London banking offices leave passwords and data visible from street

With millions spent on cyber security by financial institutions, many are failing to secure the most basic physical aspects of their premises.

This was evident in recent research by AppRiver, which on a walk around the City of London found that practically every street had at least one user's screen visible through a first-floor window. Some streets surrounding Cheapside had screens not only visible on the first floor, but banks of them at street level.

One corner, flanked by two different high-profile banking institutions, had over 150 screens between them on the ground floor, facing the street and just a few meters from the glass, half of which included a user's nameplate above the workstation.

The research showed credential and password log-in boxes, emails, corporate database entry screens and numerous documents all visible to the naked eye.

While detailed information was not captured as part of the study, someone with malicious intentions, time and a zoom lens could potentially piece together the information needed to launch an attack against any of these organisations.

A potential attack could involve a scammer collecting enough details about an individual's life to strike up a conversation with the victim, already knowing the person's name and the company they work for. AppRiver claimed that details learned from observed emails and company documents could add weight to the conversation, trick the person into believing there is a relationship and ultimately fool them into disclosing additional information that is used in a targeted attack.

"Historically, if you wanted to rob a bank, you had to physically go into the branch and 'hold up' the staff. But with advances in technology, the money moved online and criminals simply followed," said David Liberatore, senior director of technical product management at AppRiver.

"As a result, and with the constant evolution of IT security enhancements, many of the virtual ways into these establishments are being systematically sealed, with criminals looking for new ways to engineer their attacks and liberate the funds. What better way than collecting freely available information by looking through the physical windows of these businesses?

"We know criminals are collecting information from social network sites, such as Facebook and LinkedIn, to launch targeted attacks and this is potentially another avenue for them to exploit. Organisations exposing corporate information through an open window are perhaps more vulnerable than if they had a key logger installed at the back of the device."

"Many organisations have become so focused on their virtual security, that physical practices are being ignored, and that means the very information they're trying to protect could be stolen by passers-by. This needs to change."

Dan Raywood is editor of The IT Security Guru