London Metropolitan Police have arrested 12 men in connection with a foiled attempt to steal millions of pounds by taking remote control of a computer at Santander.
The London-based cyber criminal gang fitted a device known as a keyboard video mouse switch (KVM) to a computer in a Santander branch in Surrey Quays shopping centre in southeast London.
The inexpensive device allows a user to control multiple computers from one keyboard, video monitor and mouse, and would have allowed the cybercriminals to take control of the bank’s computer remotely.
The attack presents several important lessons for banks and other organisations to learn about the need for physical protections, as well as up to date cyber attack prevention technologies.
But the Met Police said a "time-critical, dynamic response" by detectives and bank officials had thwarted a "very significant and audacious cyber-enabled offence" that could have cost Santander millions.
A spokesman for the Met said it was not clear whether any money was taken, but the bank told Sky News "no money was ever at risk."
Police arrested 11 men in Hounslow and another in Victoria, whilst searches were carried out in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slough, where property was seized.
A Santander spokesman said: "Like all high street banks, Santander works very closely with the police and other authorities to help prevent fraud.
"Through this co-operation, Santander was aware of the possibility of the attack connected to the arrests. The attempt to fit the device to the computer in the Surrey Quays Branch was undertaken by a bogus maintenance engineer pretending to be from a third party."
The bank confirmed no Santander staff were involved.
"We are pleased that we have been able, through the robustness of our systems, to prevent the fraud and help the police gather the evidence they needed to make the arrests," added the spokesman.
These arrests prove the ease with which anybody can conduct what is described as a very significant and audacious cyber-enabled offence, said Raj Samani, chief technical officer for McAfee in Europe.
“Simply plugging in a physical device that can be attained from any number of legitimate outlets demonstrates that the bar required to be a ‘cyber-criminal’ is probably at its lowest level,” he said.
For organisations this demonstrates the need to continually ensure that appropriate physical security controls are deployed, said Samani.
Companies need to be much more careful about who they grant physical access to when it comes to their offices, and how closely such people are monitored, said independent computer security expert Graham Cluley.
“They also need to foster an environment where staff don’t feel uncomfortable asking people to show their credentials if they are an unfamiliar face,” he wrote in a blog post.
Greg Day vice president and chief technology officer at FireEye for Europe said with USB being a standard for so many hardware devices, and with monitors often including USB hubs, the scope of what data could be collected has certainly increased to include keyboard and mouse inputs.
“Equally with the ever increasing capabilities of mobile bandwidth you could now stream the data off the device via, for example, 4G or Wi-Fi to the attacker,” he said.
Attackers need physical access to install the device, but these are typically small and once installed can easily go unnoticed, said Day.
“Organisations don't typically physically check the connections on their systems for additional devices,” he said.
Chris McIntosh, CEO of ViaSat UK, believes this is a sign of the times and that attacks will become increasingly bespoke.
He said organisations needed to consider almost every eventuality and the best way to be secure is to assume that attacks will succeed and aim to spot and deal with them.
“As we have seen, such attacks will become increasingly targeted: essentially bespoke strategies designed to identify and exploit the weakest link in a particular target’s security – whether that is its employees, its laptops or the fact that there is no need to breach a firewall if you can instead physically infiltrate a less-protected area of the business,” said McIntosh.
The sheer volume of attacks means some form of penetration is inevitable, he said, and organisations’ strategies should reflect this
He added using network visualisation and monitoring tools, for example, could ensure that any unexpected movement or transmission of data is swiftly spotted and investigated.
“We cannot immunise against cyber-attacks, but we can certainly spot the symptoms and treat them swiftly,” he said.
The past 18 months has seen a spate of attacks against banks across the world, including the highly complex global financial services fraud ring that hit the US banking system.
Uncovered by McAfee and Guardian Analytics in June 2012, this attack delivered Zeus and SpyEye variants using automated techniques.
McAfee said it showed fraudsters were moving toward cloud-based servers with multifaceted automation.
More on cyber attacks on banks