Inside the biggest bank raid that never was

Were key stroke loggers to blame for the attempted robbery of the Sumitomo Mitsui Bank?

As Yaron Bolondi faces charges of money laundering and fraud, police are actively hunting down other suspects in the attempted hacking-based theft of £220m from Sumitomo Mitsui Bank (SMB).

The National Hi-Tech Crime Unit and the bank itself are keeping quiet over the affair, and technical details of the hack are still sketchy, But reports suggest that the would-be thieves used keystroke loggers to snatch sensitive information from SMB's employees and were thus able to manipulate the bank's systems.

If this proves to be true, it still unclear whether the key stroke logging system used was based around a hardware device fitted to the back of certain computers, or was purely software based — potentially sent by an email virus.

"They are being very cagey about how the hack was done," said Graham Cluley, senior technology consultant for antivirus company Sophos. "I even heard that there were no keystroke loggers. In many ways, hardware keystroke loggers are harder to detect than software. They can be fitted easily. So maybe it was an inside job."

Legal experts also feel an internal employee may have facilitated the attack. "My gut feeling is that this came from the inside," said Mark Smith, a solicitor for law firm Olswang. "It shows that you can't rely on perimeter security. Intrusion detection gets a lot of bad press because people don’t know how to operate it, but that can really help."

Chief information security analyst Paul Wood of email security firm MessageLabs said it was unimportant which type of keystroke logger they used as the bank had the right auditing practices in place to catch the thieves.

"Whether it's a hardware or software keystroke logger, that's all supposition," said Wood. "But they are all a threat to business. We don’t know whether the keystroke logger was from an email-borne virus or it was a physical keylogger. There are quite a few ways of detecting [keystroke loggers]. It goes to show that if you have sufficiently strong auditing, you have at least a chance of catching it before it's too late."

If the keystroke logger was a software-based spyware program and entered the company network as an email attachment, what protection are antivirus companies providing to protect other firm's from coming under similar attack?

"Although antivirus software gives some sense of protection, people have to understand the false level of security there," added Wood. "Antivirus companies struggle to deal with spyware. Antivirus packages don't know if programs have been installed with user permission or not. Sobig installed legitimate software, which meant that antivirus software could detect the worm but not the program it ran."

Sophos' Cluley admitted that antivirus companies need to focus more on stopping spyware.

"Detecting spyware — that can be a problem," he said. "There are quasi-legal keystroke loggers on the market for people to keep an eye on their kids or employees. When we see a malicious piece of software, we typically add detection for it. We're now seeing 15 to 20 new key loggers a day. This time last year it was five a day. I think that the antivirus industry is realising this is giving problems."

One of the problems antivirus companies have is defining what spyware is. It is possible to legitimately buy keystroke logging software, but antivirus software has trouble defining what is malicious and what is legal.

"One of the fundamental problems with spyware is defining it," said Smith. "The definitions show some of the risks. You don’t want a suite of security products where some things fall down the gaps because there's no consistency in definition. And that's making some security companies nervous."

How to prevent keystroke logging:

  1. Use a mixture of randomised letters and numbers for customers’ passwords and login.
  2. Use multiple passwords, or a PIN followed by a password. At least one of these should not be requested in full — for example, ask for the second, third and fourth digits of a PIN, in a random order, rather than the entire number.
  3. Use drop-down boxes for field entry, making it much more difficult for hackers to 'read' passwords.
  4. The ideal solution to the problem is two-factor authentication. For example, the user has a password or pin, together with a random number generated by a token, such as a small key fob or credit card sized device, which changes approximately every 30 seconds. They foil key loggers because although the hacker can steal your password, he/she will only have the random number generated the last time you logged on, not the most recently updated number.
  5. A cheaper alternative would be to issue the random number via another medium, such as SMS, each time the user logs on.
  6. The most effective weapon against hackers is, as always, educating PC users and online customers.

(Tips courtesy of BlackSpider Technologies.)