Cyber bank robberies a warning for business, say experts

Barclays has joined Santander in being targeted by criminals who took control of bank computers using inexpensive kit

Santander is the latest bank to be targeted by criminals who took control of a Barclays computer using inexpensive kit.

The Santander attempt was foiled, but £1.3m was stolen from Barclays using a keyboard video mouse (KVM) switch to gain remote control of a computer at the bank and transfer funds out of accounts.

The KVM is commercially available and designed to enable users to control multiple computers from one keyboard, video monitor and mouse.

In both cases, the device was attached to a bank computer by someone masquerading as an IT maintenance engineer.

The London Metropolitan Police said eight men have been arrested and most of the money recovered after it was transferred from a Barclays branch in Swiss Cottage in north London in April.

The robbery is being linked to a recent attempt to use the same KVM strategy to steal from Santander, and both cases are under investigation by the same police team, according to the BBC.

Four men were arrested and charged with attempting to take control of computers at the Santander branch in Surrey Quays, south-east London, but police have indicated that the latest arrests in connection with the Barclays heist are at a higher level of the criminal network involved.

Multi-layered security required

Both cases underline the need for organisations to continually ensure that appropriate physical security controls are deployed, as well as technical IT controls.

“Using KVMs is highly attractive to criminals, especially if placing a device is seen as an easy alternative to attacking a bank online or via social manipulation,” said Chris McIntosh, chief executive of ViaSat UK.

These two cases prove that attackers will always aim at what they perceive to be the weakest link, such as firewalls, employees, laptops, or the fact that nobody usually questions an engineer, he said.

“Organisations should take a somewhat fatalistic approach, and accept that some form of penetration is inevitable,” said McIntosh.

IT security strategies can then reflect this, he said, by aiming to spot any unexpected movement or transmission of data by using network visualisation and monitoring tools, for example.

“Much like a superbug, cyber attacks are constantly evolving, whether by finding entirely new routes or new uses for old-fashioned methods. Organisations need to focus on curing, rather than preventing, these new threats,” said McIntosh.

Martin Jordan, director of information security at KPMG, said the risk posed by new cyber attack technology goes beyond banks: “This should be a wake-up call to anyone working in back-office, trading and treasury desks, who will be trading millions of pounds.

“The equipment used in the retail banking attacks is readily available online, costing no more than a few hundred pounds,” he added. “Companies therefore need to increase their vigilance. As an initial response, companies should be performing bug sweeps of front and back-office locations, both at a physical and electronic and radio frequency level,” he said.


It is not just those in financial services who should be very afraid. This is a reason for moving across to trusted computing (both hardware AND software) processes. On Thursday I will be chairing a meeting of the Digital Policy Alliance group that is drafting guidance for those looking at making the change. We will be looking for reviewers who will wish to use the result for their own organisations. Those interested in joining the exercise should e-mail the DPA administrative secretary with details of their interest.


Hmm, anyone who believes that trusted computing is going to solve the problems is deluding themselves. For every positive use of technology there are many more negatives that can be exploited. Trusted computing may seal the borders of an organisation but to live in the real world it eventually has to communicate with the great unwashed. In addition, when you have entities like the National Security Agency watering down security so they can either break in or insist on back doors under the cover of rule of law, then no system in the real world can be trusted.

Finally, imagine as an organisation, e.g. national government or mega multinational, you decide that the weakest link in trusted computing is people. Thus you decide to remove all authority from people and embed it in AI such that permission to do anything is under the indefatigable control of some all-seeing authoritarian unchallengeable computing system. Then you sell that tech to many other organisations... Hello Proteus... think about it.


This DPA exercise is part of the follow up to a study on "Security by Design", (as opposed to by afterthought). That study was prefaced by a quote from Professor Richard Walton (sometime Director of CESG): "The main benefit of investing in better security technology is to force the enemy to concentrate on corrupting your people instead of trying to break your system."

Trusted computing technologies are a cheaper way of being "reasonably" confident that you know the device that you are talking to and where it is. Whether it is still in the hands of the person you thought it was, whether they are trustworthy and even if trustworthy, they are not under duress, are other matters.

I fear we may be in violent agreement.


In many ways we are in agreement: if you make the cost of attack (as in breaking in and stealing something to make it worthwhile) high enough then the enemy will either think again or move on to a softer target depending on the original intent. The problem is that to make trusted (or treacherous) computing ubiquitous you potentially give technology to the dark side, making it harder to police the world. Thus you have to water down capability, which becomes self-defeating. It is a no-win situation.

Logically, it would seem better to focus assets and resources on an operational assumption that the organisation is going to be penetrated. Policies then need to execute damage limitation responses that react quickly to plug the hole. In many senses, focus on building immune systems that continually monitor and investigate changes to operational norms. The human immune system works on the basis of being invaded before mounting a response. If it behaved like present computing technology we would all be dead by now.

Trusted computing reminds me of the Maginot line!