Schneier on Security
A blog covering security and security technology.
February 27, 2006
Something like 50 million pounds was stolen from a banknote storage depot in the UK. BBC has a good chronology of the theft.
The Times writes:
Large-scale cash robbery was once a technical challenge: drilling through walls, short-circuiting alarms, gagging guards and stationing the get-away car. Today, the weak points in the banks' defences are not grilles and vaults, but human beings. Stealing money is now partly a matter of psychology. The success of the Tonbridge robbers depended on terrifying Mr Dixon into opening the doors. They had studied their victim. They knew the route he took home, and how he would respond when his wife and child were in mortal danger. It did not take gelignite to blow open the vaults; it took fear, in the hostage technique known as "tiger kidnapping", so called because of the predatory stalking that precedes it. Tiger kidnapping is the point where old-fashioned crime meets modern terrorism.
Posted on February 27, 2006 at 12:26 PM
• 46 Comments
Bruce, any real protection against this sort of attack?
Movie Plot Attack:
A pinch of Bandits + a smidge of Firewall + and a little dash of Ransom = Kent Robbery.
Minus, of course, a doofus with squibs, Harrison Ford or Mel Gibson.
No need to hack into the vault... it's easier to convince someone to open it up with their keys!
Sort of reminds me of the adage "Why bother cracking the password, when I can just ask one of the users to give me theirs?"
I would say the only real defense against this is to configure the vault so that one person, acting alone, can't open the door -- sort of like how they handle the keys to the ICBMs/SLBMs.
"Bruce any real protection against this sort of attack?"
Not much, I think. Systems like this need trusted people to operate, and trusted people can be fooled, bribed, or threatened (as happened in this case). The trick is to design security so that one person can't subvert it. Time locks on bank vaults, for example, are a security countermeasure that protects the families of bank managers.
From my recollection of reading an account of the entire robbery, it was not as though the manager and robbers were alone at the depot. It was full of employees. They were using the manager's authority (and perhaps the employees' compassion for the manager and his family) to get the employees to cooperate.
So your solution wouldn't have helped in this situation.
Funny conversation WRT this story:
"Somebody in the UK just stole 2.2 tons of cash!"
"So how much is that in pounds?"
or 50 million. What pounds did you mean?"
I think they actually used guns to get the employees to co-operate. Far more effective in the average workplace than counting on compassion for your boss!
Nah, they couldn't have used guns... after all, possession of guns has been banned in the UK!
Using the ICBM is a good example. However, more to the point, the ICBM uses a multi-layered approach to security. The layered approach is not terribly "brittle" and simply having the "keys" to the "door" is not going to get you very far.
ICBM security was / is / has been an outstanding representation of "Defense-In-Depth."
Speaking of movie plots, I am reminded of a scene in "The Usual Suspects" where a person confronted with enemies having taken his family hostage to ensure his cooperation, promptly kills his own family before proceeding to slaughter the (other) bad guys. The moral is that, as long as there is anything you value more than what you are protecting, you are vulnerable to this type of attack.
A time lock would not help, since the bandits, driving around for 6 hours with the manager's family, did not seem to be in any great hurry. Presumably, they would have been willing to rearrange their attack to coincide with the hours the objective would be available. Increasing the number of persons needed to open the vault only increases the number of innocents the attackers need to round up.
My first observation of this is that it'd be a huge risk for anyone to even attempt a theft like this. What are really the chances of walking away with that kind of cash, even if you'd get the money in your getaway van? Zero?
I think only an idiot would even try it (or someone who's seen too many movies).
Secondly, I think it's a huge embarrassment for that security company. I mean, would anyone trust them to handle their security after this? After all, it's a worldwide security company that claims to be no.1 in security. How'd they let anyone walk away with £50M is pretty much unbelievable.
Good marketing, at least..
A key difference between an ICBM and a bank vault is that people would be prepared to sacrifice the lives of their families to protect it - or, at least, sacrifice the lives of somebody else's family to do so, which is all that's required. Nobody is going to do that for a pile of cash.
