrough if you have a VGA splitter cable. One end to the monitor, one to the KVM over IP unit. http://www.minipc.de/catalog/il/858 [minipc.de]
That's if you haven't gone for the unit linked in one of the responses below that has passthrough.
Re: (Score:3)
You'd be better off with a regular wireless access point that includes a built in switch...
Drop it in between an existing workstation (or other networked device like a printer) and the wall; the legit device keeps working, but the LAN is now extended outside and you can sit outside or in a nearby coffee shop.
Once you're on the internal network, the rest is absolutely trivial... A port scanning tool and a copy of Metasploit, you'll have domain admin within a few minutes and chances are even if the important stuff i
Re: (Score:2)
Except this is a bank - they probably have a little more security than that. Like 802.1x, which makes that process a little bit trickier, and the appearance of an unauthorised MAC is likely to trigger an IDS alert so you may need to hack the AP to make sure it stays quiet and lets you spoof a workstation.
Re:Weird KVM. (Score:5, Informative)
You can't sniff for a valid MAC until you've already got your illicit one in the network. By then, you've already triggered the IDS.
Any bank with IT worth keeping has MAC filtering on their switches. That alone will prevent your "access point/switch in the network line from a workstation" from working. At best, the legit device will stop working, resulting in a call to IT. At worst, the IDS will be triggered immediately. Either way, IT will investigate, find your additions to the network, probably call the police, get your AP fingerprinted, etc.
A network device WILL be detected on anything but the simplest "plug it in and it works as recommended by Best Buy" kind of network. I've got two older Cisco Catalyst switches on my home/home business network; a 2950 and a 2960. Even these support locking a specific MAC to a port, so an unauthorized device won't work if plugged in. I'm going to set the 2960 this way soon, but haven't yet as it's a new addition to the network, an emergency replacement for a different switch that died. The 2950, though, is on my workbench, which has customer machines connected and disconnected on a regular basis, so this kind of setting would be counterproductive.
So when I get the setup finalized, your "AP in a network cable" wouldn't even work on the trusted subnet of my home network, forget about a bank. My workbench subnet has no access to anything important, so unless you're wanting to hack a customer machine that's already infected with a dozen viruses, you're not going to get anywhere.
Re: (Score:2)
is the MAC in the encrypted part of the packets? I was under the impression it was in the plaintext portion....
Re: (Score:2)
For a wireless network, you're right. The MAC is in the plaintext packet header.
But if your bank is using wireless intentionally, then you're already screwed. I don't know of any bank in my area that has a wireless network, other than the occasional "HP_Setup" ad-hoc from a wireless-capable printer that hasn't had the wireless disabled. You'd need to be on the wire already to pick up a MAC anywhere around me, and there's no way to do that without triggering the IDS.
Plus, the MAC you'd pick up in the unen
Re: (Score:2)
No need for the "For a wireless network" qualifier. The MAC address is in ISO layer 2, to wit, the data link. Encryption happens in layer 4, the transport layer (HTTPS == HyperText Transport Protocol / Secure). If Layer 2 was encrypted every switch on the network would have to have the key for every session (a severe security flaw in itself), but how would it know which key to use since it couldn't know where the data was c
Re: (Score:2)
There are plenty of practices that "if that's the case, you're already screwed." If you're relying on someone running a business not to choose them, and they appear to be cheaper than doing things the right way, then I think I can state quite confidently, "you're already screwed."
Your security needs are not the same as the bank's business needs. They need you to believe that your money is secure, and they need the regulators to believe that they are in compliance with any regulations or making good-faith
Re: (Score:2)
Whoever did this had physical access for some time to a PC that had an authorized MAC address. Their access was good enough to insert a KVM un-noticed.
So, get the PC's MAC, and use it on the PC's port to access the LAN in order to find more MAC addresses. As far as the switch knows, everything is kosher. You could even splice in a device that looks like the switch to the PC and looks like the PC to the switch. Program it to transparently bridge the normal traffic and inject/intercept whatever you need.
Re: (Score:2)
On what [stackexchange.com] planet and in what universe?
Re: (Score:1)
You can't sniff for a valid MAC until you've already got your illicit one in the network. By then, you've already triggered the IDS.
Passive Network Tap [hackaday.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
It's probably more like a glorified "keylogger"
A simple KVM box with one of those low-powered credit-card PCs fitted inside; stick in a rechargeable battery and wire it to draw power from the USB input. It sits there day after day recording keystrokes and mouse movements with the odd screen grab. The onboard PC then compresses it into manageable chunks of zips, rars or tars and waits for one of the gang to walk into the bank at a busy time of the day. Then it sends it to a receiver via wifi in the croo
Re: (Score:2, Informative)
They will just ask Central Bank to print some extra money. Problem solved. For the rest of you, go to work to earn some pennies.
I'm assuming you are from the US, because that is where this "printing money is bad" meme seems to have been resurrected lately. Central banks are managing the money supply to balance the economy, and in most modern western economies this is working as intended - keeping a stable currency value, steady low inflation and fueling economic growth or counteracting recession. Outside that the slogan "printing money" sounds like something bad is going on, I don't really understand what it is about the real wor
Re: (Score:3)
They will just ask Central Bank to print some extra money. Problem solved.
For the rest of you, go to work to earn some pennies.
I'm assuming you are from the US, because that is where this "printing money is bad" meme seems to have been resurrected lately. Central banks are managing the money supply to balance the economy, and in most modern western economies this is working as intended - keeping a stable currency value, steady low inflation and fueling economic growth or counteracting recession.
So I see the brainwashing regarding "minor inflation is good" did work on you. Back in my day, we had a word for FALLING prices on essential goods, it was called "progress".
Re: (Score:2, Interesting)
So I see the brainwashing regarding "minor inflation is good" did work on you. Back in my day, we had a word for FALLING prices on essential goods, it was called "progress".
Yeah, I would love to see the price of my house keep falling while the debt keeps growing.. On the business side this effect will limit investments.
Re: (Score:2)
So I see the brainwashing regarding "minor inflation is good" did work on you. Back in my day, we had a word for FALLING prices on essential goods, it was called "progress".
Yeah, I would love to see the price of my house keep falling while the debt keeps growing.. On the business side this effect will limit investments.
Solution: don't get in debt. On the grand scale of things, mortgages are a very new "invention".
Re: (Score:2)
The problem is when you print money and use it to bail out a private entity that is considered too big to fail. Particularly when you also keep socking it to individuals who are apparently too small to succeed.
Ugh... (Score:2)
Re:Ugh... (Score:5, Insightful)
KVM switches have had that name since at least the early '90s. How about Linux developers check to see that they aren't causing naming conflicts when they christen their projects?
Re: (Score:2)
To be fair, this cloudy out-of-your-control virtual nonsense has been around since the '60s. But then we called it a virtual machine monitor (VMM).
Has anyone stopped to think how poorly systems are now architected that each person has gone back to feeling they need a whole piece of virtual hardware to themselves? Regression - it's not just economic.
Re: (Score:2)
No it isn't (Score:2)
All that duplication of OS, and you get the perceived benefit of increased separation, but you've still got a thing running that launches other things, all on the same machine, only now with the overhead of running the first thing inside another thing inside itself....
The only security benefit is in the thing that contains the thing that runs the stuff. If this piece of software sufficiently segregates the running applications, then it is secure, if it does not, then you're in the same boat as before except
Re: (Score:2)
It's pretty amazing how little overhead virtualization adds these days. In exchange, you avoid the pain of having to separate out services one by one if you ever have to migrate. This is particularly helpful if you have a server go down and you need to divide the services it was performing amongst several other machines as you restore from backups. It's much easier to just stick the mail server on A and the web server for department X on B, etc.
Re: (Score:2)
Re: (Score:2)
But in some cases, the environments overlap and then you can have a hard time sorting them out.
Re:Hmm. (Score:5, Informative)
Also known as some people with a bit of technical knowledge and a grasp of basic social engineering. Gotta love it when they make something sound like rocket science so folks won't realize what little is really involved.
The access might have been fairly straightforward, but we don't know what they did with it. What do you do once you are in? Just because you're on the bank's network doesn't mean it's easy to steal money. I'm thinking back to the last time I was in a machine room on my own at a bank and wondering what I could have done if I'd wanted to; not really sure. Maybe you can find a convenient GUI with buttons like "add money to an account (untraceable)", but failing that you're going to need a reasonable amount of IT/banking knowledge. If you're wanting to mod a CICS transaction written in COBOL to siphon off money without leaving any trace then you'll need more skills than the average crook. On the other hand they got caught, so maybe it was all over their heads...
Re: (Score:2)
Don't you know? The process involves plugging the lan cable into your ear and then playing a video game involving glowing buildings by waving your hands in the air.
This replaced the old interface where the computer would ask you in a 60 point font if you wanted all of da money.
Re: (Score:2)
Install it on one of the computers processing transfers.
Let it run for a week while monitoring patterns and learning gui.
Prepare some dodgy accounts, usually you take a hobo off the street, clean him up, make him open proper bank account, give him drugs/vodka/whatever he wants and drop him off where you found him. You use those accounts regularly to make them look legit.
Once you have your window of opportunity (lunch break, loo visit, whatever) start transferring money to a bunch of accounts you prepared ea
Users (Score:5, Interesting)
No matter WHAT I told them about security, it didn't matter - a working photocopier was more important than security.
This is obviously a similar situation - some 'official looking' technical guy turns up, tells a few porkies, and the staff just let him get on with it without any checks.
* I later coded a short perl script to send me a mail when an unknown MAC connected to the LAN.
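Two comments above describe the same low-cost control from different angles: the switch-side MAC/port-security argument ("a network device WILL be detected"), and this poster's Perl script that mails an alert when an unknown MAC appears on the LAN. The script itself is not on the page, so the following is an added, stand-alone Python version written for this thread, not the poster's code. It reads the host's neighbour table in the format of Linux `ip neigh show`, compares every learned link-layer address against a hypothetical allowlist (`KNOWN_MACS`, made-up addresses), and builds the alert e-mail. The `SAMPLE_NEIGH` data is constructed, not captured from any real network, and the sender/recipient addresses are placeholders.

```python
"""Flag MAC addresses on the LAN that are not in an allowlist (added example)."""
import re
import subprocess
from email.message import EmailMessage
from typing import Iterator, List, NamedTuple, Set


class Neighbour(NamedTuple):
    ip: str
    dev: str
    mac: str
    state: str


# Hypothetical allowlist: the MACs you expect on the trusted segment (made-up values).
KNOWN_MACS: Set[str] = {
    "00:11:22:33:44:01",  # router
    "00:11:22:33:44:14",  # workstation A
    "00:11:22:33:44:15",  # workstation B
}

# Constructed sample in the format of `ip neigh show`; not a real capture.
# The FAILED entry has no lladdr and must be skipped rather than flagged.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 STALE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:15 REACHABLE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.78 dev eth0 FAILED
"""

# One neighbour-table line that carries a link-layer address.
_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s+(?P<state>\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Canonical form so 'DE-AD-BE-EF-00-01' and 'de:ad:be:ef:00:01' compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_neigh(text: str) -> Iterator[Neighbour]:
    """Yield one Neighbour per line that has a resolved MAC; skip FAILED/INCOMPLETE."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        yield Neighbour(m["ip"], m["dev"], normalize_mac(m["mac"]), m["state"].upper())


def unknown_hosts(text: str, allowlist: Set[str]) -> List[Neighbour]:
    """Return every neighbour whose MAC is not in the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    return [n for n in parse_neigh(text) if n.mac not in allowed]


def build_alert_email(unknown: List[Neighbour], sender: str, recipient: str) -> EmailMessage:
    """Build (but do not send) the alert mail listing the unknown hosts."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[LAN] {len(unknown)} unknown MAC address(es) seen"
    body = "\n".join(f"{n.ip:<16} {n.mac}  via {n.dev} ({n.state})" for n in unknown)
    msg.set_content("Hosts not in the MAC allowlist:\n\n" + body + "\n")
    return msg


def current_neigh_table() -> str:
    """Read the live neighbour table; only used when run as a script on Linux."""
    return subprocess.run(
        ["ip", "neigh", "show"], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    found = unknown_hosts(current_neigh_table(), KNOWN_MACS)
    if found:
        # Hand the message to smtplib.SMTP(...).send_message(msg) in a real deployment.
        print(build_alert_email(found, "lanwatch@example.test", "admin@example.test"))
```

Two caveats the thread itself raises apply here. A neighbour-table watcher only sees hosts that have exchanged ARP with the monitoring machine, so run it on a box that talks to the whole segment or feed it the switch's MAC table instead. And because a MAC is just a layer-2 header field that an attacker on the wire can copy (the "splice in a device that looks like the PC to the switch" comment above), this catches careless intruders and misconfigurations, not a deliberate spoof; treat it as a cheap tripwire alongside switch port security or 802.1X, not a replacement for them.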
Re: (Score:3)
It bugs me why IT people don't handle printer, copy, and fax machine issues (e.g., changing cartridges) at my huge workplace. They use maintenance guys.
e-Crimes? da fuq? (Score:2)
Because they used an electronic gadget in the commission of a crime? This was a social engineering ploy, the tech played a minor role. Even TFA (yes, I read it) explained that the technology involved was "crude."
The "tech expert" they interviewed is just adding fuel to the idiot fire by explaining that antivirus won't help, giving undeserved credence to the notion that this was a technological attack.
Stop prefixing e- and cyber- and other bullshit to make yourself sound modern because you actually sound l
Criminal Masterminds (Score:1)
Re: (Score:2)
It is funny how the media reports it as a sophisticated attack with criminal masterminds as they don't want you to know that it is something that pretty much anybody with a little tech understanding could do. They are only reporting this one because they were such clever criminal masterminds that they got caught doh!
I'm sure it's also that they want it to seem that the police are complete tech geniuses that can thwart any crime, no matter how much of a "criminal mastermind" the perpetrator is. In reality, of course, they're just as incompetent as the criminals for the most part.