Schneier on Security
A blog covering security and security technology.
« Identifying People by their Bacteria |
| Jeremy Clarkson on Security Guards »
March 29, 2010
The amazing story of Gerald Blanchard.
Thorough as ever, Blanchard had spent many previous nights infiltrating the bank to do recon or to tamper with the locks while James acted as lookout, scanning the vicinity with binoculars and providing updates via a scrambled-band walkie-talkie. He had put a transmitter behind an electrical outlet, a pinhole video camera in a thermostat, and a cheap baby monitor behind the wall. He had even mounted handles on the drywall panels so he could remove them to enter and exit the ATM room. Blanchard had also taken detailed measurements of the room and set up a dummy version in a friend's nearby machine shop. With practice, he had gotten his ATM-cracking routine down to where he needed only 90 seconds after the alarm tripped to finish and escape with his score.
As Blanchard approached, he saw that the door to the ATM room was unlocked and wide open. Sometimes you get lucky. All he had to do was walk inside.
From here he knew the drill by heart. There were seven machines, each with four drawers. He set to work quickly, using just the right technique to spring the machines open without causing any telltale damage. Well rehearsed, Blanchard wheeled out boxes full of cash and several money counters, locked the door behind him, and headed to a van he had parked nearby.
Eight minutes after Blanchard broke into the first ATM, the Winnipeg Police Service arrived in response to the alarm. However, the officers found the doors locked and assumed the alarm had been an error. As the police pronounced the bank secure, Blanchard was zipping away with more than half a million dollars.
Posted on March 29, 2010 at 1:48 PM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Many would have done this just to roll in the green with the girlfriend.
Is this Wired hyperbole or accurate?
The takeaway for me is the vulnerability he exploited repeatedly: not securing the site until the valuable stuff was actually there.
The methods were all somewhat typical or not too sophisticated. How he pulled off so much for so long though was quite frankly amazing. And like a true mastermind, he just couldn't keep his own greatness a secret.
The CBC TV show about this that I sent you four months ago had a lot of details, interesting pictures of the sites, and a personal interview that had interesting comments about security issues. Unfortunately it doesn't seem to be available on line any more.
These are always interesting if not romanticized reads... These stories always remind me of the phone phreaking/captin crunch tales, and Mitnick stories. It's a fine line between whitehat and blackhat, thank goodness Bruce chose former.
It's been my experience that there are four primary ways brilliant frauds and crimes get found out: 1) they get too greedy, 2) they talk too much, 3) they get unlucky, and 4) they make a dumb mistake.
1 doesn't really apply here, it's more of an embezzlement mistake, where a periodically small amount goes unnoticed then they person gets greedy and increases to a noticeable amount.
2-4 all apply here. He talked to much on the phone, he got unlucky (walmart vigilante picked his car on that one night), and he did something stupid (rented the car in his name, which is puzzling considering all his fake IDs).
It amazes me how one dimensional large organizations can be. Not securing a bank prior to its opening. Unaware that they were being repeatedly examined for weaknesses.
I wonder how long before someone secures the movie rights to this story?
@James - It is also amazing how perfect hindsight is!
The bank has built hundreds (thousands?) of buildings, over generations, without a similar incident - it doesn't really seem too surprising that they weren't prepared for this. There are lots of ways to spend money on security, but the budget is always limited.
@Peter no, banks are mostly lucky. Most bank robbers are idiots and the FBI investigates robberies.
I have heard of insanely dumb stuff they do. Among my favorites was a temporary bank (relocated during construction). Carefully locked time safe... in an unattended box on wheels. There is no particular reason no one /stole/ the bank one evening.
Of course banks are lucky, and of course crooks are idiots - but that doesn't justify spending money on every movie-plot theft strategy one can imagine (or, more likely, not imagine) - in fact, it is impossible. Very rarely, an idiot will get lucky too - but that will happen no matter how hard you try to defend yourself. At some point, a cost/benefit calculation says you've made the risk as small as is practical.
Encountering a thief who happened to be living in the right place, with all the necessary knowledge and skill and will, and with almost every break going his way, was an extremely low-probability event.
A career to aspire to ... and other people agree; they let him out after two years. What a concept...
@HJohn: spies get caught that way too.
Arrogance and ego show up quite reliably in any situation where there's an abuse of power, eventually to the abuser's downfall. No one is "too big to fail".
There but for the grace of God, Bruce... although you're doing great in your chosen career. O:-)
Shades of the Pink Panther! It isn't the score, it's the challenge! After he gets out of stir, he can sell his story for a gazillion buck$. Either that, or this is a GREAT April Fool joke... :-)
Start up his own security business? If you were a bank would you trust him?
rich @March 29, 2010 3:25 PM
jkane @ March 29, 2010 7:59 PM
How do we know that everything Bruce has done and said publicly isn't just a front for his endeavors as a criminal super-mastermind, conducting movie-plot type heists that he's convinced the security apparatus are too silly to worry about.
This sounds so much like Frank Abagnale Jr (Jr)... who of course dissociates himself from the "larger-that life" tales of his own life - http://www.abagnale.com/comments.htm
Who knows how much dissociation Gerald Blanchard will require to get closer to the truth.
The interesting thing I take away from all of these is that the people really did know most of the investigator's tricks and so they were able to avoid them for a very long time. But there's always one unknown unknown, and that's what gets them in the end and it causes everything else they've done to unravel. Once it starts to unravel, it's just too late.