You can't compare the security of an ICBM site with that of a bank. Nothing the bank manager has power over (millions of pounds of someone else's money) compares to anything the generals holding the ICBM keys have power over (life or death of millions of innocent human beings).
Hostages may be a useful leverage for getting someone to relocate large sums of money, but they're not so useful for getting someone to commit mass murder.
The robbers took cash. Can you imagine £53M of cash? Try spending that or opening an account without raising suspicion. No-one uses cash these days for large, well quite small actually, amounts.
53 million quid will let the Provos buy enough AK-47s and Semtex to replace the weapons they "decommissioned" last year or so. The global arms market just loves cash.
"A time lock would not help, since the bandits, driving around for 6 hours with the manager's family, did not seem to be in any great hurry. Presumably, they would have been willing to rearrange their attack to coincide with the hours the objective would be available."
Also the hours when there would be the most witnesses and a higher number of active and vigilant law enforcement agents present. The time lock increases the operational risk to the criminals by preventing them from performing their crime at the time of their choosing.
"Increasing the number of persons needed to open the vault only increases the number of innocents the attackers need to round up."
And makes the crime that much more difficult to perform. Seriously, it's one thing to threaten and intimidate a single person, and quite another to be able to do the same thing to two people *at the same time* without being detected. You'll need more people to do it, which means more people to split up the loot with, which decreases the potential return of the crime, and more people that the crime's masterminds need to be able to trust, which makes operational security on the criminals' end more fragile. I imagine that this could easily make the crime infeasible in that the risk can be calculated to exceed the payoff.
"Tiger kidnapping is the point where old-fashioned crime meets modern terrorism."
Huh? Is there anything at all that backs up this statement, or is "terrorism" just the new word to throw around whenever something really bad happens? I do respect the Times a lot, but this is both stupid and (ultimately) dangerous.
I think white collar crime takes money on this scale regularly.
I guess banks look at it as a profit/loss issue, more than a law/order issue, and I doubt they worry about the long-term problem of what the thieves might do with the money.
When you have that kind of $$$ do you think you really are in any danger from the police?
And the same goes for when you have that type of morals ... if you want something material in a relatively open society like ours, it's there for the taking. How you get it is a matter of style.
The world is a big place, and customers exist for every commodity, even stolen paper.
The real question is, since that is true, why do people want to hurt others?
It seems to me that a little bit of remote sensing and operations could have gone a long way here. Consider if the manager couldn't let them in - to get in, you have to stand in an 'airlock' while a remote guard views you by video and controls the locks. Inside, the money could be in sub-vaults, again openable only by a remote guard with video cameras. The sub-vaults could be on time locks as well. You can try to influence the guard by threatening innocents, but you can't make them open the vaults faster than the time lock allows, or know whether they've called the police.
An alternative, simple and brutal countermeasure is after a robbery to always execute all staff who were present. This policy greatly reduces the thieves' bargaining power.
Definitely layered protection is needed. I would like to add a keypad that is also needed with a key and another person's key to open. The keypad has three codes. One opens the vault, another opens the vault and sets off a silent alarm (plus cameras, start logging embedded RFID serial numbers, etc), and the last one locks everything up and sets off an alarm.
"...or is 'terrorism' just the new word to throw around whenever something really bad happens?"
Yep, that's it. "Terrorism" is the scare-word of the early 21st Century.
Suggestions to improve security, remember that if you make the building too secure, it becomes an asset of its own worth 'stealing', and offers crooks another method of extortion: DoS users of the building once you get an agent inside, and extort money for return of the facility.
An awful lot of money is extorted rather than stolen outright.
There is a point where people have to accept that in a shared world, resources can only be withheld to a point. Dogmatically sticking to your ideal of possession and control of some particular property may take away your very enjoyment of that resource.
People who work on these problems daily probably have a better judgement than ourselves. But this offers a good opportunity to observe and try to learn how these secretive worlds operate (both the crooks and the bankers/police).
"I think white collar crime takes money on this scale regularly."
Depends what you mean by "take".
Enron, for example, made approximately US$60 billion disappear. Those guys had to hide a different kind of paper, though.
