Skip to content

First Santander, now Barclays infiltrated

Featured Replies

I recall an article the other week with very similar circumstances where a gang had tried to infiltrate a Santander computer, now it seems that Barclays have been hit. It looks like they used very similar if not the same type of equipment.

 

http://www.bbc.co.uk/news/uk-england-24172305

 

 

I'm surprised it took 'em so long to get round to this. I suppose it requires a lot more  nerve and  high-end con man and technical skills  than the average bank job.

 

Clearly it highlights the deficiencies (Or complete lack) of any network monitoring or device control software employed by the banks,

 

As we all know, if you stick a KVM switch on the average desktop via USB,  under Windows, it will automatically attempt to register itself with the system as a device. If  that's allowed and successful  the system will then attempt to  call down and install the appropriate drivers. Lets face it,  that process can be problematic even  when its legitimate and you've got the manual, the equipment is known to be compatible and the correct drivers are to hand.

 

That suggests it was an inside job, probably by an ex or current contract engineer with that system.

 

At worst, it would appear that these banks have demonstrated multiple deficiencies.

 

The local branches probably are not advised n advance of the details of genuine engineer visits (Date, time and job number)

 

They appear to have inadequate visitor identity and job  validation systems, if any.

 

The device monitoring software and permissions structure are either not there/ defective or are easily by-passed.

 

I suspect that the gang procured the services of  a current genuine engineer for the bank in question. That would tick all the boxes to get them past the glass screen and logged onto the system

 

Even in the public service, which usually runs 5-7 years (Or more) behind developments in leading-edge computing, they dealt with the threat of unauthorised peeps attaching USB sticks to distributed terminal units and downloading loads of stuff - the terminal  software automatically rejects any attempt to do this and the newly-plugged-in device isn't permitted to load the drivers needed.

 

 

Nick

 

 

.

Edited by Clunkclick

Nice hit.

 

Quite simple too and hard to detect.

Easy to scan for rogue 802 wifi APs but 3G is much much harder.

No network connection so no chance of picking up unauthorised hardware or weird traffic on an IDS.

 

I await the next raft of knee jerk standards I'll have to comply with (but not the bank that allowed it to happen).

What next hey......

Nice hit.

Quite simple too and hard to detect.

Easy to scan for rogue 802 wifi APs but 3G is much much harder.

No network connection so no chance of picking up unauthorised hardware or weird traffic on an IDS.

I await the next raft of knee jerk standards I'll have to comply with (but not the bank that allowed it to happen).

So how does it work if not connected to the network?

So how does it work if not connected to the network?

 

He's thinking aloud, it has a connection to somewhere/one but no detectable presence on the infiltrated network. Using mobile data rather than wifi there's a far bigger user base (everyone with a mobile). Any dodgy traffic would just blend into the background hubbub.

being a hardware engineer and having to visit santander banks frequently this type of attack was never going to work on there systems, santander have recently upgraded all the systems, and these are hired from a third party. getting into a santander branch is a night mare even worse when you dont have ID. we are given job reference numbers and we constantly keep the sites updated as to when we are likly to arrive on site and who will be arriving. engineer privaliges are severly limited on the systems, so much so we dont even get a desktop just a web page with limited functions to test hardware when we have replaced/fixed it

So how does it work if not connected to the network?

 

KVM plugs directly into the controlled PC probably just using a USB port.

The KVM was controlled over the mobile phone network not using wifi. Wifi is trivial to pickup but mobile phone 3G scanners aren't in the kit of your average IT guy.

 

They carried out the attack by directly controlling the PC, so no data going in or out over the network except from identified company machines so it all looked legit.

 

Quite an elegant little side channel attack.

 

What they should have done is had their tickets to a country without a UK extradition treaty already booked then transferred the money to an offshore  account somewhere like Aruba or other financial centre not signed up to UK investigation treaties.

Shift the cash then leave the country within a few hours. They could have done the trade in the departure lounge with the kit they had.

Im thinking of setting up my own bank.....1 customer and always safe until robbed.... I call it the Bank of Under the Floorboard!!!!!! Perfect solution...

What next hey......

Simples - not bank related. It's a parcel delivery scam . You get an e mail from Fedex/UPS/ DHL to say that your parcel can't be delivered as the postcode is wrong. Please use the attachment to give us details. IT'S A SCAM .

Next - an e mail from Amazon, about your order. Avast picked up the three i got as virus.

Someone said Santander have security - I've had e mails from Santander ( and given the problems with RBS ,I might have believed them ,but I went back to RBS to find it was another SCAM .

It's little foreigner phishing of a foreign pier. Come phish, swim phis ,swim along here .

I get bank, courier and order phishing emails fairly regularly

Now starred seeing your gmail/yahoo/Microsoft account has been restricted due to failed log in attempt emails.

There are also some "important information about new lotto, please confirm your account" ones about too.

I'm surprised it took 'em so long to get round to this. I suppose it requires a lot more nerve and high-end con man and technical skills than the average bank job.

Clearly it highlights the deficiencies (Or complete lack) of any network monitoring or device control software employed by the banks,

As we all know, if you stick a KVM switch on the average desktop via USB, under Windows, it will automatically attempt to register itself with the system as a device. If that's allowed and successful the system will then attempt to call down and install the appropriate drivers. Lets face it, that process can be problematic even when its legitimate and you've got the manual, the equipment is known to be compatible and the correct drivers are to hand.

That suggests it was an inside job, probably by an ex or current contract engineer with that system.

At worst, it would appear that these banks have demonstrated multiple deficiencies.

The local branches probably are not advised n advance of the details of genuine engineer visits (Date, time and job number)

They appear to have inadequate visitor identity and job validation systems, if any.

The device monitoring software and permissions structure are either not there/ defective or are easily by-passed.

I suspect that the gang procured the services of a current genuine engineer for the bank in question. That would tick all the boxes to get them past the glass screen and logged onto the system

Even in the public service, which usually runs 5-7 years (Or more) behind developments in leading-edge computing, they dealt with the threat of unauthorised peeps attaching USB sticks to distributed terminal units and downloading loads of stuff - the terminal software automatically rejects any attempt to do this and the newly-plugged-in device isn't permitted to load the drivers needed.

Nick

.

a kvm is a lot different to a usb memory stick

It's clear you don't know much about computers and how hardware operates. Whilst mass storage is easy to stop either through group policy or forced encryption, how do you expect IT to prevent the installation of usb keyboards and mice? I've never known a kvm require drivers, let alone software.

It's essentially a keyboard, mouse, vga pass through and when connected to a 3g dongle isn't going to flag up and security issues whatsoever.

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.