They're smarter than most people, sure. But if some random person notices the wrong things, it'll all come undone.
Incidentally, I have no idea who it was in that van or SUV who pulled off of I-10 West just north of the Gila river, by the butte at 2:40 AM on Tuesday, March 30, 2010, but in the unlikely event they were doing something illegal, now everybody knows. Why pull over in the middle of nowhere in the middle of the night? Bathroom break? If their tire went flat, I didn't see it.
just to add a reason why these people got found out: inconsequence.
If I set up a criminal buisiness on a regular basis like this bloke, why stop with fake IDs? Fake ID is helpful if you suspect you are going to be watched. Why not assume one is watched all the time? Talking on an unencrypted telephone line? Storing incriminating data on unencrypted drives (truecrypt hidden colume e.g.)?
One can do a long time without such precautions as long as it is all below the threshold of interest to the cops. But like in this example of the two eager cops and the walmart-parking lot it is unpredictable where this threshold is. So assuming constant survaillence would help a lot.
But this ruins the experience of being a master thief with Cary Grant-charme down to being paranoid. Maybe not so cool anymore :-)
@Trichinosis USA: "spies get caught that way too."
Almost anyone who commits any crime, particuarly repetitive criminal activity, ultimately gets caught by opening their mouths, getting too greedy, getting unlucky, or being careless.
Being lucky, careful, quiet, and modest (knowing when enough is enough) is tough to pull of every single time for the long haul. You only have to goof up or get unlucky once.
@HJohn: 'ultimately gets caught by opening their mouths, ...'
I remember a comment I heard some time back (in the context of conspiracy theories) that part of the reason we know about some of these old 'secret societies' such as the actual Bavarian Illuminati is that many members couldn't resist bragging about how important they were that they were a member of this secret cabal...
And, as mentioned above, fundamentally the smart bank robber is a statistical anomaly. Far more bank robbers are like the guy my father used to talk about: he got caught because he went into the bar less than a block away from the bank, bought a round of drinks for everybody, and paid for it in cash with bills taken from the same paper bag he got them in from the bank. Then proceeded to get drunk and talk about how smart he was...
From the linked article:
"The real trick was ensuring that the spring-loaded mechanism the star was sitting on didn’t register that the weight above it had changed. Of course, he had that covered, too: He reached into his pocket and deftly replaced Elisabeth’s bejeweled hairpin with the gift-store fake."
Either some poetic licence was taken, or he was extraordinary lucky that the gift store's replicas were accurate not just in appearance but also in weight.
@Bryan Feir: Far more bank robbers are like the guy my father used to talk about: he got caught because he went into the bar less than a block away from the bank, bought a round of drinks for everybody, and paid for it in cash with bills taken from the same paper bag he got them in from the bank. Then proceeded to get drunk and talk about how smart he was...
Just last week, as I linked to above, some crack team of bank robbers actually called the bank ahead of the robbery and told them to have the money read. Brilliant!
@HJohn at March 30, 2010 12:28 PM
"money ready" (not money read)
@HJohn: "as I linked to above, some crack team "
Actually, I linked to it in the "Acrobat Thieves" post.
My apologies. I'm on meds that have made me loopy, and I need to double proof read before I post.
Please don't put this guy on a pedestal because of his cleverness. He’s a thief just like Alberto Gonzalez or Bernie Madoff. He knew the consequences of his crimes and had multiple chances to stop. If he wants to make amends he should do it from a jail cell until he is old and gray.
If you want to break into a private vault, just wait for a refurbishment and tunnel in and take everything from the strong boxes. On site security guard not much use either...
Tuesday, 30 March 2010
"A gang of robbers have dug their way into the vault of a Paris bank and emptied almost 200 private safes.
They entered the Credit Lyonnais branch using building equipment to burn holes and shatter walls on Saturday night, reports say.
The group tied up a security guard and spent the following nine hours robbing the bank before setting it on fire as they left. "
No, James had a good point. This has nothing to do with hindsight. When building a high security container or system to protect high value assets, one must secure the construction or development process itself. Subverting infrastructure, buildings, or systems during their development isn't neither new nor a movie plot threat.
One of my favorite examples was a US embassy in Moscow where they did a bug sweep and found tons of bugs. They were in the walls and everything else, thanks to the construction crew. ;) The principle is also seen in Common Criteria or FAA processes for high assurance: strong configuration management and reviews are required to prevent subversion. When developing security programs, I always focus on the whole lifecycle rather than just production/maintenance phases.
So, it just goes to show there's standards everywhere for preventing this kind of thing. They chose poor security measures that didn't stop likely attack vectors, like the ducts that he used constantly. Then, they decided to not focus on security or monitoring at all until it had people and cash in it. That sounds to me like they decided to take a huge, calculated (i.e. the odds) risk and it didn't pay off.
I have read comments about how terrorists don't use cameras to scout attacks. Maybe not, but this guy sure did.
I thought that was interesting.
Let be put it this way, most of you wouldn't know a criminal if he or she was standing right in front of you. Stealing is an art, if you lack a creative mind your career as a thief will be short lived. Most thieves are educated and are natural born actors. The steal because they enjoy the challenge living life on their on terms, and not being a slave to the system. Of course the down side is prison, if caught. A thief always keep his or her planning simple to insure no mistakes.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.