The Metropolitan Police Central e-Crime Unit (PCeU) arrested eight men, aged between 24 and 27, on Thursday, in connection to a robbery from the Swiss Cottage branch of Barclays Bank in April. According to police statements, the theft resulted in the loss of 1.3 million pounds ($2 million), but the bank managed to recover most of the stolen funds.
In an unusual twist, one rarely mentioned or seen when it comes to financially motivated cybercrime, the men allegedly mixed physical penetration and social engineering with system compromise in order to carry out their crimes. When Barclays reported the robbery in April, police investigated the incident, and conducted a search of the Swiss Cottage Barclays branch in North London. During this search, investigators discovered a KVM switch attached to a 3G router hooked up to one of the branch computers.
"It was later established that the previous day a male purporting to be an IT engineer had gained access to the branch, falsely stating he was there to fix computers. He had then deployed the KVM device. This enabled the criminal group to remotely transfer monies to predetermined back accounts under the control of the criminal group," a PCeU statement explained.
Police say the men operated from a control center in central London, but residences in Westminster, Newham, Camden, Brent, and Essex, are also being searched. So far, the searches have yielded cash, jewelry, drugs, thousands of credit cards and personal data. The idea that the criminals used physical penetration as well as system compromise "demonstrates the rapidly evolving nature of low risk, high financial yield cyber enabled crime," the law enforcement agency said.
"Those responsible for this offence are significant players within a sophisticated and determined Organized Criminal Network, who used considerable technical abilities and traditional criminal know-how to infiltrate and exploit secure banking systems," the PCeU's Detective Inspector Mark Raymond said in a statement.
Last week, police arrested 12 men over what was called an "audacious" plot to use the exact same methods to rob the Surrey Quays branch of Santander, south-east London. According to police, someone posing as an engineer attempted to fit a KVM and modem to a computer in the Surrey branch. However, due to the Barclays investigation, the attempt failed.
In a statement, Santander said they had been working with the police for months before the false engineer arrived and made his attempt, as the bank was made aware that the criminal network was targeting them. Four of the men arrested as part of the Barclays heist are also being charged in the attempted robbery Santander.
"This was a highly-organized criminal network with each individual filling a specific role. All criminal networks have a head and we very much believe we have now apprehended our 'Mr. Big' as part of this operation," Wilson told the BBC in a statement.
Social engineering and physical pentesting are topics that large organizations, especially in the financial sector, consider when evaluating risk. Yet, despite knowing the risks, criminals were still able to execute a precision hybrid attack against Barclays. CSO spoke to Rook Consulting (a security firm based in Indianapolis that deals with physical security assessments) to get their thoughts on this case.
"When put into perspective of the three elements of the enterprise that I always hear people reference (people, process, and technology), this is one of those circumstances that is not (in most cases) going be caught by any kind of technology on the network. This is going to fall into the other two categories," explained Mat Gangwer, a Security Consultant for Rook.
On the people side of things, security training and user awareness programs are key, Gangwer said. Employees need to know that incidents like the one at Barclays happen, how they should react if they suspect something nefarious is going on, and to know its okay to question an unidentified person walking around the office, as well as whom they should tell.
"For process, it goes back to the 'trust, but verify' model. Sure you can tell me you are an IT person coming to work on the computers, but I'm going to need to verify that is actually the case," Gangwer explained.
"Crimes like this are always going to be a possibility for companies. As we do our job and make it harder for these things to happen, the criminals or bad actors will work just as hard to find new ways to exploit the existing systems."
With that said, Gangwer offered some steps for organizations to consider when it comes to the process aspect of physical security. First, visitors should have proof of a time or meeting being scheduled, and that should be verified by the receptionist. Next, verify the person's ID, and make them sign in; and have their sponsor come and get them from the lobby and escort them around the office.
Another issue, which can lead to incidents such as the one experienced by Barclays, isn't the lack of physical security assessments, but the severe limits placed on those performing them.
"Financial services institutions handcuff their security consultants by not letting them act as a true rogue agent when conducting assessments," Gangwer explained.
To get the most out of an assessment, organizations should let the consultants take their gloves off and actually act like the criminals. Other than installing fear, intimidating, or harming anyone, everything else is fair game. Likewise, don't limit the consultant to just a week onsite, because sometimes the length of the assessment may need to be much longer in order to do the job right.
"Find a trusted advisor to help you screen consulting firms to find out of they are the real deal for hybrid IT / physical assessments. Military? That's good. What did they do there? Does that experience tie in? Recon experience is good, recon with tactical entry is better," Gangwer said.
In the end the Barclays heist was a textbook example of a hybrid attack, and one that could have been prevented.
"This is how criminals do it. No holds barred. That's why the security consulting world needs to get serious," Rook's CEO, J.J. Thompson told CSO.
"The days of half-baked intrusion plans and utilizing people with no real-world experience to rattle doorknobs is over. Real security is dirty. Hire consultants who get it, then get out of their way and let them get dirty."