20 Sep 2013

KVM kit that exposed Barclays vulnerability

The raid on Barclays is shocking on two levels – the physical breach of security, and the technology flaws that led to the theft of £1.3m.

Barclays now faces some serious questions on both fronts.

Firstly, how can someone simply turn up to a branch claiming to be an engineer, and get access to computers which should be secure?

Is there no central booking and approval system for maintenance visits?

For many customers, it’s this real-world intrusion that will be most surprising.

KVM device

But on a technical level, the incident is perhaps even more concerning.

The thieves managed to fit a piece of kit called a KVM to one of the bank’s computers.

This would give them the ability to take full control of that computer from somewhere else – seeing what’s on the screen, and potentially even being able to control the mouse and keyboard.

It seems Barclays’ computers are set up in such a way that an unauthorised device can be connected and start working.

It’s difficult to understand why a bank had not spotted that flaw and changed the machines’ settings to stop it.

Vulnerability

There was an almost identical attack on Santander last week – although in that case it was spotted before any money was taken.

But it seems thieves have spotted a vulnerability and are exploiting it.

I’d hope the banks are now examining every branch computer to check for unauthorised devices – and in the long term reconfiguring them to refuse any attempt to plug in unofficial hardware.

In their efforts to serve their customers better, banks have given their staff the ability to carry out many functions from their desktop. These recent attacks show that this convenience must be accompanied by better security.
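The kind of check the article calls for, an inventory of every attached device compared against what each branch machine is approved to have, can be automated. The script below is an added example, not part of the original article or anything Barclays runs. It assumes a Linux workstation enumerated with `lsusb`; the sample output lines, the allowlist and the vendor/product ID `1a2b:3c4d` are constructed for the example. A KVM-over-IP unit shows up to the host as a USB keyboard and mouse, so an unexpected human-interface device is exactly what an allowlist would flag, and the matching udev rule deauthorises it at enumeration.

```python
"""Compare attached USB devices with a per-machine allowlist (added example).

Assumed scenario: a branch workstation is enumerated with `lsusb` and the
output is compared with the vendor:product IDs approved for that build.
The sample output below is constructed, not captured from a real machine.
"""
import re
from dataclasses import dataclass

# Constructed `lsusb` output for one workstation. The fourth line stands in
# for an unexpected keyboard/mouse emulator; its ID 1a2b:3c4d is invented.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 004: ID 1a2b:3c4d (unknown vendor) USB Keyboard/Mouse Emulator
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""

# Approved vendor:product IDs for this build: the root hubs, the standard
# keyboard and the standard mouse. Anything else is reported.
ALLOWLIST = {"1d6b:0002", "1d6b:0003", "046d:c31c", "046d:c077"}

LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<id>[0-9a-f]{4}:[0-9a-f]{4}) (?P<desc>.*)$"
)


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    usb_id: str
    desc: str


def parse_lsusb(text):
    """Parse `lsusb` lines into UsbDevice records; unrecognised lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append(UsbDevice(m["bus"], m["dev"], m["id"], m["desc"]))
    return devices


def unauthorised_devices(text, allowlist=ALLOWLIST):
    """Return every attached device whose vendor:product ID is not approved."""
    return [d for d in parse_lsusb(text) if d.usb_id not in allowlist]


def udev_deny_rule(device):
    """Render a udev rule that disables this device when it is plugged in.

    Writing 0 to the kernel's sysfs `authorized` attribute stops the USB
    device from being configured, so its keyboard/mouse input never reaches
    the desktop.
    """
    vendor, product = device.usb_id.split(":")
    return (
        f'ACTION=="add", SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vendor}", '
        f'ATTR{{idProduct}}=="{product}", ATTR{{authorized}}="0"'
    )


if __name__ == "__main__":
    for d in unauthorised_devices(SAMPLE_LSUSB):
        print(f"UNAUTHORISED bus {d.bus} dev {d.dev}: {d.usb_id} {d.desc}")
        print("  suggested rule:", udev_deny_rule(d))
```

In production the stronger posture is the reverse of this script: deny every USB device by default and authorise only the allowlisted IDs, which is what tools such as USBGuard on Linux and device installation restrictions in Windows Group Policy provide. The allowlist approach only catches what the host can see; it does nothing about a unit that taps the video cable, which is why the physical controls the article raises still matter.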

Follow @GeoffWhite247 on Twitter

One reader comment

  1. Ray Gordon says:

    “It’s difficult to understand why a bank had not spotted that flaw and changed the machines’ settings to stop it.”

    In most circumstances you cannot detect a KVM device is attached to a computer: it’s a transparent (external) technology. They used a 3G router too which would be independent of any bank network.

    There are not really any computer settings you could change to thwart this unorthodox use of KVM devices.

    The best method would be to use a third-party authentication device which is not connected to the computer via USB.
