Schneier on Security
A blog covering security and security technology.
« Cultural Cognition of Risk |
| NSA Publications »
September 28, 2010
Stealing Money from a Safe with a Vacuum
The burglars broke into their latest store near Paris and drilled a hole in the "pneumatic tube" that siphons money from the checkout to the strong-room.
They then sucked rolls of cash totalling £60,000 from the safe without even having to break its lock.
I like attacks that bypass the defender's threat model.
Posted on September 28, 2010 at 2:42 PM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I assume by "like" you mean "appreciate the cleverness of"?
While I dont see any details of the security system and am not familiar with this type of device this seems like a simple fix. Make the tube one way with some sort of one way block that allows money to go through the tub into the safe but not out of the tube.
I am hoping there is more to this system than appears because from the limited details given this is gross neglegence not to mention just plain dumb.
I can't view the article, because my corporation blocks thesun.co.uk, but don't people usually design vacuum systems such that a plenum prevents things from being sucked up like this?
Its really easy to make one too, we have 3 outside a building to just remove sawdust from the air
The article says these thefts have been going on at the same supermarket chain for four years. You'd think they'd have engineered a simple fix to make the tubes one-way.
So, Monoprix's security program sucks, but the bad guy's plan sucks even more?
Hit the same way 15 times in four years!!
The management of that supermarket chain must be slow learners.
Interesting - I want more details on how this was done though. I've never been in a supermarket in France, but nearly all of the large Tesco stores in the UK have pneumatic tubes from each of the checkouts to a strong room (no windows, double "airlock" doors, alarmed). The pods simply drop into a receiver, and then they are removed, counted, wrapped, and moved into a strong room (which is more like a safe).
Even smaller supermarkets normally keep the cash in a deposit safe, and although there are weaknesses and bypasses on these, you can't use a vacuum cleaner to get anything out.
I wonder if these French stores are 24 hour but don't employ cash handlers all the time - so the pods stack up in some kind of receiver, which can then be vacuumed out?
Anyway, anyone with any ideas?
I swear I've seen this in a cartoon.
Nah, it was a BBC Robin Hood episode. ;-7
Huh. I always assumed those things had a simple check valve.
[grabbing shop vac]
Having a look at this, there do seem to be direct feed safes, with the tube feeding directly into it. I can't see the need for these - if the volume of cash is so low that it doesn't need dealing with straight away, why not just use a normal deposit safe?
It also seems that "parachute bags" instead of the hard pods are in use now, and again I can see these being easier to suck up.
Stealing cash from supermarkets is generally quite a good place to do it - totally unsorted, unrecorded notes. It's also surprising the sheer amount of cash that can be held in a supermarket late on a weekend (though I think the cash handling systems in the UK have caught up with 24 hour and weekend opening now).
Stealing cash is a mug's game though.
Even if there was the equivalent of a one-way valve on the safe, if you had a vacuum and could run it for long enough you'd still be able to steal bundles of cash as they came past.
Unless cleverly designed, a long bendy piece of wire could be fed down into the safe, to hold a one way valve open.
Honestly I find it incredibly surprising that this works at all, so maybe I am incorrectly visualizing how the system works.
"Hit the same way 15 times in four years!!
The management of that supermarket chain must be slow learners."
Alternatively it's an inside job and the 'vacuum thieves' are being blamed as decoys.
This has been done on film: Swedish movie "Jönssonligan dyker upp igen" (targeting IKEA).
Didn't the late Senator Stevens from Alaska warn about the Series of tubes attack?
Monoprix stores are not 24 hours and it seems that the design of the tubes was poor-designed. From what I understand, it seems that all the tubes join near the safe.
15 atacks in four years - I can only assume they no longer have insurance cover for the theft of cash!
Off-topic. I spotted this going by:
It's funny to see my local supermarket quoted in Bruce's blog.
Too bad it's for such a lack of reactivity after 15 successful attacks...
Fool me 14 times, shame on you...
"Fool me 14 times, shame on you.."
Ahh a quote from Futurama's Amy Wong when Zoidburg gets a little frisky.
candice bergen was still a young hottie when she did that at 11harrowhouse, or was it 17charterhouse?
"Nothing sucks like a VAX."
Which Dyson model did they used?
This is a gem for when you're trying to explain the sideways thinking of hackers (hat color notwithstanding), or how thinking defense without thinking about attack is inadequate.
My best friend worked at a pizza place with a safe 25 years ago. When he came to work one morning, the floor was wet. He couldn't find the source of the leak until he opened the safe to find it soggy and devoid of cash.
This was done in the old "Mission Impossible" TV series in the late 60s. They cut a hole into a vault and sucked stacks of money off shelves.
This was the main theme of the 1963 danish movie "Støvsugerbanden" (The Vacuum Cleaner Gang)
This is the first time I've heard of such a system being used in retail and it sounds ridiculous. I could be misreading the article, but it appears that this is an automated "cash drop." The traditional methods are already satisfactory, so I don't see why they add complexity to the process. Here's an example of how a major retailer in the US does it.
