According to reports, a computer at a south London branch of Santander was alleged to be compromised by a hardware device capable of not just recording keystrokes and screen activity, but also giving hackers the ability to control the computer remotely.
British police have arrested 12 men in connection with what was claimed to be an “audacious” plot to hack the Surrey Quays shopping centre branch of the Santander bank, and steal millions of pounds.
Metropolitan Police arrested 11 men, aged between 23 and 50 years old, in Hounslow, and a 34-year-old man was arrested in Victoria. In addition, searches were carried out at a number of properties, and property was seized.
A BBC News report quotes a Metropolitan Police spokesperson as saying that the device which the criminals attempted to install was a KVM (Keyboard Video and Mouse) switch, capable of capturing activity on the spied-upon computer in real-time.
“The offence involved deploying a KVM (keyboard video mouse) device, fitted to a computer within the bank branch, allowing the transmission of the complete desktop contents of the bank computer over the network.”
Hardware video and keyboard loggers pose a particular problem for organisations. After all, when the recording of keypresses and screen activity is done by spyware, it can be detected by anti-virus software. Not so with hardware surveillance, as the device capturing the confidential information is sitting between the keyboard and the computer – nothing has been changed on the PC itself.
A visual inspection of a computer might spot that the computer has an unauthorised device attached, but how often do you look around the back of your computer to see what is plugged in? How often do you descend under your desk and delve into the jungle of wires and boxes?
Now imagine trying to do that on hundreds or thousands of computers in an organisation. For that reason, organisations may attempt to monitor what devices are plugged into computers across their networks, weeding out anything which does not have authorisation.
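One way an organisation could implement the device monitoring described above, as an added example that is not code from the original article or from Santander: each workstation reports its attached USB devices (here in lsusb-style lines), and the central check compares every device against an allowlist of approved vendor/product IDs and flags anything else. The host names, inventory lines, allowlist entries and the "more than one keyboard-class device" heuristic are all assumptions constructed for the example.

```python
"""Inventory attached USB devices against an allowlist and flag anything unapproved.

Added example (not from the original article). Assumes each endpoint reports
its attached devices as lsusb-style lines prefixed with its host name; the
sample inventory, the allowlist and the host names are constructed.
"""
import re
from collections import defaultdict

# Allowlist keyed by USB vendor:product ID. The IDs and labels here are
# illustrative; a real list comes from the organisation's own hardware standard.
APPROVED_DEVICES = {
    "1d6b:0002": "Root hub",
    "046d:c31c": "Standard keyboard",
    "046d:c077": "Standard mouse",
    "0bda:8153": "Docking station NIC",
}

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$"
)


def parse_inventory(text):
    """Parse 'host: <lsusb line>' records into {host: [(vid:pid, description), ...]}."""
    inventory = defaultdict(list)
    for raw in text.strip().splitlines():
        host, _, line = raw.partition(": ")
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a device line
        inventory[host].append((f"{m['vid']}:{m['pid']}", m["desc"].strip()))
    return inventory


def find_unapproved(inventory, approved=APPROVED_DEVICES):
    """Return {host: [finding, ...]} for hosts with devices outside the allowlist."""
    findings = defaultdict(list)
    for host, devices in inventory.items():
        for dev_id, desc in devices:
            if dev_id not in approved:
                findings[host].append(
                    f"unapproved device {dev_id} ({desc or 'no description'})"
                )
        # Heuristic (an assumption for this example): a second keyboard-class
        # device on one host deserves a look, since an inline logger or KVM
        # may register as an additional keyboard.
        keyboards = [d for d in devices if "keyboard" in d[1].lower()]
        if len(keyboards) > 1:
            findings[host].append(f"{len(keyboards)} keyboard-class devices present")
    return dict(findings)


# Constructed sample inventory: one clean host and one with an extra device.
SAMPLE_INVENTORY = """
branch-pc-01: Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
branch-pc-01: Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
branch-pc-01: Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
branch-pc-02: Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
branch-pc-02: Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
branch-pc-02: Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
branch-pc-02: Bus 001 Device 004: ID ffff:0001 Generic USB Keyboard
"""

if __name__ == "__main__":
    for host, issues in find_unapproved(parse_inventory(SAMPLE_INVENTORY)).items():
        for issue in issues:
            print(f"{host}: {issue}")
```

Run as-is it reports only `branch-pc-02`, once for the unknown `ffff:0001` device and once for the second keyboard-class device; a clean host produces no output. The allowlist approach is what makes this scale to hundreds of machines: the check is automated and only exceptions need a human to look behind the desk.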
There is one other difference between software and hardware keyboard logging, however. A hardware keyboard logger needs to be put in place by someone with physical access to the computer that they wish to target.
That means that someone attempted to gain access to Santander’s office, with the intention of attaching a monitoring device without raising suspicion.
Who might it be?
Well, it could be a rogue employee – but it’s also very possible that the culprit would be someone posing as an IT contractor fixing the computer, mending the photocopier or replacing the water in the cooler. Or what about a member of the cleaning staff who comes in late at night to hoover the carpet, and isn’t being closely monitored about what else they might be plugging in?
Of course, human nature being what it is – many people feel uncomfortable grilling an unfamiliar face as to what they might be doing in the office, and asking them to prove their legitimacy.
Companies need to be extremely careful about who they grant physical access to their offices, and how closely such people are monitored. They also need to foster an environment where staff don’t feel uncomfortable asking people to show their credentials if they are an unfamiliar face.
Multiple layers of security – going beyond pure computer security – can help with challenges like this.
It’s essential that companies explore how best to do that, while still making their offices a welcoming place to invite customers and a friendly place to work.
One other thought: If hackers *did* manage to use hardware to steal your usernames and passwords, with the intention of stealing money from your company – how else could they be stopped in their tracks?
Well, when I try to transfer money from my account to someone else’s account my bank requires me to confirm my identity by entering a random number displayed on my keyfob.
It doesn’t just ask for my username and password. This kind of two-factor authentication could also be put in place for internal staff, requiring them to confirm their identity before they make a potentially unauthorised transaction. Furthermore, banks will have systems in place to monitor unexpected movements of money and unusual behaviours, precisely to weed out attacks like this.
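The two controls in the previous paragraph, a keyfob code in addition to the password and monitoring for unusual money movements, combined into one transfer-authorisation check, as an added example that is not code from the original article or from any bank's systems. It assumes the keyfob is a standard time-based one-time-password token (RFC 6238, HMAC-SHA1, 30-second steps), that the bank holds the shared secret, and that each user has a short history of recent transfer amounts to use as a baseline; the user record, secret, amounts and the "three times the median" threshold are all constructed for the example.

```python
"""Second factor plus transaction monitoring for an internal transfer.

Added example, not from the original article or from Santander. Assumes a
standard TOTP keyfob (RFC 6238, HMAC-SHA1, 30-second steps) whose shared
secret the bank holds, and a per-user baseline of recent transfer amounts.
The secret, user record and amounts below are constructed.
"""
import hashlib
import hmac
import statistics
import struct

TIME_STEP = 30       # seconds per TOTP step
CODE_DIGITS = 6
ALLOWED_SKEW = 1     # also accept the previous and next step (clock drift)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Constant-time comparison against the codes for the current and adjacent steps."""
    for step in range(-ALLOWED_SKEW, ALLOWED_SKEW + 1):
        expected = totp(secret, unix_time + step * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def is_anomalous(amount: float, history: list, max_ratio: float = 3.0) -> bool:
    """Flag a transfer far above the user's usual amounts (simple baseline check)."""
    if len(history) < 3:
        return True  # assumption: too little history to trust, so send for review
    baseline = statistics.median(history)
    return amount > baseline * max_ratio


def authorise_transfer(user, password_ok, submitted_code, amount, unix_time):
    """Decide whether a transfer proceeds; returns (decision, reason)."""
    if not password_ok:
        return ("deny", "password check failed")
    # A captured username and password alone are not enough: the code from
    # the keyfob must match what the bank computes from the shared secret.
    if not verify_totp(user["totp_secret"], submitted_code, unix_time):
        return ("deny", "second factor rejected")
    if is_anomalous(amount, user["recent_amounts"]):
        return ("hold", "amount outside user's baseline; route to review")
    return ("allow", "credentials, second factor and baseline all satisfied")


# Constructed user record: the secret and history are made up for the example.
USER = {
    "name": "cashier-07",
    "totp_secret": b"constructed-shared-secret-0001",
    "recent_amounts": [450.0, 1200.0, 800.0, 950.0, 600.0],
}
NOW = 1_378_000_000  # fixed timestamp so the example is reproducible

if __name__ == "__main__":
    good_code = totp(USER["totp_secret"], NOW)
    print(authorise_transfer(USER, True, good_code, 700.0, NOW))
    print(authorise_transfer(USER, True, "000000", 700.0, NOW))
    print(authorise_transfer(USER, True, good_code, 250_000.0, NOW))
```

The point of layering the two checks is that they fail independently of a hardware logger: a KVM or keystroke recorder can capture the password and even one keyfob code, but that code expires within the time window, and a transfer that is out of character for the account still lands in a review queue rather than leaving the bank.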
It appears that Santander foiled the attack, without any money being stolen. They were the intended victims here. What’s most important is that other companies wake up to similar threats, and make sure that they’re not the next ones to make the headlines.
Update: Santander has issued a statement, revealing some more background on the case:
Like all high street banks, Santander works very closely with the police and other authorities to help prevent fraud.
Through this co-operation, Santander was aware of the possibility of the attack connected to the arrests. The attempt to fit the device to the computer in the Surrey Quays Branch was undertaken by a bogus maintenance engineer pretending to be from a third party.
It failed and no money was ever at risk. No member of Santander staff was involved in this attempted fraud. We are pleased that we have been able, through the robustness of our systems, to prevent the fraud and help the police gather the evidence they needed to make the arrests.
My reading of this is that Santander and the police were aware of the intended crime *before* it took place, thus underlining that no customer data or money was ever put at risk.
In short, they have handled this incident without fault.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.