Hackers stole £1.3 million from Barclays Bank using KVM device

Graham Cluley

Police have arrested eight men in connection with an audacious scheme which succeeded in stealing £1.3 million from Barclays Bank.

The heist was said to have taken place at a branch of Barclays Bank in Swiss Cottage, North London, back in April, after a hardware device was attached to a branch computer.

In all likelihood, a member of the gang – posing as an IT technician – walked into the branch and connected the device to a computer, hoping that staff would believe he was there for legitimate reasons.

The device, a KVM (“Keyboard video mouse”) switch attached to a 3G router, allowed the hackers to record staff keypresses, and screen activity, helping them to steal password information. The criminal group then allegedly used the information to remotely transfer money to other accounts.

It takes some nerdiness and a lot of nerve to pull off a bank heist like this.

There are a few things of interest here.

Firstly, it seems hard to believe that the Barclays heist isn’t connected to the very similar attempted robbery at Santander reported last week which also used a KVM switch.

The plot against Santander was foiled, of course, with no money stolen and no customer data being put at risk. At the time Santander said it “was aware of the possibility of the attack”, which makes me think that the police became aware of the gang’s attack against Barclays a while ago, and as part of their investigations warned other banks of the risk.

But secondly, it appears something failed at Barclays Bank.

Even if the hackers had managed to attach a device, and steal passwords and the like, shouldn’t internal systems have raised an alert about the unusual movements of money and sought authorisation? Maybe they did, but the money still appears to have been moved by the hackers.

And there’s a human failing too. Most of us are guilty of allowing people we don’t recognise to wander around our offices, fiddling with computers, fixing photocopiers, changing the water cooler. Human nature being what it is, we feel uncomfortable questioning people too closely.

Companies need to be extremely careful about who they grant physical access to their offices, and how closely such people are monitored – especially if they are an unfamiliar face.

Multiple layers of security – going beyond pure computer security – can help with challenges like this.

Update: Barclays has issued a rather brief statement about the incident.

“Barclays has no higher priority than the protection and security of our customers against the actions of would-be fraudsters.

“We have been working closely with the Metropolitan Police following a security breach at our Swiss Cottage branch in April 2013. We identified the fraud and acted swiftly to recover funds on the same day.

“We can confirm that no customers suffered financial loss as a result of this action.”

Clearly they would much prefer not to be making the headlines at all on topics like this. They are only too aware that it would be very bad news if the public’s trust in a bank was shaken.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

One comment on “Hackers stole £1.3 million from Barclays Bank using KVM device”

  1. was skeptical about the Santander news last week, as I presumed you'd also need two-factor auth (smart card) to actually log in, but it seems this isn't always the case as it used to be back in the day