I think the more interesting side of this caper is whether the culprits will be able to "smurf" their way clean through bribes or other deals to avoid detection when they launder bills on a large, distributed basis.
"Tiger kidnapping is the point where old-fashioned crime meets modern terrorism."
Ah yes, I remember when the kidnappers used to be so civilized and kind. They would arrive in a lovely carriage and bring baskets filled with shiny porcelain pots of tea and plates of sandwiches. They would ask politely if someone would bother opening the vault(s). Alas, those were kidnappers and bank robbers a modern country could be proud of...what a shame that things have deteriorated so far that people resort to such depraved animal-like behavior. Tigers, indeed.
"Something like 50 million pounds"
And they say blogs aren't an accurate source of reliable information.
j/k, couldn't resist that one.
With Biometric authentication devices getting a bit closer to reliable, the thought that crossed my mind is having biometric devices that not only authenticate the physical features of a person but also take note of a person's emotional state. In theory, a fearful person would have adrenaline pumping, increased heart rate, maybe sweat more...etc. I could have sworn I've read a Digg/slashdot article describing a way to detect possible fear. It would be interesting to see a biometric system that would only allow access if the biometric scan and the emotional state were in check. Adding yet another hurdle for a criminal. I could only imagine trying to threaten someone without upsetting them to the point where the described system would find them too emotionally unstable to comply.
Isn't this what they invented time locks for? I thought that stopped the tiger kidnaps of the late '70s/early '80s?
There's a very interesting insider's insight into the kind of people responsible for this sort of
"During the years I spent in prison as a high-security category-A prisoner, I encountered a number of men who operated in what amounted to this premier league of crime. They were rarely unintelligent. Some behaved like captured soldiers, prisoners of a war waged against the civilised world. They would only speak to prison staff when absolutely necessary and would barely acknowledge any of the lower ranks of those they considered "prison fodder"."
"An alternative, simple and brutal countermeasure is after a robbery to always execute all staff who were present. This policy greatly reduces the thieves bargaining power."
That would work if you were in Stalinist Russia or N. Korea, but in the UK? I don't think so...
This also assumes that anyone would work for such a company. Kind of hard to find employees willing to die for someone else's mistake/greed. :rolleyes:
How would remote monitoring prevent the manager from going in alone, knowing that the robbers have his family hostage? Unless he loves the company more than his family, he's not going to tell the guards once he's out of the robbers' sight.
Now, if it was known (as in advertised) that no one person could access the cash, and that someone somewhere else (unknown to the robbers) had to OK the access, and only during certain hours of operation (time locks), and then only with armed guards present...that'd tend to prevent the vast majority of attempts.
Also, no reason why (planning for failure) there couldn't be trackers hidden amongst the cash that would alert authorities to a robbery, as only central office would know where and what type of trackers are there (not advertised) and that branch staff wouldn't know about, thus not being able to alert the robbers to, even if they were under extreme duress to co-operate. :p
Layered local defense and remote authorization, with countermeasures against collusion and subversion, just like with an ICBM.
Were they expecting someone to come and make a large withdrawal? I'm surprised that such large amounts of cash are not just incinerated and converted to an integer in the Bank of England's records.
It's just paper.
Yes, they were expecting someone to make a large withdrawal - this was a security depot, the place where all the vans go to collect and deliver large amounts of cash to and from banks and so on. So it probably contained the cash float for a significant proportion of the South of England.
Has a Las Vegas casino ever been robbed at this level? Have the Vegas casinos more to lose than this "security" company had? Not just in money but in public confidence.
I play mid-level poker and let me tell you, I feel safer with $5,500 in my pocket at a casino than I do with $500 for a home game in a nice neighborhood here in town.
The difference is that, having been founded by criminals, the Vegas casinos were designed from the sand up to be secure, with an appropriate -- not skimpy -- investment in it, and an understanding that they are protecting not only the cash in the cage but also the public's confidence that it's OK to go in there and wave a wad of money around.
1. I understand the kidnappers impersonated police officers. The more powers police are given, and especially the more civilians are encouraged to obey police unthinkingly, the better this strategy will work.
