Unanswered questions after the KVM hacks against Santander and Barclays bank

Neira Jones is a well-known name in the world of payment security and risk management, making her the ideal person to ask some difficult questions of banks targeted in the recent KVM (Keyboard video mouse) attacks. If you have an article that you'd like to share on grahamcluley.com, please do get in touch.

The last few weeks have seen headlines in the UK press about cybercriminal gangs targeting the likes of Santander and Barclays bank, using social engineering techniques to install KVMs (keyboard video mouse) to spy on staff computers and steal money.

KVM device

As well as praising the cooperation between law enforcement and the banks for leading to the arrest of the suspected criminals involved, one has to consider the overall implications of such crimes...

In both instances, the organisations affected made it very clear that no customers would have suffered financial losses as a result of the crimes.

This is, of course, no surprise. Under UK law, consumers are protected from such fraudulent activity, and if money had ever been taken from their accounts, they would not have had to bear the losses themselves.

In the case of Barclays, it was reported that the bank recovered most of the £1.3 million taken. But how much money was recovered? And what else was potentially siphoned off?

I have long been an advocate of convergence of information security, risk management and fraud protection, but it seems that with some notable exceptions, this is by no means standard practice yet.

The result is that these areas generally operate in silos, and the real cost of fraud, or the real cost of cybercrime, can never be truly assessed.

As an example, if we look at this year’s Annual Fraud Indicator (National Fraud Authority, June 2013), identity fraud is said to have totalled £3.3 billion in 2012 and affected 27% of the UK adult population.

ID Fraud statistics in National Fraud Indicator report

Because of the overall cost of fraud in any country, we must ask the following questions to be able to determine the real impact of such crimes.

Questions for the banks

In the Barclays example, customer information was accessed for a period of time, after a bogus IT technician walked into a branch in Swiss Cottage, North London, and attached a hardware KVM device to a bank computer.

This means that fraudsters may have got hold of banking customers' financial details (e.g. debit card details, bank account numbers, etc.). As a consequence, the bank may have had to re-issue debit cards to their customers. So what was the total cost of re-issue (how many cards, cost per card, etc.)?

In addition, how did the banks inform affected customers, and how much did that cost? And - most obviously - how much money wasn’t recovered?

The cost of fraud is not an insignificant matter and more transparency will raise awareness. There is, of course, the additional concern of customer churn, and whilst some - like Ponemon - have made valiant attempts to quantify this, apportionment is very difficult to achieve.

For banks specifically, switching your financial life has never been a pleasant experience. However, with the UK announcement that consumers are now able to switch bank accounts in just seven days, this may become a real risk after a data breach.

The impact on individuals

Whilst individuals would have suffered no direct financial losses, it all comes down to what was accessed.

What information did the criminals get hold of? Names, emails, bank account numbers, addresses, balances, etc...?

If the criminals got hold of this valuable information, they could in fact sit on it for a while before committing identity theft (e.g. applying for financial services products, laundering money) - something which could have a lasting effect on an individual's credit rating without their knowledge.

It's for this reason that breached organisations in the United States have to provide one year's free ID Theft protection by law.

Going back to the UK breaches, have consumers been reassured that they will not be victims of identity theft as a result of this crime? The matter of liability is very unclear.

Let’s look at the official (and rather short) statement from Barclays:

Barclays statement

Hmm... first of all, we don’t actually know what data was taken. We only know that consumers did not suffer financial losses as a result.

We also do not know that customers will not suffer any losses in the future as a result of their identities potentially being stolen. I think that consumers have been left in the dark in that respect.

And for those who’d like to know how to respond efficiently in the event of such crises, check out my previous advice about how to use social media effectively when responding to an incident.

So let’s ask the following questions:

  • What information was potentially taken?
  • What information have customers been given to help them monitor this?
  • Is there a help line?
  • What happens if a customer subsequently becomes a victim of ID Theft?
  • Who can they talk to?
  • What are the processes in place?
  • Has this potential fraud been quantified?

And finally, the Information Commissioner's Office (ICO) has been at pains to deny any bias against public sector organisations, so one assumes that in both cases the ICO was fully involved with the banks and law enforcement, and that they have determined that private individuals and their PII are not at risk of, say, future identity theft.

It would be nice to know this for sure but detailed information is not forthcoming.

So, in the absence of advice to consumers from the banks and law enforcement, if you think you may have been personally affected by the breaches (even if you didn’t lose any money), here are a few pointers you could follow:

  • Change the password on your email account (and don’t reuse it elsewhere).
  • Change the password on your bank account and change your security questions.
  • Monitor your credit rating and credit activity regularly to make sure no one is using your identity fraudulently.

After all, your digital identity is your life, so be good to yourself...


4 Responses

  1. Martin Hepworth

    September 27, 2013 at 3:33 pm

    Seems odd the banks seemed to have dropped the TFA smart cards they used to have in order to sign in to terminals. Would be very interesting to see how these KVMs actually managed to get into the back end systems to move money about.

  2. davidH

    September 30, 2013 at 11:07 am

    May one ask one or more questions?
    Why were the USB ports open to enable any devices to be attached?
    One assumes that these devices were transmitting data either over the network or wireless, so how come the regular scanning for abnormal traffic/IPs did not pick them up, or perhaps they did?

  3. peter laycock

    September 30, 2013 at 1:34 pm

    Indeed Graham but in addition, it beggars belief that there was obviously no "permit-to-work" process. How did the bogus engineer prove his identity to gain entry? It's quite simple – present a dated, timed and referenced PTW with photo ID at the bank counter and then call the sending IT organisation to authenticate the individual and the reason for requiring entry to back-office. This is not brain surgery! And of course the previous comment about USB lock-down is similarly fundamental.

  4. Sant Customer

    November 11, 2013 at 4:32 pm

    I am very careful to use unique email addresses for each bank that I bank with. The email address I gave to Santander (and no-one else) received a phishing email with an attached trojan this week. Pretty dumb as the phishing mail claimed to be from NatWest, not that I would have opened it anyway. How did the phishers get hold of the email address that only Santander and my email provider even knew existed?
