Police Foil Bank Electronic Theft

From the BBC:

Police in London say they have foiled one of the biggest attempted bank thefts in Britain.

The plan was to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui.

Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems.

Not a lot of detail here, but it seems that the thieves got in using a keyboard recorder. It's the simple attacks that you have to worry about....

Posted on April 4, 2005 at 12:51 PM • 19 Comments

Comments

Israel Torres • April 4, 2005 1:12 PM

still no multi-factor authentication that most likely could have prevented such keylogging trickery... shucks.

Israel Torres

trader • April 4, 2005 1:47 PM

Are there no commercial anti-keylogger products available, within the IT budget constraints of this bank? Or, is it just that their "auditing system" is run by incompetents?

Von Klinkerhoffen • April 4, 2005 1:50 PM

Unless of course, it was logging the admin access to the ACE (SecurID) server. Add your own token, Bob's your uncle, or not as the case may be. :p~

Israel Torres • April 4, 2005 2:03 PM

@trader
In the case of there being a hardware keylogger it is next to unlikely that there may be a piece of software to detect it. At best a program would measure the voltages at perhaps a time when the keyboard appeared to go offline for a second or so (during the time an attacker inserted an inline keylogger).

There are plenty of software keylogger detectors, but with so many spyware-antispyware trust violations it is questionable as to who is working for whom.

The best policy is to physically check your keyboard linkage before typing. Wondering why you have a PS/2-to-PS/2 converter? Or does your keyboard look a little bit cleaner than usual? These kinds of questions are the ones one should ask during such a physical inspection... also, hiding a sticky with your password under your keyboard doesn't help much around the time the cleaning crew comes by and really cleans you out ;)

BTW, it is difficult to defend when:
a. you don't know what you are defending against.
b. your superiors have a deaf ear against anything that requires security.
c. those in charge of security haven't the slightest clue of what security is.

Israel Torres

Chris Walsh • April 4, 2005 2:08 PM

Sounds like an insider (or two) could well have been involved. Makes technical prevention a bit more difficult if the people doing the illegal transfers are the same ones who are allowed to do other, legal, transfers. If this is the case, it would seem that detective controls, at least, worked. Maybe in this case the glass really is half-full.

Tim Green • April 4, 2005 3:02 PM

I remember an authentication scheme suggested a while back for ATMs where the user is presented with a series of portraits in batches of 9. The position of the photos in the grid of 9 is random and the user must select the correct face from each batch. E.g. the faces are family, or movie stars, cartoons, etc., and only the sequence mother, Seinfeld, Mickey Mouse, mother again, mother yet again looking different, will allow access. The shuffling of the pics prevents the same keys being used twice in a row.

For desktop authentication, how about mouse clicks? Can a mouse logger really know where the pointer is on the screen, and what is under the point at each click?

Israel Torres • April 4, 2005 3:13 PM

@Tim Green
"For desktop authentication, how about mouse clicks? Can a mouse logger really know where the pointer is on the screen, and what is under the point at each click?"

If one owns the box, they pretty much own it all. Mouse events are not difficult to track since it simply relies on an xy axis. Some of the logging software out there even saves screen shots at a given interval for auditing. You could pretty much replay an entire user's session.

Israel Torres

Chirayu • April 4, 2005 4:33 PM

How about using images for authentication?
There is the issue of transition, but I guess it foils such keyboard logging attacks and even dictionary attacks.

Steve Wildstrom • April 4, 2005 5:04 PM

The problem with images is that they tend to run afoul of various accessibility requirements, at least in the U.S. (ADA, Sec. 509, etc.). This has been an issue in the use of such images in mail challenge-response systems.

Curt Sampson • April 4, 2005 8:35 PM

If you own the box, you have mouse clicks, yes, but are you recording them? And are you also recording information about what's being written to the display?

Here's something encouraging: my bank, Shinsei (www.shinseibank.com), requires an account number, card PIN and password for authentication to their on-line banking. They offer the option (in fact, it used to be the only option) of using the "secure input keypad" when entering your PIN. This pops up a new window with buttons from zero to nine that you click with the mouse. Even better, the buttons are placed randomly every time.

I was pretty surprised to see this coming from a bank, though they are well known for having very good IT guys.

Dave Howe • April 5, 2005 6:26 AM

TBH, mouse-click software is vulnerable to software attacks (such as "screen capture a square around the mouse pointer each click") but not really hardware ones - it is trivial to turn on "jump to OK button" in the settings of Windows, which will randomly relocate the mouse to a different screen area each time a dialog box is presented.
Software is a lesser danger - not only are keyloggers/mouse-snapshotters obvious to anti-spyware packages, but it is more efficient (and easier) to simply modify the software to keep a record of the passphrases used; few if any people check their banking software against a "known good" copy or hashset, and an IE BHO could trivially access online banking information and send it (via http) to a server of the attacker's choice - no matter how clever the interface looks.

Israel Torres • April 5, 2005 8:22 AM

One of the more difficult to capture (aka higher-hanging fruit) devices has a "protected PIN path". This is where the PIN is typed directly on the same device (multi-factor auth) to log in. It completely bypasses the keyboard, so any keyboard sniffing will be futile when it comes to capturing the PIN.

Israel Torres

trader • April 5, 2005 11:10 AM

@Israel Torres
"Auditing system run by incompetents" is not approximately equal to "those in charge of security haven't the slightest clue what security is" ???

Israel Torres • April 5, 2005 12:20 PM

@trader
""Auditing system run by incompetents" is not approximately equal to "those in charge of security haven't the slightest clue what security is" ???"

One difference is that those in charge of security that are beyond clueless may never get to the auditing part until it is too late.

Israel Torres

Kev • April 5, 2005 1:58 PM

It's important that the 'onscreen keyboard' is coded with security in mind. Obviously it somewhat defeats the object if the onscreen keyboard returns the letter 'pressed' by simply generating a keyboard interrupt, which is what the keyloggers look for anyway...
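The randomised on-screen keypad Curt Sampson describes, built the way Kev asks for (the clicked button is resolved to a digit inside the process, never by synthesising a keyboard event), as an added Python model that is not Shinsei's code or anything posted in this thread. The layouts and PIN are constructed, and the two logger functions only model what Dave Howe's two attacker types would learn from the same session.

```python
"""Model of a per-session shuffled PIN pad (added illustration, not Shinsei's code)."""
import hmac
import secrets


def new_layout():
    """Fresh random button->digit mapping for one session; index = button position.
    secrets.SystemRandom is used so the layout is not predictable from a seed."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return digits


def clicks_for_pin(layout, pin):
    """Button positions a user has to click to enter `pin` on this layout."""
    return [layout.index(d) for d in pin]


def pin_from_clicks(layout, clicks):
    """Resolve clicked positions to digits in-process. Nothing is injected into
    the keyboard input path, so a keystroke logger sees no events at all."""
    return "".join(layout[i] for i in clicks)


def verify_pin(layout, clicks, expected_pin):
    """Constant-time comparison of the entered PIN against the expected one."""
    entered = pin_from_clicks(layout, clicks)
    return hmac.compare_digest(entered.encode(), expected_pin.encode())


def replay_succeeds(recorded_clicks, next_layout, expected_pin):
    """Defender's check: do click positions recorded under one layout still
    authenticate when replayed against the next session's layout?"""
    return verify_pin(next_layout, recorded_clicks, expected_pin)


def screen_capture_logger(layout, clicks):
    """Threat model for the 'square around the pointer' capture: a logger that
    sees the button labels as well as the positions recovers the PIN, which is
    why the shuffled layout defends against position logging only."""
    return pin_from_clicks(layout, clicks)


def demo(pin="2580"):
    """Two sessions, same PIN: the click sequences differ and a replay fails."""
    first, second = new_layout(), new_layout()
    clicks = clicks_for_pin(first, pin)
    return {
        "clicks": clicks,
        "accepted": verify_pin(first, clicks, pin),
        "replay_accepted": replay_succeeds(clicks, second, pin),
    }
```

`demo()` reports `replay_accepted` as False except in the rare case where the two random layouts happen to place the PIN's digits identically.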

Davi Ottenheimer • April 6, 2005 1:21 AM

Um, actually, it was the simplicity of the exploit that led to the arrest. The criminals performed typical "seed money" transfers, which set off alarms and led police to also capture various accomplices in other countries. Had they used a more sophisticated attack method....

Anonymous • April 7, 2005 11:34 AM

Ha ha ha, oh dear, and what about that guy with access to the CCTV camera!? But pointless then, or the CRT scanner. Come on! Read up on security!...
