Five ways to rob a bank using the internet, Fresh Scientist
Five ways to rob a bank using the internet
This year a bank robber stole £1.Three million without touching a penny. Today’s master criminals are exchanging shotguns for software – here’s how they do it
(Pic: Rex Features)
Earlier this year, a man walked into a branch of Barclays in north London and stole £1.Three million without touching a single bank note. Instead, he posed as an IT technician and installed a device to siphon off the cash electronically.
News of the robbery emerged last month when eight dudes were arrested, a week after police foiled a similar plot against Santander. It seems that bank robbers are providing up shotguns for software. Here’s how they do it.
Bogus tech support
Advertisement
The Barclays and Santander plots involved installing a device called a keyboard movie mouse switch. These are commonly used in data centres to control numerous computers from a single terminal, and by connecting it to a 3G router the crooks were able to remotely access Barclays’ machines over the cellphone network. They used this to transfer money to their own accounts, but Barclays noticed and reported the theft a day later.
“The hard part is not getting in the bank to do the transfer, but getting the money out of the bank into some form you can spend without getting caught in the process,” says Steven Murdoch, a security researcher at the University of Cambridge.
If you can’t rob a bank directly, go after its customers. These days most of us know not to open suspicious emails claiming to be from their bank, but people do still fall for such phishing attempts, inadvertently handing over their passwords to crooks by logging in to fake websites. Many banks now issue physical tokens that provide secondary authentication designed to foil these attacks, but not all do.
Convert your way to wealth
One unlikely way to take a bank’s cash involves currency conversion. Exchange $Ten for pounds through your online account and you will receive £6.22 at current rates – your bank rounds to the nearest penny. But if you exchange one cent, the rounding means you will get one pence, a significant profit. Set software to do this over and over, and soon you will be sitting on a clean sum.
Banks prevent this by setting a minimum conversion amount or limiting the number of exchanges per day, but some have only realised they were under attack once it was too late. “Two of our banking customers have lost money through currency-rounding attacks,” says Mitja Kolsek of Acros Security in Maribor, Slovenia. “One of them lost around €30,000 before it noticed and blocked it.”
Credit and debit cards are often targeted by criminals, either by stealing individual cards or modifying ATMs to record card details and PINs. The account details are copied on to blank cards and then used to withdraw money or buy goods to sell on.
Many countries use a chip and PIN system to prevent this, so criminals have got into the habit of taking cloned cards to the US, where the system is not yet in widespread use.
Some take this even further. Earlier this year, eight people were arrested in Fresh York for cloning cards and hacking bank systems to raise each card’s account limit, before withdrawing almost $45 million from ATMs around the world.
Divert with a DDoS
Bank robbers can knock out CCTV and disable alarms before they break into the bank. The electronic equivalent is a distributed denial-of-service attack (DDoS), in which large volumes of network traffic hammer a bank’s systems, providing criminals the cover they need. “While the bank’s IT staff is scrambling to keep its servers online and running, criminals are transferring money from users’ accounts,” says Kolsek. Last year the FBI warned that criminals could get their mitts on millions using software costing just $200.