Each cash register has a maximum amount of money it can contain, in general and for large bills. After the register exceeds that maximum, with real-time notification, the cashier performs a cash drop. The cash is put in an envelope and dropped into a small drop box for which only a few trusted people have keys. At random intervals, an accountant picks up drops and puts them in the accounting room (isolated behind a strong steel door). Periodically, excess cash, tills, and vital documents are stored in a high quality safe with 10 minute opening delay. Any robbery requires surveillance, quick reaction and must be done in person. This results in at least one felony charge. The stores have never had a costly robbery, as the low cash and high risk act as a deterrent.
The system could definitely be improved. For instance, only a designated individual would have access to the drop boxes (and this may not be the accountant with access to the accounting room). The designated individual, perhaps a supervisor, would periodically take the drops and put them in the drop hole by the accounting door. This reduces the risk and requires two targets to consider: accountant for majority of cash and supervisor for whats in drop box (maybe nothing). Or the supervisor just immediately takes the money to accounting as its dropped (or ASAP). Each method involves costs and productivity tradeoffs, but the original lesser method already works.
Altough I agree with most of the comments , this actually reflects a lack of security that you can also see in Information Systems, where the whole security budget is used to protect data at rest and the transportation is neglected. No encryption, no VPNs,etc.
Let's learn from other's mistakes. :)
@ Alvaro Cuadros
I'll second that. In information systems, I'll add to it a failure to protect information during processing. Easily avoided design and implementation flaws cause more breaches than any other factor. Avoiding the majority comes at little cost. I say the extra cost should be considered part of the security budget, at least partially, because that's what it provides.
I see these kinds of automated cash handling systems at supermarkets and department stores around here all the time.
Money goes into a sort of capsule thing which is put into a tube. The capsule is then fed into some kind of central output location and from there the cash is presumably loaded into a safe/armored car/whaetver (or possibly the central location IS the safe)
Finding the perpetrator could be simple. ...
If Inspector Clouseau would look for the one US elected representative whose name appears on flight arrivals for each of the dates of the thefts.
The wide-stance Republican perpetrator will be instantly identified from among his colleagues, who based on recent history all match him in this unusual billionaire servicing skill and wide-stance proclivity.
Bruce, like terrorists finding ways aroubd TSA's predictable checkpoint countermeasures, this is why we call them intelligent adaptive adversaries.
"why we call them intelligent adaptive adversaries"
Sounds like way to many words to waste on some thugs.. I stick with crooks, criminals, pukes, and other one-word labels. ;)
I used to be a checkout manager in a large supermarket in the UK. To explain how the pneumatic airtube system works is simple.
Each checkout has a send station which has a tube feeding the money which is sent in pods to a central cash office or strong room.
The pods are sent by the cashier at regular intervals throughout the day for security reasons to remove the risk of robbery through having excess cash at the tills.
The system is great as it saves management and security from having to go round with a trolley and complete manual cash collections.
The pods are received into a safe in the cash office and dealt with when time allows.
The only problem has been pods becoming stuck in the system when the suction fails. This usually means that the receiving safe door is open or there is a break in the tube network.
This is relatively rare, although can be stressful when trying to locate 40 pods full of thousands of pounds before you can go home.
I have used systems from Airtube group which are automated and Tesco used to use them. Tesco and Sainsburys now use Airlink (a newer company) to supply their tube systems and pods.
Whatever happened to Airtube Group, ten years ago they were leading the market and supplying every Tesco store. They were good systems, I suppose Tesco wanted the cheapest options.
I would say as a retail manager these systems are great in large stores where a high volume of cash is received.
I can image that eventually as technology progresses and companies aspire to cut costs that the airtube systems will lead the way for other methods. Airlink watch this space!
Ever heard of the cash tube thief who opened the pneumatic tubes in Tesco and Sainsburys whilst he entered the roof space via disabled toilets and took up to £90,000 over a period of time.
He took the pods out containing cash and then sent them back down the tube empty.
Who knows how he did it as the suction stops when the system has a break in vacuum. He is serving time in prison for burglary and if you google key words from this you can read the news articles.
The pod system rocks and more companies should use them. Back in the day all department stores used them. Check out cash railways website to see the old systems used in Allders Croydon etc.
Now Tesco, Asda, Sainsburys, Morrisons, Ikea, Wilkinsons, etc use them.
Check out Airtube Group or Airlink systems if you want to get a system.
maybe next they can apply as janitors on big-time banks?
Drilling a hole in the tube is not how these robberies occurred. Why drill a hole when you can just disconnect the tube? The drill was a long core drill used to drill away the anti-fish baffle. Easy to do because the 63mm metal tube opening in the safe acts as a stabiliser. Once the anti-fish baffle is out of the way you have a 63mm hole right over there the money is. Suck it, hook it, and grab it, whatever you’re into. Amazing anyone would give insurance cover to the receiving unit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.