2. We were told that police accorded this investigation the same priority as a murder case. Why? No individual or organization was harmed by the loss of the cash, and the only effect was to inflate the currency by a tiny amount. If inflating the currency is a crime, thousands of politicians worldwide should be serving long jail terms.
In that case, I'm surprised to see how much the economy still depends on cash.
I'm easily surprised. (Oooh look, a tree!)
"I'm surprised that such large amounts of cash are not just incinerated and converted to an integer in the Bank of England's records."
The notes in Tonbridge were a mixture of new notes being held in bond for the Bank of England (BoE) to be delivered into circulation (£25M worth, which has been repaid to the BoE by Securitas) and used ones, either being recirculated from retailers or being returned to the BoE, ultimately to be destroyed. Notes are only destroyed once they reach the end of their useful life - they cost money to print and are kept in circulation until they become too shabby to use.
The new notes will have consecutive & recorded serial numbers, and will be more-or-less worthless.
The BoE has an excellent web site (with some comment about the Securitas robbery) at http://www.bankofengland.co.uk/
Slightly OT, but the Bank also has an excellent museum (http://www.bankofengland.co.uk/education/museum/index.htm) which is well worth a visit if you happen to find yourself in the City of London. (Note that it is closed until May 2006 for refurbishment.)
"And they say blogs aren't an accurate source of reliable information."
Did you perhaps mean to say "a reliable source of accurate information"?
"'Terrorism' is the scare-word of the early 21st Century."
Re Tom Welsh comment
Reports are that the manager was pulled over on the road by an "unmarked" Police car (in the UK they have blue lights hidden behind the grill etc) and then "arrested". His family were taken by another set of fake Policemen who claimed he'd been involved in an accident (I presume they said they'd take them to the hospital).
Neither of those scenarios requires "police state" powers in order to succeed. It's just good old fashioned social engineering (indeed in a police state people tend to be far less trusting of the Police so there's a good chance such attacks would be less successful).
As for "No individual or organization was harmed by the loss of the cash", I think the victims who were kidnapped and held at gunpoint might dispute that assumption...
What I can't work out is why this robbery happened at all. The robbers are clearly clever and resourceful, so why didn't they realise that the amount of money they stole could never be successfully laundered?
If they had just taken a few million they would have stood a much greater chance of ultimately enjoying their loot.
Perhaps they just got greedy.
In a way, this reminds me of Japan's attack on Pearl Harbor: tactically a huge success, but strategically stupid.
"ICBM security was / is / has been an outstanding representation of Defense-In-Depth."
Unless the key is absurdly simple. Please read:
to find out why. So long for the Wargames-like movies!
Because of his position Mr. Dixon should have realized that he and his family were at risk and taken steps to mitigate that risk. There had to be a lot of planning that went into this crime. They should have noticed strange activity and persons watching them at their home, on the way to work, and at work. Once the plan gets to the stage where they are pulling him over it is too late and the situation is almost completely out of his hands.
This type of thing has happened before. I have made a quick write-up about it in my blog.
No one seems to mention anywhere that this problem has already been solved. It's pretty much basics and the same goes for the "people"-problem. I'm pretty sure, for instance, that although I only got the crypto ones, all of Bruce's security books have this scenario explained and what to do about it.
Letting someone get away with £50M or thereabouts is simply incompetence and nothing else.
Despite leaving no fingerprints, destroying DNA traces with corrosive chemicals, using prepaid anonymous cellphones which were completely destroyed as soon as they had been used, and demolishing the vehicles used at a breaker's yard, it seems that some of them have already been caught.
The method used? Backtracking from the kidnapping sites, using the ubiquitous UK CCTV system which has been recently discussed on this blog. Not yet clear if the license plate recognition system was the method used to process it all so quickly, or if they just threw a large number of eyeballs at the problem.
Why take all that cash if they can't leave their house???
This robbery is a very good reason for being nice to everyone you meet - you never know who is who or how generous they may be feeling that day!
All the police reports are quick to mention the number of people they have arrested, and the amount of cash recovered thus far. However, they do not remind us at all of how much is NOT recovered. The trial will be interesting?